[Mono-bugs] [Bug 336058] New: SSL renegotiation problem with webservice client-side certificates

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Tue Oct 23 12:08:58 EDT 2007


https://bugzilla.novell.com/show_bug.cgi?id=336058

           Summary: SSL renegotiation problem with webservice client-side
                    certificates
           Product: Mono: Class Libraries
           Version: 1.2
          Platform: i386
        OS/Version: RHEL 4
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Sys.Web.Services
        AssignedTo: atsushi at ximian.com
        ReportedBy: samuel_carriere at hotmail.com
         QAContact: mono-bugs at ximian.com
          Found By: Other


There is an issue with webservice client certificates with Mono 1.2.5: it
seems not to support SSL renegotiation.

Apache configuration:
The Apache httpd server doesn't require client authentication, except for the
"/webservice" location.
The httpd.conf configuration file contains:

SSLVerifyClient none
<Location /webservice>
   SSLVerifyClient require
</Location>

This kind of configuration causes an SSL security renegotiation (see
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient)
when the client hits this kind of URL: https://server/webservice/server.php

Mono test case:
This is a simple web service call, with a client certificate.

using System;
using System.Security.Cryptography.X509Certificates;

class Program
{
   static void Main(string[] args)
   {
      // Instantiate the generated webservice proxy and attach the client certificate
      testWsSSL.WSAddition.Addition client = new testWsSSL.WSAddition.Addition();
      X509Certificate2 Cert = new X509Certificate2("/my/clientCertificate.p12",
                                                   "password");
      client.ClientCertificates.Add(Cert);
      // Call the webservice method
      int result = client.add(5, 6);
      Console.WriteLine("Result : " + result);
   }
}

This test program crashes with the following stack trace:

Unhandled Exception: System.Net.WebException: Error getting response stream
(ReadDone1): ReceiveFailure ---> System.IO.IOException: EndWrite failure --->
System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket+SocketAsyncResult.CheckIfThrowDelayedException
() [0x00000]
  at System.Net.Sockets.Socket.EndSend (IAsyncResult asyncResult,
System.Net.Sockets.SocketError& errorCode) [0x00000]
  at System.Net.Sockets.Socket.EndSend (IAsyncResult result) [0x00000]
  at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000] ---
End of inner exception stack trace ---

  at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.EndSendRecord (IAsyncResult
asyncResult) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (ContentType
contentType, System.Byte[] recordData) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.SendAlert
(Mono.Security.Protocol.Tls.Alert alert) [0x00000]
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
(IAsyncResult asyncResult) [0x00000] --- End of inner exception stack trace ---

  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult)
[0x00000]
  at System.Net.HttpWebRequest.GetResponse () [0x00000]
  at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse
(System.Net.WebRequest request) [0x00000]


It doesn't crash with this Apache configuration:

SSLVerifyClient require
<Location /webservice>
   SSLVerifyClient require
</Location>


Another thing worth mentioning: there seems to be no SSL renegotiation problem
with the HttpWebRequest class, because this test program works:

using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class Program
{
   static void Main(string[] args)
   {
      HttpWebRequest Request =
         (HttpWebRequest)WebRequest.Create("https://server/services/webservice/server.php?wsdl");
      X509Certificate2 Cert = new X509Certificate2("/my/clientCertificate.p12",
                                                   "password");

      Request.ClientCertificates.Add(Cert);
      Request.UserAgent = "Client Cert Sample";
      Request.Method = "GET";
      HttpWebResponse Response = (HttpWebResponse)Request.GetResponse();
      // Print the response headers.
      Console.WriteLine("{0}", Response.Headers);
      Console.WriteLine();
      // Read and print the response body (the WSDL document).
      StreamReader sr = new StreamReader(Response.GetResponseStream(),
                                         Encoding.Default);
      int count;
      char[] ReadBuf = new char[1024];
      do
      {
         count = sr.Read(ReadBuf, 0, 1024);
         if (0 != count)
         {
            // Only print the characters actually read, not the whole buffer
            Console.Write(new string(ReadBuf, 0, count));
         }
      } while (count > 0);
      sr.Close();
      Response.Close();
   }
}


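A configuration that avoids the per-Location renegotiation altogether, added here as an example and not part of the original report: the client-authenticated service gets its own IP-based SSL virtual host with SSLVerifyClient set at host scope, while the public site keeps SSLVerifyClient none. The addresses, hostnames and certificate paths are constructed placeholders.

```apache
# Added example (not from the bug report): split client-certificate
# requirements by virtual host instead of by <Location>, so the client
# certificate is requested in the initial handshake and mod_ssl never
# has to renegotiate mid-connection. Addresses, hostnames and paths
# are constructed placeholders.

Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Public site: no client authentication anywhere under it.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key
    SSLVerifyClient none
    DocumentRoot /var/www/public
</VirtualHost>

# Webservice host: client certificate required for the whole host,
# set once at server scope, so no <Location>-level override exists
# that would differ from the server setting and force a renegotiation.
<VirtualHost 192.0.2.11:443>
    ServerName ws.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/ws.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ws.example.com.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    DocumentRoot /var/www/webservice
</VirtualHost>
```

If the service must stay under the same hostname, the report's second configuration (SSLVerifyClient require at server scope) achieves the same effect at the cost of requiring certificates for the entire site.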