[Mono-dev] SslStream implementation

Atsushi Eno atsushi at ximian.com
Thu Aug 23 08:59:04 EDT 2007


Hi Sebastien,

Thanks for the lightning quick review :)

Sebastien Pouliot wrote:
> This is kind of strange as System.dll (v2) already depends on
> Mono.Security.dll

Well, probably we didn't have such a type comparison between
references to old X509 types in System.dll via Mono.Security.dll
and references to new X509 types in System.dll in the build
until now. This kind of use of extern alias also happened
in the LocalFileSettingsProvider stuff.


>> +	[MonoLimitation ("Non-X509Certificate2 certificate is not supported")]
> 
> The original X509Certificate is busted, design-wise, wrt the private
> key.

Hmm, I may be kind of confused - continued below.

> Since it's an override over Stream.ReadTimeout can't the original (base)
> do the job ?
> 
>> +		public override int ReadTimeout {
>> +			get { return read_timeout; }
>> +			set { read_timeout = value; }
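
Review bot: the `ReadTimeout` setter only stores the value in `read_timeout`, and nothing in these lines forwards it to the stream that actually performs the read, so a caller who sets a timeout gets no bound on a stalled peer unless other code consults the field. Either drop the override, or have both accessors delegate to the inner stream's `ReadTimeout` so the value takes effect on the socket.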

Oops, yes.

>> +			// Due to the Mono.Security internal, it cannot reuse
>> +			// the delegated argument, as Mono.Security creates 
>> +			// another instance of X509Certificate which lacks 
>> +			// private key but is filled the private key via this
>> +			// delegate.
> this could be changed, in the 2.0 profile, as the Mono.Security version
> of X509Certificate is private-key aware.

So ... do you mean, changes could be introduced in the 2.0 version of
Mono.Security? Currently the argument X509Certificate is (not the
original X509Certificate2 but) automatically populated in the
Handshake process on the Mono.Security side (but probably it is by
design as you wrote above?).

> The X509Chain inside System.dll is more RFC3280 compliant than the
> (older) one provided in Mono.Security.dll and should be used.
> 
>> +				s.ServerCertValidationDelegate = delegate (X509Certificate cert, int [] certErrors) {
>> +					// FIXME: X509Chain is not provided
>> +					// FIXME: SslPolicyErrors is incomplete
>> +					SslPolicyErrors errors = certErrors.Length > 0 ? SslPolicyErrors.RemoteCertificateChainErrors : SslPolicyErrors.None;
>> +					return validation_callback (this, cert, null, errors);
>> +				};
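
Review bot: at `return validation_callback (this, cert, null, errors);` the chain argument is always null and every non-empty `certErrors` collapses to `SslPolicyErrors.RemoteCertificateChainErrors`, so a user callback cannot tell a host name mismatch from a chain failure, and one that dereferences the chain will throw during the handshake. Build an `X509Chain` for `cert` and pass it through, map the individual error codes to the matching `SslPolicyErrors` flags, and guard the call if `validation_callback` can be null at this point.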

Ah, okay. Actually I was misunderstanding that the verification is
already done inside Mono.Security and the results are in the "errors"
array, but it turned out to be "Mono.Security.X509" X509Chain ;-)

So, probably it will be a duplicate verification? If there is a way
to skip it, I'd change the code.

Atsushi Eno


