[Mono-bugs] [Bug 79986][Nor] Changed - TlsException at TlsClientCertificate.ProcessAsTls1 using SslServerStream

bugzilla-daemon at bugzilla.ximian.com
Mon Nov 20 10:57:31 EST 2006


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by pawel.sakowski at mindbreeze.com.

http://bugzilla.ximian.com/show_bug.cgi?id=79986

--- shadow/79986	2006-11-20 09:59:56.000000000 -0500
+++ shadow/79986.tmp.10567	2006-11-20 10:57:31.000000000 -0500
@@ -1,13 +1,13 @@
 Bug#: 79986
 Product: Mono: Class Libraries
 Version: 1.2
 OS: GNU/Linux [Other]
 OS Details: 
-Status: RESOLVED   
-Resolution: NOTABUG
+Status: REOPENED   
+Resolution: 
 Severity: Unknown
 Priority: Normal
 Component: Mono.Security
 AssignedTo: sebastien at ximian.com                            
 ReportedBy: pawel.sakowski at mindbreeze.com               
 QAContact: mono-bugs at ximian.com
@@ -107,6 +107,34 @@
 ------- Additional Comments From sebastien at ximian.com  2006-11-20 09:59 -------
 SslServerStream stream = new SslServerStream(new
 NetworkStream(sock.Accept(), true), x509, true, false);
 
 The first 'true' is for clientCertificateRequired, which you aren't
 supplying with wget. Change this to false and your sample works.
+
+------- Additional Comments From pawel.sakowski at mindbreeze.com  2006-11-20 10:57 -------
+Does this mean, that SslServerStream(x,x,true,x) rejects by design any
+connections failing to provide a valid client cert? I would have
+expected that a client cert gets requested, but if the client fails to
+provide one, the connection is anyway usable. If that's the case, the
+exception message isn't very helpful. I would say, the expected
+behavior is the one exhibited by Mono 1.1.13.4 (not 100% sure about
+the exact version, take it ...+-2). In that version, the third
+argument specifies whether or not the client cert is requested, but
+even it the client doesn't have a cert to comply with that request,
+the connection carries on (server-side, the client cert property
+returns null in that case). Has this behavior been redesigned? The
+constructor's arguments sure haven't.
+
+Good for you that a scenario exists where SslServerStream works.
+However, that doesn't help me much. I'm requesting client certs
+(saying "true") because I do use and need them. The clients will not
+send their certificates over unless explicitly requested to do so --
+which is why I'm requesting them server-side. A server stream with
+clientCertificateRequired==false is useless for me. Some clients will
+and some won't send over a certificate, according to a
+product-specific logic.
+
+Or are you saying that Mono doesn't support both clientcert-less and
+clientcert-ful connections to one server anymore and I should provide
+separate endpoints for those two cases? Or should I use another
+constructor or another class to support both?
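
Review bot: the added comment, from "Does this mean, that SslServerStream(x,x,true,x) rejects by design" onward, raises an API-contract question that this record still leaves open: whether the third constructor argument, clientCertificateRequired, means "request a client certificate" or "require one and fail the handshake without it". The reply in the context lines above only says to change the argument to false, and the reporter states that clients will not send certificates unless the server requests them. The resolution should state the intended semantics explicitly, say whether one endpoint can serve both certificate-bearing and certificate-less clients, and address the reporter's point that the exception message isn't very helpful. If the optional behavior described for Mono 1.1.13.4 is kept, the documentation should also say that a null client cert property means the peer presented no certificate and must be treated as unauthenticated.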

