[Mono-bugs] [Bug 81511][Nor] New - TlsClientCertificate verifyCertificateUsage differs from spec
bugzilla-daemon at bugzilla.ximian.com
Wed May 2 03:36:49 EDT 2007
Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by bugzilla at woy.nl.
http://bugzilla.ximian.com/show_bug.cgi?id=81511
--- shadow/81511 2007-05-02 03:36:49.000000000 -0400
+++ shadow/81511.tmp.3903 2007-05-02 03:36:49.000000000 -0400
@@ -0,0 +1,37 @@
+Bug#: 81511
+Product: Mono: Class Libraries
+Version: 1.2
+OS: other
+OS Details:
+Status: NEW
+Resolution:
+Severity:
+Priority: Normal
+Component: Mono.Security
+AssignedTo: sebastien at ximian.com
+ReportedBy: bugzilla at woy.nl
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL:
+Cc:
+Summary: TlsClientCertificate verifyCertificateUsage differs from spec
+
+I'm using an SslServerStream in combination with Client Authentication.
+The TlsClientCertificate.checkCertificateUsage( X509Certificate ) method
+always returns false wich results in an CERT_E_PURPOSE error.
+
+The ExchangeAlgorithmType is always RsaKeyX wich seems to be correct. This
+results in checking for an KeyUsageExtension that supports
+KeyUsage.keyEncipherment.
+
+But as I can read in this OpenSsl documentation an client certificate has
+to support digitalSignature. Only the server certificate has to support
+KeyEncipherment.
+
+http://www.openssl.org/docs/apps/x509.html
+also the following document seems to support this
+http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html
+
+Steps to reproduce this:
+Create a SslServerstream and connect to the server using a client
+certificate that does support DigitalSignature but no KeyEncipherment.
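Review bot: the Summary line names verifyCertificateUsage, while the description names TlsClientCertificate.checkCertificateUsage( X509Certificate ); the report should settle on one name so the maintainer can locate the check. The "Steps to reproduce" lines describe the setup only in words, and the OS Details and Severity fields are empty. Attaching a client certificate whose KeyUsage extension has DigitalSignature but not KeyEncipherment, together with the minimal SslServerStream code that ends in CERT_E_PURPOSE, would make the behaviour reproducible.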