[Mono-dev] Remoting through HTTPS

Sebastien Pouliot sebastien.pouliot at gmail.com
Thu Sep 15 07:52:24 EDT 2005


Hello Yngve,

On Thu, 2005-15-09 at 12:27 +0200, Yngve Zackrisson wrote:
> Hi
> 
> I am still struggling with remoting and HTTPS:-).
> After studying more I have a couple of questions:
> 
> A) Server certificate (for Linux / Mono): 
> 
>    On #75751 I questioned: 
> 
>    1) Is it possible to create the certificates with openssl in Linux 
>       and use them in .NET (Linux and Mono on the server side 
>       and Win32 and Microsoft .NET on the client side)?
>       Is there any 'HOWTODO-resources' on this?
> 
>    and I got the answer:
> 
>    (1) your best bet is to create the certificate (using OpenSSL) in the
>    PKCS#12 format. This should make it easy to import on Windows and Mono
>    can deal with this format.
> 
>    Current question:
> 
>    On Mono I have a problem with getting the private key.
> 
>    I am doing a test server application to check the https communication 
>    (using a "Poupou's blog" example and the XSP Web server as a base).
>    I have succeeded creating the .p12 format.
>    I also have the cert in DER (.cer) format and in .pem format.
>    I also have the key in .pem format.
>    On Mono I have a problem with extraction of the private key from these files.
>    AFAIK, one can get the key from the .pvk format through the 
>    PrivateKey.CreateFromFile method.

Yes, but that's not the only way - and definitely not the way if you're
using PKCS#12.

>    But how can I get the key in the .pvk format?

The whole point of using PKCS#12 is to avoid the less-secure PVK format.

>    Is there any other way to get the key?

You can get a list of the private keys (there can be more than one)
available in the PKCS#12 file by using the Keys property.

> B) Server certificate to the Mono / Linux store: 
> 
>    Just checking if I got things right:
> 
>    I use the commands: 
> 
>    $ mono /usr/lib/mono/certmgr.exe -add -c -m CA cacert.cer
> 
>    $ mono /usr/lib/mono/certmgr.exe -add -c -m Trust server-certkey.cer

You should have a certmgr script (that calls mono on the installed
certmgr.exe) that would be simpler to type.

>    to load the CA cert (cacert.cer in DER format) and 
>    to load the server cert 
>    (the server certificate request is first signed and 
>    then the server-cert.pem and server-key.pem are concatenated 
>    with the cat command to server-certkey.pem 
>    which is then converted to server-certkey.cer in DER format).

???
server-cert.pem should contain your server certificate.
DON'T CONCATENATE your private key with it. The certificate store isn't
designed to keep private keys safe.

>    The CN should be the same as hostname.

yes

>    Do you find any error in the above procedure?

No. The Trust is done on a self-signed (root) certificate - which is
generally a CA certificate (non-self-signed certificates go into the
CA store).

_Assuming_ that your CA certificate is self-signed then all you have to
do is:

certmgr -add -c -m cacert.cer

The server certificate doesn't have to be in the store as you supply it
to the server.

>    Does the Mono SSL handle incoming httprequests automatically 
>    or do I have to handle (for instance) the authentication in 
>    the custom channel? (If so, any code to look at? XSP?).

Mono's SSL doesn't (directly) understand HTTP - it sits lower in the
network stack.

Recent XSP versions are SSL enabled.


> C) Client side certificate handling in Win32.
> 
>    I use "HttpWebRequest.ClientCertificates.Add(x509Certificate)" 
>    to set the client certificate.
> 
>    Below you wrote: 
> 
> > Using client certificates in this (remoting) setup may prove a little
> > more challenging as Fx1.x X509Certificate class has no notion of a
> > private key associated with the certificate. This may be fixed by doing
> > a custom remoting channel that use Mono.Security.dll (where you'll have
> > a callback to supply the private key for your client certificate).
> > 
>    
>    Since I am no expert in this area (just have to try to be one 
>    due to the current lack of SSL security in .NET Remoting) 
>    I just wonder if anyone can direct me to what to do.
>    I have read (implemented) the MS articles about custom channels 
>    and MS authentication, so I pretty much understand custom channels. 
>    I guess that it is only the authentication I have to try to 
>    implement in the custom channel?

and I'm no expert in remoting ;-) but I would try setting up a "classic"
SSL channel first - then worry about client certificates. At least
at this stage you'll have some code to show to get more help.

>    Is there any open source code (.NET Mono C#) - about 
>    client side certificate authentication - I can download and read?

The XSP version released with 1.1.9 supports client-side certificates.

> 
> Regards
> 
> Yngve Zackrisson
> 
> On Wed, 2005-09-07 at 13:39, Sebastien Pouliot wrote:
> > Hello Yngve,
> > 
> > On Wed, 2005-07-09 at 11:15 +0200, Yngve Zackrisson wrote:
> > > Hi all.
> > > 
> > > I am doing a remoting application 
> > > and have a Win32 Client with MS .NET v1.1
> > > and a Linux (Fedora Core 3 x86) Server with Mono 1.1.8.3.
> > > 
> > > The different clients will call the remote objects' methods 
> > > on the server. 
> > > Among other things the clients will upload a file to the server. 
> > > I (now) only use "normal" calls to upload a file - 
> > > no "callbacks" any more.
> > > The server will be located at our place.
> > > The clients will be users of "services", running on our server.
> > > The remote objects are currently hosted by a Console application, 
> > > but are planned to be hosted by a Windows service (on Linux / Mono :-)).
> > > I have gotten this working with HTTP.
> > > 
> > > I now will try to do this with HTTPS (on port 443), 
> > > to get a secure tunnel between the client and the server.
> > > 
> > > We would like to use SSL with both encryption and authentication, 
> > > through x509 certificates.
> > > The certificates should (preferably) be self signed.
> > > 
> > > From my testings and readings I have found that: 
> > > 1) My Win32 client uses Tls.
> > > 2) The Win32 client certificates should be:
> > >    a) Set in the ClientCertificates property of the HttpWebRequest.
> > >    b) The client certificate must be installed in 
> > >       the LOCAL_MACHINE registry hive.
> > >    (See: KB895971 at http://support.microsoft.com/?kbid=895971).
> > > 3) .NET prefers the DER format (called .cer) 
> > >    but may also use the .p12 format.
> > > 4) From the Microsoft .NET documentation, 
> > >    I have found support only for certificate authentication 
> > >    through ASP.NET/IIS-hosting - In MS .NET v1.1.
> > > 5) There is some support for SSL in Mono, 
> > >    and I have succeeded to install certificates in Mono through certmgr 
> > >    (but I may have done it wrong. No real test yet).
> > 
> > > What I wonder is whether this approach is gonna work with .NET Remoting 
> > > and with different Win32 MS .NET clients calling a Linux Mono server?
> > 
> > Using client certificates in this (remoting) setup may prove a little
> > more challenging as Fx1.x X509Certificate class has no notion of a
> > private key associated with the certificate. This may be fixed by doing
> > a custom remoting channel that use Mono.Security.dll (where you'll have
> > a callback to supply the private key for your client certificate).
> > 
> > > Do I have to customize any part of the SSL handshake?
> > 
> > No. SSL/TLS is a negotiating protocol. You supply the certificates and
> > the rest gets done (well pretty much).
> > 
> > More details on SSL are available in the FAQ
> > http://www.mono-project.com/FAQ:_Security
> > 
> > > On the remote objects methods, I would like to have 
> > > access checks on the users .NET Roles.
> > > Is it possible to impersonate the principal and add .NET Roles 
> > > to that principal when the remote objects are hosted in 
> > > a Console application or a Windows service (in Linux / Mono)?
> > 
> > You can't impersonate (in the win32 way) if your communication channel
> > doesn't support it (e.g. SSPI) - so this works only for _some_ win32
> > stuff.
> > 
> > You can always "mimic" the impersonation by transferring the identity in
> > a custom remoting channel (and setting the IPrincipal of the remote
> > object yourself). There are a lot of examples for doing this on the net.
> > Alternatively you can create a new IPrincipal instance based on the
> > client certificate used by the client.
> > 
> > Lastly when using roles be sure to use imperative demands (e.g.
> > IPrincipal.IsInRole) and not declarative security attributes
> > (PrincipalPermission) unless you activate the security manager
> > (--security).
> > http://www.mono-project.com/CAS
> > 
> > > Further, I am not really sure about how to set up the certificates 
> > > on the Mono server for SSL.
> > 
> > See the FAQ and/or do a "man certmgr" in a terminal.
> > 
> > > I assume the certificates should be placed in the machine store.
> > 
> > That depends on what will be using the certificate.
> > 
> > > I have the certificates in DER (.cer) format.
> > > Should the CA certificate be placed in the CA store 
> > > or in the Trust store? Any more to think about?
> > 
> > Self-signed certificates go to the trusted store.
> > The CA store is for intermediate CA certificates.
> > 
> > > I assume that the server certificate should be placed 
> > > in the Trust store (of the machine store).
> > > I hope this is right.
> > 
> > The machine store is handy if you don't know under which identity (user)
> > your program is gonna be executed (or if it may be executed by multiple
> > users on the same system). Otherwise keep your stuff in the user store.
> 
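As an added example, not code from this thread or from Mono itself, the following shows the path Sebastien points at: read the PKCS#12 bundle with Mono.Security's PKCS12 class, take the key from its Keys property that matches the server certificate (a bundle can carry several keys, so the match is done on the RSA modulus), and hand it to SslServerStream through its private-key callback, so the key is never converted to PVK and never goes into the certificate store. The file name, password, port, and the assumption that the first certificate in the bundle is the server certificate are mine; the program needs a reference to Mono.Security.dll (mcs -r:Mono.Security server.cs).

```csharp
// Added example: serve one TLS connection using a key and certificate
// taken from a PKCS#12 file via Mono.Security. Not from the original thread.
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using Mono.Security.X509;
using Mono.Security.Protocol.Tls;
using SysX509 = System.Security.Cryptography.X509Certificates.X509Certificate;

class Pkcs12TlsServer
{
    // Private key kept out of the certificate object; Mono asks for it
    // through the PrivateKeyCertSelectionDelegate callback below.
    static RSA serverKey;

    // Compare two byte arrays (used to match a key's modulus to a certificate's).
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    // PKCS12.Keys may hold more than one key; return the RSA key whose public
    // modulus equals the certificate's, or null if none matches.
    static RSA FindMatchingKey(PKCS12 p12, X509Certificate cert)
    {
        if (cert.RSA == null) return null;
        byte[] wanted = cert.RSA.ExportParameters(false).Modulus;
        foreach (object key in p12.Keys)
        {
            RSA rsa = key as RSA;
            if (rsa == null) continue;
            if (SameBytes(rsa.ExportParameters(false).Modulus, wanted))
                return rsa;
        }
        return null;
    }

    // Callback signature expected by SslServerStream.PrivateKeyCertSelectionDelegate.
    static AsymmetricAlgorithm SelectKey(SysX509 certificate, string targetHost)
    {
        return serverKey;
    }

    static void Main(string[] args)
    {
        // Placeholders: replace with your own .p12 file and its password.
        PKCS12 p12 = PKCS12.LoadFromFile("server.p12", "changeit");
        if (p12.Certificates.Count == 0)
        {
            Console.WriteLine("no certificate found in the PKCS#12 file");
            return;
        }

        // Assumption: the first certificate in the bundle is the server (leaf) certificate.
        X509Certificate serverCert = p12.Certificates[0];
        serverKey = FindMatchingKey(p12, serverCert);
        if (serverKey == null)
        {
            Console.WriteLine("no private key in the bundle matches " + serverCert.SubjectName);
            return;
        }

        // SslServerStream takes the framework's X509Certificate type; build it from the raw DER.
        SysX509 sysCert = new SysX509(serverCert.RawData);

        TcpListener listener = new TcpListener(IPAddress.Any, 8443); // arbitrary port
        listener.Start();
        Console.WriteLine("listening on 8443 as " + serverCert.SubjectName);

        using (TcpClient client = listener.AcceptTcpClient())
        {
            // Third argument: do not require a client certificate in this first version.
            SslServerStream ssl = new SslServerStream(client.GetStream(), sysCert, false, true);
            ssl.PrivateKeyCertSelectionDelegate += new PrivateKeySelectionCallback(SelectKey);

            StreamReader reader = new StreamReader(ssl);
            StreamWriter writer = new StreamWriter(ssl);
            string requestLine = reader.ReadLine(); // handshake runs on first read
            Console.WriteLine("got: " + requestLine);
            writer.Write("HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok");
            writer.Flush();
            ssl.Close();
        }
        listener.Stop();
    }
}
```

The matching step is what makes the Keys property safe to use with a bundle exported by OpenSSL that contains more than one key pair: picking `p12.Keys[0]` blindly can pair the certificate with the wrong key and the handshake fails at the client. Client-certificate checks would be added on the same object through ClientCertValidationDelegate once the plain server side works, as Sebastien suggests.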