[Mono-dev] Open source .Net, and TLS 1.1 & 1.2
Edward Ned Harvey (mono)
edward.harvey.mono at clevertrove.com
Tue Dec 16 19:40:56 UTC 2014
> From: mono-devel-list-bounces at lists.ximian.com [mailto:mono-devel-list-
> bounces at lists.ximian.com] On Behalf Of Edward Ned Harvey (mono)
>
> > From: Miguel de Icaza [mailto:miguel at xamarin.com]
> >
> > We would love a test case to add to the test suite.
> >
> > We are building a new test suite as part of this work anyways.
>
> This is almost done. Granted it is microscopic in scope - the test I've written
> tests only for the case that I know fails; it's far from being a generalized test
> for the SslStream class as a whole.
Well, this grew up more than expected. I started writing a unit test, and discovered the behavior is variable based on the existence or non-existence of intermediates and roots on *both* the client and server... Which means in order to test it thoroughly, the client & server cannot be on the same machine... So it's really not a unit test. Even more dramatically, the behavior depends on whether the server & client are Windows or Mono. So ultimately this test requires 4 machines (2 Windows and 2 Mono) with 16 tests run on each combination.
I wrote a compatibility testing project.
https://github.com/rahvee/MonoSslStreamServerBug
In this project, I created a junk root CA, a junk intermediate CA, and a junk server cert, suitable for publishing and testing. I also tested, offline, pasting some real root CA, intermediate, and real commercially signed certs, and found the behavior of real certs from real CAs to be consistent with the results of these generated junk certs.
There are ultimately 2 bugs causing Mono to fail - (1) The server doesn't send the chain to the client. And (2) the client fails to build a chain from available certs, even if all the necessary certs are available to the client. I noticed "mcs/class/Mono.Security/Mono.Security.X509/X509Chain.cs" doesn't use the intermediate store at all, when using the "Build()" method to build a chain.
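A standalone diagnostic for the second bug described in this post (the chain builder ignoring intermediates that are available to it), added here as an example; it is not code from the MonoSslStreamServerBug project, and the certificate file names are placeholders for the generated junk certs:

```csharp
// Added example. Builds a chain for the junk server cert twice: once with the
// junk intermediate and junk root offered through ChainPolicy.ExtraStore, once
// with nothing extra. A chain builder that consults the extra store should reach
// the (untrusted, but tolerated) root in the first run and report PartialChain
// only in the second; a builder that ignores it fails identically both times.
using System;
using System.Security.Cryptography.X509Certificates;

static class ChainDiagnostic
{
    // Returns whether Build() accepted the chain; prints the status flags so the
    // difference between "untrusted root" and "missing intermediate" is visible.
    public static bool TryBuild(X509Certificate2 leaf, X509Certificate2[] extra, bool offerExtra)
    {
        var chain = new X509Chain();
        // Revocation needs network access and is not what this test is about.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // The junk root is not installed as trusted, so tolerate UntrustedRoot;
        // a missing intermediate still surfaces as PartialChain and fails Build().
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (offerExtra)
            chain.ChainPolicy.ExtraStore.AddRange(extra);

        bool ok = chain.Build(leaf);
        Console.WriteLine("extra store offered: {0}, Build() = {1}, chain elements = {2}",
            offerExtra, ok, chain.ChainElements.Count);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  {0}: {1}", s.Status, s.StatusInformation.Trim());
        return ok;
    }

    static void Main()
    {
        // Placeholder file names: substitute the generated junk certs.
        var leaf = new X509Certificate2("server.cer");
        var extra = new[] { new X509Certificate2("intermediate.cer"), new X509Certificate2("root.cer") };

        bool withExtra = TryBuild(leaf, extra, true);
        bool withoutExtra = TryBuild(leaf, extra, false);

        if (withExtra && !withoutExtra)
            Console.WriteLine("Chain builder used the intermediate from the extra store.");
        else if (withExtra == withoutExtra)
            Console.WriteLine("Extra store made no difference: the builder is not consulting it.");
    }
}
```

Run the same binary under .NET on Windows and under Mono to see whether the two runtimes disagree on the first case.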