[Mono-dev] Open source .Net, and TLS 1.1 & 1.2
Greg Young
gregoryyoung1 at gmail.com
Tue Dec 9 23:01:57 UTC 2014
I believe there already is one. If you look back to the (awful) mono
pull requests thread I believe it was mention specifically as an
example.
On Tue, Dec 9, 2014 at 11:09 PM, Miguel de Icaza <miguel at xamarin.com> wrote:
> Hello,
>
> We would love a test case to add to the test suite.
>
> We are building a new test suite as part of this work anyways.
>
> MIguel
>
> On Tue, Dec 9, 2014 at 3:21 PM, Edward Ned Harvey (mono)
> <edward.harvey.mono at clevertrove.com> wrote:
>>
>> > From: Miguel de Icaza [mailto:miguel at xamarin.com]
>> >
>> > .NET's implementation of the TLS stack is built on top of native code,
>> > so it
>> > wont work on Mono.
>> >
>> > We have implemented TLS 1.1 and 1.2 on top of the not yet open sourced
>> > networking stack and will be publishing it as soon as Microsoft open
>> > sources
>> > the .NET networking stack.
>>
>> Great news, thank you! A follow-up question:
>>
>> In the current released version of mono SslStream, if the server uses a
>> cert that is signed by an intermediate chain, *and* a mono SslStream client
>> connects, then the client rejects the cert. The root cause is because the
>> server does not send the intermediate chain to the client, and the client
>> fails to construct the chain. The behavior is specifically a mono-mono
>> incompatibility - If either the server or the client is .Net, then the
>> problem does not occur, because a windows server sends the chain to the
>> client, and a windows client performs guerilla tactics to construct an
>> incomplete chain.
>>
>> So the question is, how could it be possible to add a test for this
>> behavior, presuming it will some day get fixed and then we don't want it to
>> happen again?
>>
>> I can easily enough write example code to demonstrate the problem. But
>> then there's a question about what cert to use for demonstration purposes -
>> it's probably best to create a junk CA with intermediate cert, and some junk
>> server cert. I could easily enough publish those certs somewhere and/or
>> hard-code them into the demonstration code, with something like 30 year
>> validity.
>
>
>
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
--
Studying for the Turing test
More information about the Mono-devel-list
mailing list