[Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]
Yngve Zackrisson
yngve.zackrisson at mobila-kontoret.se
Wed Sep 28 10:54:14 EDT 2005
On Wed, 2005-09-28 at 15:20, Sebastien Pouliot wrote:
> Hello Yngve,
>
> On Wed, 2005-28-09 at 14:54 +0200, Yngve Zackrisson wrote:
> ...
> > > > > Should I add a PKCS#12 cert file to the Mono Store (Machine store)
> > > > > (mono /.../certmgr.exe -add -c -m Trust server16-cert.p12)
> > > > > or add only the CA to the trust store
> > > > > (mono /.../certmgr.exe -add -c -m Trust cacert16t.cer)
> > > > > or anything else to get rid of this error message?
> > > >
> > > > It must be either the user or machine Trusted store (otherwise you'll
> > > > get a trust error).
> > >
> > > OK. But which certificate is preferable to add to the store?
> > >
> > > a) mono /.../certmgr.exe -add -c -m Trust server16-cert.p12
> > >
> > > or
> > >
> > > b) mono /.../certmgr.exe -add -c -m Trust cacert16t.cer
>
> Trust is transitive, i.e. the server will be trusted if its signer is
> trusted. So only the self-signed root certificate needs to be added to
> the Trust store.
I interpret this as: b) above is enough.
What I was wondering with this question was whether a) would solve
the error #-2146762486 (CERT_E_CHAINING problem) on the server.
>
> > > I also have a question about the trust of the root CA certificate.
> > > The cacert16t.cer above I have created with the following
> > > openssl commands:
> > >
> > > ...
> > > $ openssl x509 -in cacert16.pem -trustout -setalias "TrustedRootCert"
> > > -out cacert16t.pem
> > >
> > > $ openssl x509 -inform PEM -in cacert16t.pem -outform DER -out
> > > cacert16t.cer
> > >
> > > Is the first openssl command necessary, since the signed client
> > > and server certificates, or at least their root CA,
> > > should be added to the Windows/Mono (Trust) store?
> > >
> > > Currently I use the cacert16t.pem file as -certfile
> > > when creating the client and server PKCS#12 files -
> > > with the openssl pkcs12 command.
> > > Will the cacert16.pem file be enough?
>
> I honestly don't know (without reading the man page myself). I don't use
> openssl much (for x.509 related stuff) because (a) its formats aren't
> the ones natively used in .NET and (b) I try to dogfood my own tools ;-)
>
> ...
>
> > > > Yesterday (after your previous email) I tried to use the MS runtime for
> > > > client certificate without success (same failure). Somehow MS does
> > > > something different* because the server can't verify the signature (and
> > > > it's not a key and/or decryption problem - the hash value is different
> > > > but the padding is ok).
> > > >
> > > > Using IE (with the SSL2 client hello) to do the same turned out another
> > > > problem, very similar to the bug #76254 reported today.
> > > >
> > > > [*] The client certificate testing is done with wget/openssl
> > > > (linux/cygwin) - which sadly doesn't seem enough :(
> > >
> > > Please let me know if you come up with some solution.
> > >
> > > I have been working with the HTTPS communication for some 2 months now,
> > > and my boss is eager to get a solution :-).
>
> Please open a bugzilla issue on bugzilla.ximian.com (e.g. "SSL client
> certificate doesn't work with IE."). That way you'll get notified as
> soon as (and whenever) I change the bug status.
I interpret this as: I shall create a new bug in Bugzilla for this
with the short summary "SSL client certificate doesn't work with IE.".
I will do that after installing the CA root cert (cacert16t.cer)
into Mono's machine Trust store and running a new test case
for the bug report.
Regards
Yngve Zackrisson.
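The transitive-trust point made in the thread (only the self-signed root has to be in the Trust store for a server certificate it signed to validate) can be checked with openssl's own chain verifier before anything is imported with certmgr.exe. The script below is an added example, not code from the thread or from Mono: it builds a throwaway root CA, a server certificate issued by it, and an unrelated root, then shows which combinations chain successfully, and finally writes the DER (.cer) copy of the root in the form the thread passes to `certmgr.exe -add -c -m Trust`. All subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI built with openssl that
# shows the transitive-trust point (only the self-signed root needs to be in the
# trust store) and produces the DER (.cer) copy of the root that certmgr.exe
# consumes. All file names and subject names below are constructed for this demo.

set -eu

WORK="${TMPDIR:-/tmp}/trust-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# make_pki: create a self-signed root, a server cert issued by it, and an
# unrelated self-signed root that plays the part of an untrusted issuer.
make_pki() {
    mkdir -p "$WORK"
    # Self-signed root CA (one-day validity is plenty for a demo).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/demo-ca.key" -out "$WORK/demo-ca.pem" 2>/dev/null
    # Server key and CSR, then sign the CSR with the root.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=server16.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/demo-ca.pem" -CAkey "$WORK/demo-ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
    # Unrelated root: nothing it signed may chain to Demo Root CA, and it must
    # not be trusted itself unless it is placed in the store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Other Root CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
    # DER copy of the root: the file form given to "certmgr.exe -add -c -m Trust".
    openssl x509 -in "$WORK/demo-ca.pem" -outform DER -out "$WORK/demo-ca.cer"
}

# verify_chain TRUST_ANCHOR LEAF: prints "trusted" if LEAF chains to the anchor.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# der_roundtrips: the .cer must decode to the same certificate as the .pem
# (identical SHA-1 fingerprint), otherwise the store would be fed a different root.
der_roundtrips() {
    pem_fp=$(openssl x509 -in "$WORK/demo-ca.pem" -noout -fingerprint -sha1)
    der_fp=$(openssl x509 -in "$WORK/demo-ca.cer" -inform DER -noout -fingerprint -sha1)
    [ "$pem_fp" = "$der_fp" ] && echo same || echo different
}

if command -v openssl >/dev/null 2>&1; then
    make_pki
    echo "server leaf, its root in store:   $(verify_chain "$WORK/demo-ca.pem"  "$WORK/server.pem")"
    echo "server leaf, wrong root in store: $(verify_chain "$WORK/other-ca.pem" "$WORK/server.pem")"
    echo "other root, not in store:         $(verify_chain "$WORK/demo-ca.pem"  "$WORK/other-ca.pem")"
    echo "PEM vs DER root fingerprint:      $(der_roundtrips)"
fi
```

Only the root (demo-ca.pem) is ever handed to `openssl verify`; the server certificate is never added as a trust anchor, yet it validates because its issuer is trusted, which is the "b) is enough" reading of Sebastien's answer. The same leaf fails against a store holding a different root, and a root that is not in the store is itself untrusted, which is the shape of a chaining error.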