[Mono-dev] About System.Net.Security.SslStream

Sebastien Pouliot sebastien.pouliot at gmail.com
Wed Nov 12 11:29:42 EST 2008


On Wed, 2008-11-12 at 10:46 -0500, Vladimir Giszpenc wrote:
> Sebastien,
> 
> 
> > On Tue, 2008-11-11 at 15:12 +0800, ?? wrote:
> > > Hello! I'm using mono 1.9.2 and trying to write a small program
> > > using SslStream. The program runs as server side program.
> > >
> > > I found if I write the program as
> > >  serverCertificate = X509Certificate.CreateFromCertFile(certificate);
> > >  SslStream sslStream = new SslStream(client.GetStream());
> > >  sslStream.AuthenticateAsServer(serverCertificate,
> > >                     false, SslProtocols.Tls, true);
> > >
> > > I will get a  "Server certificate Private Key unavailable" error.
> > 
> > This depends on which type of certificate file you're providing the
> > X509Certificate ctor and the framework version you're using (I assume
> > 2.9 since you're using SslStream).
> > 
> > A typical .cer does not have a private key inside it so it won't work.
> > Using a PKCS#12 file, containing a certificate and a private key, will
> > work.
> > 
> > The main difference is not the framework but the fact that
> > Windows CryptoAPI defines relations between certificates and
> > keys (when persisted) and allows code to "find" a private key
> > when you supply a certificate (even if it's not loaded from a
> > certificate store). No such facility exists under Linux.
>  
> I would like to reiterate my request for a binding to nss. 

Well you asked for NSS bindings to get FIPS140 support which is *very*
different from asking for NSS certificate support (that is not covered
by FIPS140). 

Now I admit I have (long ago) been thinking/planning how cryptographic
bindings could be added to Mono (e.g. Crimson) but this *never* extended
to X509 support (since that part of the FX is not much extensible, nor
replaceable).

>  I believe
> that such a binding would provide the capability sought here.

Nice try ;-) but it would not help since the real problem is in the MS
API design (which depends on CryptoAPI behavior). 

Adding a binding to NSS would only provide another, different, API that
"can" do something better - just like we already provide another API
(inside Mono.Security) that does the job "like people would expect".
I.e. the capability already exists, the MS API just makes it hard (but
not impossible) to "fit it in".

> I realize demand is not high, I just want "every vote counted" :).

IMO if you want your vote to count then you should open a bug report*
(severity Enhancement) otherwise it will just stay "noise" on the
mailing-list. 

Sebastien

* but be careful what you wish for! because extending your original
request to get "more votes" only makes the project scope larger and less
likely that anyone will be interested in its (full) implementation
(imagine if some cool hacker only implemented NSS bindings for X.509
certificates ;-)
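
As an added example (not code from the thread, Mono, or Microsoft): the
point made above, that a .cer carries only the public part and that
SslStream.AuthenticateAsServer needs a certificate with its private key
attached, can be checked before the handshake instead of surfacing as
"Server certificate Private Key unavailable". The file paths, the
password, the port and the helper names below are assumptions.

```csharp
// Added example: load a server certificate for SslStream and fail early,
// with a clear message, when no private key is attached to it.
// Paths, password, port and helper names are assumptions, not from the thread.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SslServerDemo
{
    // Returns a certificate usable for server authentication, or throws if
    // the file carries no private key (the ".cer" case from the thread).
    // X509Certificate2.HasPrivateKey is the portable check; on Mono/Linux it
    // reflects only what is in the file, since nothing else can "find" a key.
    public static X509Certificate2 LoadServerCertificate(string path, string password)
    {
        X509Certificate2 cert = string.IsNullOrEmpty(password)
            ? new X509Certificate2(path)            // .cer (DER/PEM): public part only
            : new X509Certificate2(path, password); // .pfx/.p12 (PKCS#12): cert + key

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate '" + cert.Subject + "' loaded from " + path +
                " has no private key; export certificate and key together as" +
                " PKCS#12 (.pfx/.p12) and pass that file with its password.");
        return cert;
    }

    // Accepts one loopback connection, completes the TLS handshake as server
    // and writes a greeting. Same AuthenticateAsServer arguments as the
    // original post: no client certificate required, TLS only, check
    // revocation. Note that SslProtocols.Tls means TLS 1.0 in this API.
    public static void ServeOnce(X509Certificate2 serverCertificate, int port)
    {
        TcpListener listener = new TcpListener(IPAddress.Loopback, port);
        listener.Start();
        try
        {
            using (TcpClient client = listener.AcceptTcpClient())
            using (SslStream ssl = new SslStream(client.GetStream(), false))
            {
                ssl.AuthenticateAsServer(serverCertificate, false, SslProtocols.Tls, true);
                byte[] hello = Encoding.ASCII.GetBytes("hello over TLS\r\n");
                ssl.Write(hello, 0, hello.Length);
                ssl.Flush();
            }
        }
        finally
        {
            listener.Stop();
        }
    }

    static void Main(string[] args)
    {
        // Assumed arguments: path to a PKCS#12 file and its password.
        string path = args.Length > 0 ? args[0] : "server.pfx";
        string password = args.Length > 1 ? args[1] : "";

        X509Certificate2 cert = LoadServerCertificate(path, password);
        Console.WriteLine("Loaded {0} (HasPrivateKey={1})", cert.Subject, cert.HasPrivateKey);
        ServeOnce(cert, 4433);
    }
}
```

Passing a plain .cer to this program produces the InvalidOperationException
from LoadServerCertificate rather than a failure inside the handshake. A
PKCS#12 file holding both certificate and key can be produced from PEM
material with `openssl pkcs12 -export -inkey key.pem -in cert.pem -out
server.pfx`; that is the file the program expects.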
