[Mono-dev] Status of SslStream and Related Classes

Martin Hinks mhinks at gmail.com
Thu Aug 18 14:21:06 EDT 2005


Ok, thanks for the answer - I may well have a look at adding some of
the ciphers when I get time...

I know that it is not a requirement to support all ciphers, but many
servers that I am using also do not support all the ciphers - they
seem to support all the ones Mono doesn't currently support - great
lol!

The error produced is "could not negotiate a cipher" or something
similar - which was "fixed" by adding a DH cipher to the list of
supported ciphers (when I say fixed I mean it got a stage further - so
the exception was just unsupported ciphers.)

When I said "problem" I meant the lack of support; hence, is the
lack of support due to DH in Mono not being implemented or merely to
the SSLStream not having been tweaked to support DH?

Thanks again, it's a great class as it is - would be great if I could
help add some ciphers!

Martin

On 8/18/05, Sebastien Pouliot <sebastien.pouliot at gmail.com> wrote:
> Hello Martin,
> 
> On Thu, 2005-18-08 at 09:57 +0100, Martin Hinks wrote:
> > I also have a quick q about the SSLStream that I thought would fit
> > under this topic ;P
> >
> > Is the problem with unsupported ciphers due to bugs/incompleteness of
> > their components - ie. ciphers using DH - are they missing because DH
> > is missing etc.
> 
> Quick answer:
> 
> * This is not a "problem", it's just a ((very) optional) task no one
> else has done (probably because no one needs it badly enough to code/test
> it).
> 
> 
> Long answer:
> 
> * An SSL/TLS implementation doesn't have to support all possible
> ciphers. This is why SSL/TLS includes a negotiation step;
> 
> * The design of SslStream (just like the earlier SslClientStream and
> SslServerStream) doesn't include an API to select which algorithms to
> use (or not use). So the user is out of the loop for selecting the
> cipher (i.e. it will be negotiated between the client and server);
> 
> * Adding ciphers to SSL is much easier than testing them (and the API
> doesn't make it easier);
> 
> * People don't like it when something supported doesn't work, so Mono will
> add new ciphers to SSL only if we're sure they are working properly ;-)
> 
> * Mono.Security.dll supports DH (i.e. DH is present and working) so it
> isn't a cryptographic issue;
> 
> * DH wasn't really helpful for HTTPS (my main interest), nor for data
> access (Carlos) so we didn't implement support for it;
> 
> So it's not a problem (at least for most people). Adding DH support
> shouldn't be a very complex task for anyone interested (but testing may
> be a little more painful).
> --
> Sebastien
> 
> 


-- 
Martin Hinks
http://www.m-s-d.net
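The negotiation step Sebastien describes, and the "could not negotiate a cipher" failure Martin hit, can be modelled in a few lines. The following is an added illustration written for this archive page; it is not Mono's SslStream code and it does not reproduce Mono's suite list. The suite names follow the standard TLS_<keyexchange>_WITH_<cipher>_<mac> naming, the client and server lists are constructed for the example, and the function names (`negotiate`, `missing_key_exchanges`) are this example's own.

```python
"""Toy model of the TLS cipher-suite negotiation step.

Added illustration for this thread; it is not Mono's SslStream code.  Suite
names follow the TLS_<keyexchange>_WITH_<cipher>_<mac> convention; the client
and server lists below are constructed for the example.
"""


class NegotiationError(Exception):
    """Raised when the client offer and the server's list do not intersect."""


def key_exchange(suite):
    """Return the key-exchange part of a suite name, e.g. 'DHE_RSA' or 'RSA'."""
    body = suite[len("TLS_"):] if suite.startswith("TLS_") else suite
    kx, _, _ = body.partition("_WITH_")
    return kx


def negotiate(client_offer, server_supported):
    """Server-side suite selection.

    The client sends the suites it supports (ClientHello); the server must
    answer with one of them that it supports too (ServerHello).  Servers
    usually walk their own preference list, as done here.
    """
    offered = set(client_offer)
    for suite in server_supported:
        if suite in offered:
            return suite
    raise NegotiationError("no cipher suite in common")


def missing_key_exchanges(client_offer, server_supported):
    """Key-exchange families the server requires that the client never offered.

    Useful when diagnosing a 'could not negotiate' failure: it shows whether
    the gap is a whole family (e.g. the client offers no DH suites at all) or
    just a particular cipher within a family the client already has.
    """
    wanted = {key_exchange(s) for s in server_supported}
    have = {key_exchange(s) for s in client_offer}
    return sorted(wanted - have)


# Constructed lists.  A client that only offers RSA key exchange.
CLIENT_RSA_ONLY = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Constructed server that only accepts ephemeral DH suites.
SERVER_DH_ONLY = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
]

# The same client after one DH suite is added to its offer.
CLIENT_WITH_DH = CLIENT_RSA_ONLY + ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]


def demo():
    """Reproduce the failure described in the thread, then the 'fix'."""
    try:
        negotiate(CLIENT_RSA_ONLY, SERVER_DH_ONLY)
        outcome = "unexpected success"
    except NegotiationError as exc:
        gap = ", ".join(missing_key_exchanges(CLIENT_RSA_ONLY, SERVER_DH_ONLY))
        outcome = "%s; server needs %s" % (exc, gap)
    chosen = negotiate(CLIENT_WITH_DH, SERVER_DH_ONLY)
    return outcome, chosen


if __name__ == "__main__":
    failure, chosen = demo()
    print("first attempt:", failure)
    print("after adding a DH suite:", chosen)
```

Note what the model does and does not cover: it reproduces the "no common cipher" failure and shows that merely advertising a DH suite makes the handshake proceed, but it stops there. Offering a suite the client cannot actually complete (no DH key-exchange code behind it) is exactly why Martin's handshake only "got a stage further" before failing, which is also why Sebastien's point about testing matters more than the suite table itself.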


