[Mono-dev] Remoting through HTTPS
Yngve Zackrisson
yngve.zackrisson at mobila-kontoret.se
Thu Sep 15 06:27:25 EDT 2005
Hi
I am still struggling with remoting and HTTPS:-).
After studying more I have a couple of questions:
A) Server certificate (for Linux / Mono):
In #75751 I asked:
1) Is it possible to create the certificates with openssl in Linux
and use them in .NET (Linux and Mono on the server side
and Win32 and Microsoft .NET on the client side)?
Are there any 'HOWTO resources' on this?
and I got the answer:
(1) your best bet is to create the certificate (using OpenSSL) in the
PKCS#12 format. This should make it easy to import on Windows and Mono
can deal with this format.
Current question:
On Mono I have a problem getting the private key.
I am doing a test server application to check the https communication
(using Poupou's blog example and the XSP Web server as a base).
I have succeeded in creating the .p12 format.
I also have the cert in DER (.cer) format and in .pem format.
I also have the key in .pem format.
On Mono I have a problem with extracting the private key from these files.
AFAIK, one can get the key from the .pvk format through the
PrivateKey.CreateFromFile method.
But how can I get the key in the .pvk format?
Is there any other way to get the key?
B) Server certificate to the Mono / Linux store:
Just checking if I got things right:
I use the commands:
$ mono /usr/lib/mono/certmgr.exe -add -c -m CA cacert.cer
$ mono /usr/lib/mono/certmgr.exe -add -c -m Trust server-certkey.cer
to load the CA cert (cacert.cer, in DER format) and
to load the server cert
(the server certificate request is first signed and
then the server-cert.pem and server-key.pem are concatenated
with the cat command to server-certkey.pem,
which is then converted to server-certkey.cer in DER format).
The CN should be the same as the hostname.
Do you find any error in the above procedure?
Does the Mono SSL handle incoming HTTP requests automatically
or do I have to handle (for instance) the authentication in
the custom channel? (If so, any code to look at? XSP?)
C) Client-side certificate handling in Win32.
I use "HttpWebRequest.ClientCertificates.Add(x509Certificate)"
to set the client certificate.
Below you wrote:
> Using client certificates in this (remoting) setup may prove a little
> more challenging as Fx1.x X509Certificate class has no notion of a
> private key associated with the certificate. This may be fixed by doing
> a custom remoting channel that uses Mono.Security.dll (where you'll have
> a callback to supply the private key for your client certificate).
>
Since I am no expert in this area (I just have to try to be one
due to the current lack of SSL security in .NET Remoting),
I just wonder if anyone can direct me to what to do.
I have read (and implemented) the MS articles about custom channels
and MS authentication, so I pretty much understand custom channels.
I guess that it is only the authentication I have to try to
implement in the custom channel?
Is there any open source code (.NET/Mono C#) about
client-side certificate authentication that I can download and read?
Regards
Yngve Zackrisson
On Wed, 2005-09-07 at 13:39, Sebastien Pouliot wrote:
> Hello Yngve,
>
> On Wed, 2005-07-09 at 11:15 +0200, Yngve Zackrisson wrote:
> > Hi all.
> >
> > I am doing a remoting application
> > and have a Win32 Client with MS .NET v1.1
> > and a Linux (Fedora Core 3 x86) Server with Mono 1.1.8.3.
> >
> > The different clients will call the remote objects methods
> > on the server.
> > Among other things the clients will upload a file to the server.
> > I (now) only use "normal" calls to upload a file -
> > no "callbacks" any more.
> > The server will be located at our place.
> > The clients will be users of "services", running on our server.
> > The remote objects are currently hosted by a Console application,
> > but are planned to be hosted by a Windows service (on Linux / Mono :-)).
> > I have gotten this working with HTTP.
> >
> > I now will try to do this with HTTPS (on port 443),
> > to get a secure tunnel between the client and the server.
> >
> > We would like to use SSL with both encryption and authentication,
> > through x509 certificates.
> > The certificates should (preferably) be self signed.
> >
> > From my testings and readings I have found that:
> > 1) My Win32 client uses Tls.
> > 2) The Win32 client certificates should be:
> > a) Set in the ClientCertificates property of the HttpWebRequest.
> > b) The client certificate must be installed in
> > the LOCAL_MACHINE registry hive.
> > (See: KB895971 at http://support.microsoft.com/?kbid=895971).
> > 3) .NET prefers the DER format (called .cer)
> > but may also use the .p12 format.
> > 4) From the Microsoft .NET documentation,
> > I have found support only for certificate authentication
> > through ASP.NET/IIS-hosting - In MS .NET v1.1.
> > 5) There is some support for SSL in Mono,
> > and I have succeeded in installing certificates in Mono through certmgr
> > (but I may have done it wrong. No real test yet).
>
>
> > What I wonder is whether this approach is going to work with .NET Remoting
> > and with different Win32 MS .NET clients calling a Linux Mono server?
>
> Using client certificates in this (remoting) setup may prove a little
> more challenging as Fx1.x X509Certificate class has no notion of a
> private key associated with the certificate. This may be fixed by doing
> a custom remoting channel that uses Mono.Security.dll (where you'll have
> a callback to supply the private key for your client certificate).
>
> > Do I have to customize any part of the SSL handshake?
>
> No. SSL/TLS is a negotiating protocol. You supply the certificates and
> the rest gets done (well pretty much).
>
> More details on SSL are available in the FAQ
> http://www.mono-project.com/FAQ:_Security
>
> > On the remote objects methods, I would like to have
> > access checks on the users .NET Roles.
> > Is it possible to impersonate the principal and add .NET Roles
> > to that principal when the remote objects are hosted in
> > a Console application or a Windows service (in Linux / Mono)?
>
> You can't impersonate (in the win32 way) if your communication channel
> doesn't support it (e.g. SSPI) - so this works only for _some_ win32
> stuff.
>
> You can always "mimic" the impersonation by transferring the identity in
> a custom remoting channel (and setting the IPrincipal of the remote
> object yourself). There are a lot of examples for doing this on the net.
> Alternatively you can create a new IPrincipal instance based on the
> client certificate used by the client.
>
> Lastly when using roles be sure to use imperative demands (e.g.
> IPrincipal.IsInRole) and not declarative security attributes
> (PrincipalPermission) unless you activate the security manager
> (--security).
> http://www.mono-project.com/CAS
>
> > Further, I am not really sure about how to set up the certificates
> > on the Mono server for SSL.
>
> See the FAQ and/or do a "man certmgr" in a terminal.
>
> > I assume the certificates should be placed in the machine store.
>
> That depends on what will be using the certificate.
>
> > I have the certificates in DER (.cer) format.
> > Should the CA certificate be placed in the CA store
> > or in the Trust store? Any more to think about?
>
> Self-signed certificates go to the trusted store.
> The CA store is for intermediate CA certificates.
>
> > I assume that the server certificate should be placed
> > in the Trust store (of the machine store).
> > I hope this is right.
>
> The machine store is handy if you don't know under which identity (user)
> your program is gonna be executed (or if it may be executed by multiple
> users on the same system). Otherwise keep your stuff in the user store.
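For the client-side part (C), here is an added example of the approach the reply sketches: keep the private key outside the Fx 1.x X509Certificate and hand it to Mono's TLS layer through a callback. This is illustration written for this archive page, not code from the thread, from Poupou's blog or from the Mono project. It assumes Mono.Security.dll is referenced (mcs -r:Mono.Security), that Mono.Security.X509.PKCS12 exposes Certificates and Keys, and that SslClientStream exposes the ServerCertValidationDelegate, ClientCertSelectionDelegate and PrivateKeyCertSelectionDelegate properties used below; check those names against the Mono.Security.dll you actually ship. The file name, password, host and port are placeholders.

```csharp
// Added example (not from the thread): load a client certificate and its key
// from a PKCS#12 bundle with Mono.Security and supply the key to the TLS
// client stream via the private-key callback. Build: mcs -r:Mono.Security ClientCertDemo.cs
// Assumed API (verify against your Mono.Security.dll): PKCS12.Certificates,
// PKCS12.Keys and the three SslClientStream delegate properties set below.
using System;
using System.IO;
using System.Net.Sockets;
using System.Security.Cryptography;
using Mono.Security.Protocol.Tls;
using MonoCert = Mono.Security.X509.X509Certificate;
using FxCert = System.Security.Cryptography.X509Certificates.X509Certificate;
using FxCertCollection = System.Security.Cryptography.X509Certificates.X509CertificateCollection;

public class ClientCertDemo
{
    // Placeholders. The bundle can be produced from the PEM files with:
    //   openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out client.p12
    const string P12Path = "client.p12";
    const string P12Password = "changeit";

    FxCert clientCert;              // public part, all an Fx 1.x X509Certificate can hold
    AsymmetricAlgorithm clientKey;  // private key, kept beside the certificate

    // Reads certificate and key straight from the PKCS#12 file; no .pvk needed.
    public void LoadPkcs12()
    {
        byte[] raw;
        using (FileStream fs = File.OpenRead(P12Path))
            raw = new BinaryReader(fs).ReadBytes((int) fs.Length);

        Mono.Security.X509.PKCS12 p12 = new Mono.Security.X509.PKCS12(raw, P12Password);
        if (p12.Certificates.Count == 0 || p12.Keys.Count == 0)
            throw new CryptographicException("PKCS#12 bundle holds no certificate or no key");

        MonoCert mc = p12.Certificates[0];
        clientCert = new FxCert(mc.RawData);            // DER bytes -> Fx certificate
        clientKey = (AsymmetricAlgorithm) p12.Keys[0];  // the matching RSA/DSA instance
    }

    // Opens a TLS connection and registers the callbacks; the handshake runs
    // on the first Read/Write the caller performs on the returned stream.
    public SslClientStream Connect(string host, int port)
    {
        TcpClient tcp = new TcpClient(host, port);
        FxCertCollection certs = new FxCertCollection();
        certs.Add(clientCert);

        SslClientStream ssl = new SslClientStream(tcp.GetStream(), host, true,
            SecurityProtocolType.Tls, certs);
        ssl.ServerCertValidationDelegate = new CertificateValidationCallback(ValidateServer);
        ssl.ClientCertSelectionDelegate = new CertificateSelectionCallback(SelectClientCert);
        ssl.PrivateKeyCertSelectionDelegate = new PrivateKeySelectionCallback(SelectPrivateKey);
        return ssl;
    }

    // Refuse any server certificate the Mono store does not trust. A self-signed
    // server certificate installed with certmgr (-m Trust) passes with no errors.
    bool ValidateServer(FxCert cert, int[] errors)
    {
        if (errors.Length == 0)
            return true;
        foreach (int e in errors)
            Console.Error.WriteLine("server certificate error 0x{0:X8}", e);
        return false;
    }

    // Called when the server requests a client certificate.
    FxCert SelectClientCert(FxCertCollection clientCerts, FxCert serverCert,
        string targetHost, FxCertCollection serverRequested)
    {
        return clientCerts.Count > 0 ? clientCerts[0] : null;
    }

    // The callback the reply refers to: the TLS layer asks for the key that
    // belongs to the selected certificate, because Fx 1.x cannot carry it.
    AsymmetricAlgorithm SelectPrivateKey(FxCert cert, string targetHost)
    {
        return cert.Equals(clientCert) ? clientKey : null;
    }

    public static void Main(string[] args)
    {
        ClientCertDemo demo = new ClientCertDemo();
        demo.LoadPkcs12();
        SslClientStream ssl = demo.Connect("server.example", 443);  // placeholder host
        byte[] req = System.Text.Encoding.ASCII.GetBytes("GET / HTTP/1.0\r\n\r\n");
        ssl.Write(req, 0, req.Length);   // triggers the handshake and the callbacks
        ssl.Close();
    }
}
```

Wrapping the stream this way inside a custom remoting channel is what lets the client side authenticate with a certificate on Fx 1.x; the server-side check stays strict (no errors tolerated), so the CA or self-signed server certificate must really be present in the store that certmgr populated.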