[Mono-dev] Remothing through HTTPS

Sebastien Pouliot sebastien.pouliot at gmail.com
Wed Sep 7 07:39:38 EDT 2005


Hello Yngve,

On Wed, 2005-07-09 at 11:15 +0200, Yngve Zackrisson wrote:
> Hi all.
> 
> I am doing an remoting application 
> and have a Win32 Client with MS .NET v1.1
> and a Linux (Fedora Core 3 x86) Server with Mono 1.1.8.3.
> 
> The different clients will call the remote objects methods 
> on the server. 
> Among other things the clients will upload a file to the server. 
> I (now) only uses "normal" calls to upload a file - 
> no "callbacks" any more.
> The server will be located at our place.
> The clients will be users of "services", running on our server.
> The remote objects is currently hosted by an Console application, 
> but is planned to be hosted by a Windows service (on Linux / Mono :-)).
> I have gotten this working with HTTP.
> 
> I now will try to do this with HTTPS (on port 443), 
> to get a secure tunnel between the client and the server.
> 
> We would like to use SSL with both encryption and authentication, 
> through x509 certificates.
> The certificates should (preferable) be self signed.
> 
> >From my testings and readings I have found that: 
> 1) My Win32 client uses Tls.
> 2) The Win32 client certificates should be:
>    a) Set in the ClientCertificates property of the HttpWebRequest.
>    b) The client certificate must be installed in 
>       the LOCAL_MACHINE registry hive.
>    (Se: KB895971 at http://support.microsoft.com/?kbid=895971).
> 3) .NET prefer the DER format (called .cer) 
>    but may also use the .p12 format.
> 4) From the Microsoft .NET documentation, 
>    I have found support only for certificate authentication 
>    through ASP.NET/IIS-hosting - In MS .NET v1.1.
> 5) There is some support for SSL in Mono, 
>    and I have succeeded to install certificates in Mono through certmgr 
>    (but I may have done it wrong. No real test yet).


> What I wonder is weather this approach gonna work with .NET Remoting 
> and with different Win32 MS .NET clients calling a Linux Mono server?.

Using client certificates in this (remoting) setup may prove a little
more challenging as Fx1.x X509Certificate class has no notion of a
private key associated with the certificate. This may be fixed by doing
a custom remoting channel that use Mono.Security.dll (where you'll have
a callback to supply the private key for your client certificate).

> Do I have to customize any part of the SSL handshake?.

No. SSL/TLS is a negotiating protocol. You supply the certificates and
the rest gets done (well pretty much).

More details on SSL are available in the FAQ
http://www.mono-project.com/FAQ:_Security

> On the remote objects methods, I would like to have 
> access checks on the users .NET Roles.
> Is it possible to impersonate the principal and add .NET Roles 
> to that principal when the remote objects is hosted in 
> a Console application or a Windows service (in Linux / Mono)?.

You can't impersonate (in the win32 way) if your communication channel
doesn't support it (e.g. SSPI) - so this works only for _some_ win32
stuff.

You can always "mimic" the impersonation by transferring the identity in
a custom remoting channel (and setting the IPrincipal of the remote
object yourself). There are a lot of example for doing this on the net.
Alternatively you can create a new IPrincipal instance based on the
client certificate used by client client.

Lastly when using roles be sure to use imperative demands (e.g.
IPrincipal.IsInRole) and not declarative security attributes
(PrincipalPermission) unless you activate the security manager
(--security).
http://www.mono-project.com/CAS

> Further, I am not really sure about how to set up the certificates 
> on the Mono server for SSL.

See the FAQ and/or do a "man certmgr" in a terminal.

> I assume the the certificates should be placed in the machine store.

That depends on what will be using the certificate.

> I have the certificates in DER (.cer) format.
> Should the CA certificate be placed in the CA store 
> or in the Trust store?. Any more to think about?.

Self-signed certificates goes to the trusted store.
The CA store is for intermediate CA certificates.

> I assume that the server certificate should be placed 
> in the Trust store (of the machine store).
> I hope this is right.

The machine store is handy if you don't know under which identity (user)
your program is gonna be executed (or if it may be executed by multiple
users on the same system). Otherwise keep your stuff in the user store.

-- 
Sebastien Pouliot
email: sebastien at ximian.com
blog: http://pages.infinit.net/ctech/




More information about the Mono-devel-list mailing list