[Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon Sep 26 12:10:32 EDT 2005


Hello Yngve,

On Mon, 2005-26-09 at 16:26 +0200, Yngve Zackrisson wrote:
> Hi.
> 
> I (like Martin Hinks) have problems with the interoperability 

Martin wasn't talking about HTTPS/SSL/TLS in his latest email (unless I
missed one). The subject was password-based key derivation.

> between a MS .NET HTTPS client and a Linux (Fedora Core 3) Mono server.
> What I like to do is a HTTPS call from my MS .NET client to 
> the Linux Mono server.
> 
> 
> TEST1: mutual
> -------------
> 
> My first test is based on the Mono mutual authentication example:
> 
> http://svn.myrealbox.com/source/trunk/mcs/class/Mono.Security/Test/tools/mutual/
> 
> The difference is that I create the certificates with openSSL 
> and run the client on Win32 and MS .NET.
> 
> On my client I run: 
> 
> $ mutual.exe me292 TLS client16-cert.p12 xxxxxx
> 
> (where me292 is my server DNS and xxxxxx is the p12 password)
> 
> I then get: 
> 
> ...
> CertificateValidation
> CERTIFICATE: 
>     ....
> 
>     Error(s)
>         #-2146762487 
> 
> Meaning untrusted root, for my server certificate.
> I have created a trusted CA cert using openssl x509 with the -trustout
> option. What is the problem? Must I have the .p12 in the Windows store?

If you're using Mono.Security (like the mutual test program) then you
must install the root certificate into the *Mono* certificate store
(even if you're executing the sample with the MS runtime).

You can also use MS' HttpWebRequest for mutual authentication. In this
case (MS runtime + MS HttpWebRequest) you'll need to install the root
certificate into the *Windows* certificate store.

> After the printout of:
> ...
> PrivateKeySelection 
>     ...
> 
>     PrivateKeySelection(1) 
> 
> no more happens on the client side.

That test program wasn't made to output anything useful. It only sends
a "Hello" string to the server. Keep in mind that 'mutual', like the
others, is a *test* tool and not sample code.

> On the server side I run:
> 
> $ openssl s_server -www -cert server16-cert.pem -key server16-key.pem -verify client16-cert.pem -CAfile cacert16t.pem
> 
> and get: 
> 
> verify depth is 0
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> bad gethostbyaddr
> depth=1 /C=SE/L=Stockholm/O=Test Company AB/OU=IT Department - CA/CN=me292
> validity return:1
> depth=0 /C=SE/L=Sundsvall/O=Customer Company 16 AB/CN=Mirsad
> validity return:1
> 
> 
> AFAIK, a "Hello" should be written on the server.

A "Hello" is sent to the server (so the handshake starts), but that
doesn't mean the server will output it on the console.

> 
> TEST2: server
> -------------
> 
> I have also made test with the Mono server example.
> 
> http://svn.myrealbox.com/source/trunk/mcs/class/Mono.Security/Test/tools/server/
> 
> Here I have had problems generating the private key of type .pvk.
> In openssl there is a new option: 
> 
> openssl rsa -in server16-key.pem -pvk-strong -out server16-key.strong.pvk
>                                  -pvk-weak
>                                  -pvk-none
> 
> And I have tried all of them, But none have helped.

I never used OpenSSL to generate PVK files. Either use makecert to
generate your certificates or look at my blog to use the PKCS#12 version
of the server test tool.

> On the Mono server I run: 
> 
> $ mono --debug --verbose MonoSslHttpServer.exe 
>  
> I get a : 
> 
> System.Security.Cryptography.CryptographicException 
> 
> on the Mono server side in : 
> 
> (Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:.ctor (...)
> Mono.Security.Protocol.Tls.Handshake.Server.TlsClientCertificate.ProcessAsTls1 () 
> 
> Can this exception occur because the created pvk-file format 
> is not compatible with the makecert equivalent?

Maybe. PVK is a (bad) Microsoft format (mostly) used for Authenticode.
The only interop testing has been done wrt the MS version of makecert. 

I strongly suggest you do not use PVK in real-life applications (weak
encryption).

> Or can this be a result of some other thing?
> 
> 
> On the client side I now run on Linux the command: 
> 
> $ openssl s_client -connect 192.168.0.246:4433 -key private/client16u-key.pem -cert client16u-cert.pem -CAfile cacert16t.pem -state -msg
> 
> And I get the result (only the last part extracted): 
> 
> ...
> SSL_connect:SSLv3 write client key exchange A
> >>> TLS 1.0 Handshake [length 0046], CertificateVerify
>     0f 00 00 42 00 40 3c de b4 0f 64 47 38 d3 ce e5
>     f8 24 58 de 2c b1 25 23 4d 9a dd b8 e1 56 de 33
>     20 6f c7 86 c6 a0 08 b9 a4 47 45 62 99 47 d0 2a
>     36 b2 76 1e 54 30 20 09 e6 6e 36 96 4c 2d b9 a5
>     2a 80 20 a5 87 3d
> SSL_connect:SSLv3 write certificate verify A
> >>> TLS 1.0 ChangeCipherSpec [length 0001]
>     01
> SSL_connect:SSLv3 write change cipher spec A
> >>> TLS 1.0 Handshake [length 0010], Finished
>     14 00 00 0c 18 1c 7c a3 bf 98 d8 71 fb a3 cf 25
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> <<< TLS 1.0 Alert [length 0002], warning internal_error
>     01 50
> SSL3 alert read:warning:internal error
> SSL_connect:error in SSLv3 read finished A
> SSL_connect:error in SSLv3 read finished A
> write:errno=104
> 
> 
> Anyone that can help?

It would be easier if you explain exactly what you want to achieve. Also
don't expect the test tools to be usable for anything else but testing
Mono's SSL implementation.

> May my problems be because i use openssl?

It's likely for the PVK-related problems.

> Anyone that has done a working HTTPS call from a MS .NET client 
> to a Linux Mono server before?

a *big* lot ;-)
but far fewer have used client certificates

> FYI, on the client I run Microsoft Windows 2000, SP4 
> (emulated with VMware Workstation).

-- 
Sebastien Pouliot
email: sebastien at ximian.com
blog: http://pages.infinit.net/ctech/
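Added example, not code from this thread, from Mono or from its test tools: the OpenSSL-based certificate setup Yngve is struggling with, redone so that the two points Sebastien raises are taken care of. Error -2146762487 is 0x800B0109 (CERT_E_UNTRUSTEDROOT): the client could not chain the server certificate to a root in *its* store, and `openssl x509 -trustout` does not help with that, because it only writes OpenSSL's own "TRUSTED CERTIFICATE" wrapper rather than making any other TLS stack trust the CA. The script builds a CA, a server certificate whose CN matches the DNS name the client dials, a client certificate signed by the same CA, and exports both key pairs as PKCS#12 (the format Sebastien suggests instead of PVK); it then checks each chain with `openssl verify`, which is the same check that failed on the .NET side. All subjects, file names and the password are made up; "me292", "client16" and "xxxxxx" only echo the thread. It assumes an `openssl` CLI (1.1.x or 3.x) with its default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the thread or the Mono project): a test PKI for
# mutual TLS built with OpenSSL, with PKCS#12 bundles instead of PVK files.
# Assumptions: openssl CLI present; every name, subject and password below
# is invented for the demo.
set -eu

# Create ca-*, server-*, client-* and two .p12 bundles under $1.
# Runs in a subshell so the cd does not leak into the caller.
make_mutual_tls_pki() (
    dir="$1"
    mkdir -p "$dir" && cd "$dir"

    # 1. Self-signed CA. `x509 -trustout` is deliberately NOT used: it only
    #    tags the cert for OpenSSL's own trust settings. Other stacks trust a
    #    CA only once its plain certificate is imported into their store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=SE/O=Test Company AB/CN=Test CA" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
    # DER copy, the form the Windows certificate import wizard expects.
    openssl x509 -in ca-cert.pem -outform DER -out ca-cert.cer

    # 2. Server certificate. CN must equal the host name the client connects
    #    to (me292 in the thread); a trusted root does not fix a name mismatch.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=SE/O=Test Company AB/CN=me292" \
        -keyout server-key.pem -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days 365 -out server-cert.pem 2>/dev/null

    # 3. Client certificate signed by the same CA (this is what
    #    `s_server -verify ... -CAfile` checks on the server side).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=SE/O=Customer Company 16 AB/CN=client16" \
        -keyout client-key.pem -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days 365 -out client-cert.pem 2>/dev/null

    # 4. PKCS#12 bundles (cert + private key + CA chain): one for the .NET
    #    client, one for the Mono server, replacing the PVK file.
    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
        -certfile ca-cert.pem -name client16 -passout pass:xxxxxx \
        -out client16-cert.p12
    openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem \
        -certfile ca-cert.pem -name me292 -passout pass:xxxxxx \
        -out server16-cert.p12
)

# Exit 0 when certificate $2 chains to the CA in $1, i.e. the check that
# produces "untrusted root" when it fails. -no-CAfile/-no-CApath keep the
# system trust store out of the picture so only $1 counts.
verify_chain() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject of the certificate inside PKCS#12 bundle $1 (password $2):
# a quick check that the bundle opens and carries the identity you expect.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage: sh mtls-pki.sh ./pki   (with no argument only the functions are defined)
if [ -n "${1:-}" ]; then
    make_mutual_tls_pki "$1"
    verify_chain "$1/ca-cert.pem" "$1/server-cert.pem" && echo "server cert chains to CA"
    verify_chain "$1/ca-cert.pem" "$1/client-cert.pem" && echo "client cert chains to CA"
    p12_subject "$1/client16-cert.p12" xxxxxx
fi
```

For the MS runtime with HttpWebRequest, import `ca-cert.cer` into the Windows "Trusted Root Certification Authorities" store and `client16-cert.p12` into the personal store; for Mono.Security, the CA goes into the Mono store instead (Mono's `certmgr` tool; `certmgr -add -c Trust ca-cert.cer` as I recall its syntax). A Windows 2000 era reader may reject the PKCS#12 encryption modern OpenSSL writes by default; `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES` (or `-legacy` on OpenSSL 3) produces the older, weaker encoding and should be used only for that interop test.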
