[Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]
Sebastien Pouliot
sebastien.pouliot at gmail.com
Wed Sep 28 09:20:38 EDT 2005
Hello Yngve,
On Wed, 2005-28-09 at 14:54 +0200, Yngve Zackrisson wrote:
...
> > > > Should I add a PKCS#12 cert file to the Mono Store (Machine store)
> > > > (mono /.../certmgr.exe -add -c -m Trust server16-cert.p12)
> > > > or add only the CA to the trust store
> > > > (mono /.../certmgr.exe -add -c -m Trust cacert16t.cer)
> > > > or anything else to get rid of this error message?
> > >
> > > It must be either the user or machine Trusted store (otherwise you'll
> > > get a trust error).
> >
> > OK. But which certificate is preferable to add to the store?
> >
> > a) mono /.../certmgr.exe -add -c -m Trust server16-cert.p12
> >
> > or
> >
> > b) mono /.../certmgr.exe -add -c -m Trust cacert16t.cer
Trust is transitive, i.e. the server will be trusted if its signer is
trusted. So only the self-signed root certificate needs to be added to
the Trust store.
> > I also have a question about the trust of the root CA certificate.
> > The cacert16t.cer above I have created with the following
> > openssl commands:
> >
> > ...
> > $ openssl x509 -in cacert16.pem -trustout -setalias "TrustedRootCert"
> > -out cacert16t.pem
> >
> > $ openssl x509 -inform PEM -in cacert16t.pem -outform DER -out
> > cacert16t.cer
> >
> > Is the first openssl command necessary since the signed client
> > and server certificates, or at least its root CA,
> > should be added to the Windows/Mono (Trust) store?
> >
> > Currently I use the cacert16t.pem file as -certfile
> > when creating the client and server PKCS#12 files -
> > with the openssl pkcs12 command.
> > Will the cacert16.pem file be enough?
I honestly don't know (without reading the man page myself). I don't use
openssl much (for x.509 related stuff) because (a) its formats aren't
the ones natively used in .NET and (b) I try to dogfood my own tools ;-)
...
> > > Yesterday (after your previous email) I tried to use the MS runtime for
> > > client certificate without success (same failure). Somehow MS does
> > > something different* because the server can't verify the signature (and
> > > it's not a key and/or decryption problem - the hash value is different
> > > but the padding is ok).
> > >
> > > Using IE (with the SSL2 client hello) to do the same turned out another
> > > problem, very similar to the bug #76254 reported today.
> > >
> > > [*] The client certificate testing is done with wget/openssl
> > > (linux/cygwin) - which sadly doesn't seem enough :(
> >
> > Please let me know if you come up with some solution.
> >
> > I have been working with the HTTPS communication for some 2 months now,
> > and my boss is eager to get a solution :-).
Please open a bugzilla issue on bugzilla.ximian.com (e.g. "SSL client
certificate doesn't work with IE."). That way you'll get notified as
soon as (and whenever) I change the bug status.
--
Sebastien Pouliot
email: sebastien at ximian.com
blog: http://pages.infinit.net/ctech/
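An added example (editor's, not from the thread or from Mono) that reproduces the two points discussed above with openssl: trust is transitive, so a server certificate validates when only the self-signed root is in the trust store, and the `-trustout`/`-setalias` step only changes the PEM envelope, so the DER `.cer` produced from it is byte-identical to the one produced from the plain PEM. All names (Example Root CA, Example Issuing CA, server16) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> server
# with openssl, then check which certificate must sit in the trust store.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed root: the only certificate that belongs in a Trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# issue NAME ISSUER SUBJECT EXTENSION: new key + CSR, signed by ISSUER's key.
issue() {
    printf '%s\n' "$4" > "$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue inter  root  "/CN=Example Issuing CA" "basicConstraints=critical,CA:TRUE"
issue server inter "/CN=server16"           "basicConstraints=CA:FALSE"

# verify_with ANCHORS UNTRUSTED LEAF: 0 if LEAF chains up to a cert in ANCHORS.
verify_with() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# same_der A B: 0 if the two DER files are byte-identical (compared by SHA-256).
same_der() {
    [ "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" = \
      "$(openssl dgst -sha256 -r "$2" | cut -d' ' -f1)" ]
}

# Trust is transitive: anchoring only the root validates the server cert ...
verify_with root.pem inter.pem server.pem && echo "root anchored:   server16 OK"
# ... while anchoring the server certificate itself (the .p12 option) does not:
# the chain above it still ends at an issuer that is not trusted.
verify_with server.pem inter.pem server.pem || echo "server anchored: server16 NOT OK"

# -trustout/-setalias only wrap the certificate in OpenSSL's "TRUSTED
# CERTIFICATE" PEM envelope; DER output (.cer) carries the bare certificate,
# so the .cer built from the trusted PEM equals the one built from the plain PEM.
openssl x509 -in root.pem -trustout -setalias "TrustedRootCert" -out root-t.pem
openssl x509 -in root-t.pem -outform DER -out root-t.cer
openssl x509 -in root.pem   -outform DER -out root.cer
same_der root.cer root-t.cer && echo "DER from trusted PEM == DER from plain PEM"
```

Requires the openssl command-line tool; the script works in a temporary directory that it removes on exit.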