[Mono-dev] Bug with Ssl cert validation

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Tue Mar 18 10:33:53 UTC 2014


> From: Sebastien Pouliot [mailto:sebastien.pouliot at gmail.com]
> 
>>                         var mySslStream = new SslStream (client.GetStream(), false,
>> ValidateServerCertificate);
> 
> if you read the source [1] (or look at the API compatibility page [2]) you'll see
> that this .ctor is decorated with
> 
> [MonoTODO ("userCertificateValidationCallback is not passed X509Chain and
> SslPolicyErrors correctly")]
> 
> Changing it to
> 
> var mySslStream = new SslStream (client.GetStream(), false);
> 
> *and* having run `mozroots` will work.

Thank you for this information, but it causes me an equally significant problem.  I need to accept the server cert if it passes validation with mozroots, but if that fails, then I need to get user input to determine if they'll accept the cert.

I guess the best way to do this will be to first create the SslStream and AuthenticateAsClient, and simply wait to see if it succeeds.  If it fails, then throw it away, create a new SslStream with RemoteCertificateValidationCallback, and ignore the X509Chain and SslPolicyErrors, just simply present the certificate to user.

Any better ideas?

Thanks again for your very prompt and helpful response. :-)
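The two-phase approach sketched in this message, written out as an added C# example (this is not code from the thread or from Mono itself). Phase one lets the platform validate the server certificate against the trust store (on Mono, the store populated by `mozroots`); only if that throws does phase two reconnect with a RemoteCertificateValidationCallback that ignores the X509Chain and SslPolicyErrors arguments, shows the certificate to the user, and remembers the thumbprint the user accepted so that a later change of certificate for the same host is noticed rather than silently accepted. The host name, the console prompt and the in-memory set of accepted thumbprints are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the mailing-list thread. Host, port, the console
// prompt and the thumbprint set are illustrative assumptions.
static class TwoPhaseTls
{
    // Phase 1: platform validation against the system trust store. The
    // two-argument ctor is the one the thread says works on Mono; a
    // validation failure surfaces as AuthenticationException.
    static SslStream TryTrustedConnect(string host, int port)
    {
        var client = new TcpClient(host, port);
        var ssl = new SslStream(client.GetStream(), false);
        try
        {
            ssl.AuthenticateAsClient(host);
            return ssl;
        }
        catch (AuthenticationException)
        {
            ssl.Dispose(); // leaveInnerStreamOpen=false, so the socket goes too
            return null;
        }
    }

    // Phase 2: reconnect with a callback. Since the thread notes that Mono may
    // not pass chain/policy errors correctly through this ctor, the callback
    // ignores them and decides only on the certificate it is shown, checked
    // against thumbprints the user already accepted.
    static SslStream FallbackConnect(string host, int port, ISet<string> acceptedThumbprints)
    {
        RemoteCertificateValidationCallback cb = (sender, cert, chain, errors) =>
        {
            if (cert == null) return false; // nothing to show the user; never accept blindly
            var c2 = new X509Certificate2(cert);
            if (acceptedThumbprints.Contains(c2.Thumbprint))
                return true; // same certificate the user accepted earlier

            Console.WriteLine("Server certificate is NOT trusted by the system store.");
            Console.WriteLine("  Subject:  " + c2.Subject);
            Console.WriteLine("  Issuer:   " + c2.Issuer);
            Console.WriteLine("  Valid:    " + c2.NotBefore + " to " + c2.NotAfter);
            Console.WriteLine("  SHA-1:    " + c2.Thumbprint);
            Console.Write("Accept this certificate? [y/N] ");
            string answer = Console.ReadLine();
            bool accept = answer != null &&
                          answer.Trim().StartsWith("y", StringComparison.OrdinalIgnoreCase);
            if (accept) acceptedThumbprints.Add(c2.Thumbprint); // remember the decision
            return accept;
        };

        var client = new TcpClient(host, port);
        var ssl = new SslStream(client.GetStream(), false, cb);
        ssl.AuthenticateAsClient(host); // throws if the callback returned false
        return ssl;
    }

    public static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.invalid"; // placeholder host
        int port = 443;
        var accepted = new HashSet<string>(); // persist this across runs in a real client

        SslStream stream = TryTrustedConnect(host, port)
                           ?? FallbackConnect(host, port, accepted);
        Console.WriteLine("Connected with " + stream.CipherAlgorithm +
                          " (" + stream.CipherStrength + "-bit)");
        stream.Dispose();
    }
}
```

Keeping the user-accepted thumbprints around (persisted, not just in memory as here) is what turns a one-off prompt into something a client can detect drift against: a host that presented one untrusted certificate last week and a different one today is exactly the case where prompting again, rather than silently continuing, matters.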

