[Mono-bugs] [Bug 77047][Nor] Changed - CERT_E_PURPOSE error on certificate

bugzilla-daemon at bugzilla.ximian.com
Tue Dec 20 15:24:46 EST 2005


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by sebastien at ximian.com.

http://bugzilla.ximian.com/show_bug.cgi?id=77047

--- shadow/77047	2005-12-20 15:06:58.000000000 -0500
+++ shadow/77047.tmp.14884	2005-12-20 15:24:46.000000000 -0500
@@ -1,14 +1,14 @@
 Bug#: 77047
 Product: Mono: Class Libraries
 Version: 1.1
-OS: 
+OS: unknown
 OS Details: 
-Status: NEW   
+Status: NEEDINFO   
 Resolution: 
-Severity: 
+Severity: Unknown
 Priority: Normal
 Component: Mono.Security
 AssignedTo: sebastien at ximian.com                            
 ReportedBy: colin at univ-metz.fr               
 QAContact: mono-bugs at ximian.com
 TargetMilestone: ---
@@ -33,6 +33,39 @@
 Expected Results:
 it doesn't.
 
 thanks,
 
 Cyrille.
+
+------- Additional Comments From sebastien at ximian.com  2005-12-20 15:24 -------
+No surprise here ;-)
+
+The key element is that Mono provides both a client and a server-side
+SSL stream. This means that...
+
+The client-side handshakes (namespace
+Mono.Security.Protocol.Tls.Handshake.Client) check for the server
+certificate (TlsServerCertificate.cs).
+
+The server-side handshakes (namespace
+Mono.Security.Protocol.Tls.Handshake.Server) check for the client
+certificate (TlsClientCertificate.cs).
+
+Both private methods are named checkCertificateUsage (in both files)
+but they don't make the same checks (well some of them are similar but
+some are different).
+
+Now in your case (using tlstest) you're using the client stream, so
+it's the TlsServerCertificate.checkCertificateUsage method that gets
+called (to check the server certificate) and the CERT_E_PURPOSE means
+that the call returned false.
+
+So it looks like you're using a v3 x.509 certificate without the
+appropriate extensions to mark the public key as usable for
+server-side SSL. Which leads me to believe that you didn't use Mono's
+(or even MS) makecert to create that certificate and, more important,
+that you didn't provide your tool with the right options to create a
+server-side certificate.
+
+Please attach your SSL certificate to the bug report if you want me to
+check what's wrong with it.

