[Mono-dev] Mutual authentication with HttpWebRequest?

Sebastien Pouliot sebastien.pouliot at gmail.com
Wed Nov 9 07:48:25 EST 2005


Hello Jay,

On Tue, 2005-11-08 at 09:43 -0700, Jay Miller wrote:
> I'm in the process of making an authenticating SSL client in Mono and
> I was hoping someone could confirm that mutual authentication doesn't
> currently work via HttpWebRequest/Response (since Mono doesn't search
> the My store for a private key like Windows)

For general information, Windows CryptoAPI, not the FX, looks for an
"associated" key (it's not a wild search into all the keys available in
the My store). This results in a strange model (in fx 1.x) where you
must have the certificate (without any managed access to the stores) and
can't get/set the private key (again with managed code) without access
to the store. Definitely not a portable API :(

Mono tools don't make such an association (between certificates and
stores).

> , but instead requires that
> I create an SslClientStream directly (and set the various callbacks).
> 
> If this is the case, is it true that the ClientCertificates property of
> HttpWebRequest is just a dummy parameter for now?  

Almost. It goes down to the SslClientStream ctor but there is no
callback possible (in HttpWebRequest) to associate it with a private key
(so it ends up useless).

> Also, are there any
> plans to extend Mono to behave more like the MS stuff? (Not being able to
> use HttpWebRequest/Response is kind of a drag!)

This will (almost) fix itself once the 2.0 profile is completed for
X.509 certificate classes. The new X509Certificate class (and the
X509Certificate2 class) have the "knowledge" that a private key may be
associated with the certificate (e.g. when loading a pkcs#12 file).

This means it will be possible, using the current API and with very
minor changes, to supply an X509Certificate instance (including a
private key) to HttpWebRequest.ClientCertificates so no callback is
required.

> Thank you in advance for any corrections or confirmations!
> 
-- 
Sebastien Pouliot
email: sebastien at ximian.com
blog: http://pages.infinit.net/ctech/
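
The 2.0-profile approach described in the reply above, as an added example that is not part of the original post or Mono's own code: it loads a PKCS#12 file into an X509Certificate2, checks that a private key actually came with it, and hands it to HttpWebRequest.ClientCertificates. The command-line arguments and the CLIENT_P12_PASSWORD environment variable name are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class MutualTlsClient
{
    // Load the client identity from a PKCS#12 file and fail closed when it is
    // unusable: a certificate without its private key cannot sign the
    // handshake, so attaching it to the request would be useless.
    static X509Certificate2 LoadClientIdentity(string pkcs12Path, string password)
    {
        X509Certificate2 cert = new X509Certificate2(pkcs12Path, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "No private key associated with " + cert.Subject);
        DateTime now = DateTime.Now; // NotBefore/NotAfter are local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException(
                "Client certificate is outside its validity period");
        return cert;
    }

    static int Main(string[] args)
    {
        // Hypothetical variable name; keeps the password off the command line.
        string password = Environment.GetEnvironmentVariable("CLIENT_P12_PASSWORD");
        if (args.Length != 2 || password == null)
        {
            Console.Error.WriteLine(
                "usage: CLIENT_P12_PASSWORD=... client.exe <https-url> <client.p12>");
            return 2;
        }
        X509Certificate2 identity = LoadClientIdentity(args[1], password);

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(args[0]);
        // The certificate object carries its own key, so no callback is needed.
        request.ClientCertificates.Add(identity);

        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            Console.WriteLine("{0} {1}", (int)response.StatusCode, response.StatusDescription);
            Console.WriteLine(reader.ReadToEnd());
        }
        return 0;
    }
}
```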



