[Mono-dev] mkbundle and TLS root certificates/HTTPS requests

Miguel de Icaza miguel at microsoft.com
Tue May 16 15:09:26 UTC 2017


Another thing we discussed was the possibility of bundling these with the executable.

This would work on platforms that use BoringTLS, not sure about Apple platforms using AppleTLS.

For this to work, I would need a way of registering these certificates at startup. Martin, is there some way I could do that?

On 5/4/17, 6:46 PM, "Mono-devel-list on behalf of Alexander Köplinger via Mono-devel-list" <mono-devel-list-bounces at lists.dot.net on behalf of mono-devel-list at lists.dot.net> wrote:

    I talked to Miguel, mkbundle currently doesn't have any special handling for CA certificates so Mono would just look in the usual locations.
    So that'd be ~/.config/.mono/certs/ and /usr/share/.mono/certs/.
    - Alex
    > On 26 Apr 2017, at 17:03, John Beshir <john at beshir.org> wrote:
    > Hey, I'm wondering what process mkbundle'd executables on Linux use to find or get CA certificates for validating server certificates, to enable outgoing TLS and HTTPS connections.
    > And, if these executables don't include bundled certificates automatically, what process should be followed in order to create a mkbundle'd executable that can make HTTPS connections successfully?
    > I have a problem with a Linux port of a piece of software not being able to establish connections which I believe is due to it lacking the ability to validate connections. It needs to be able to connect to arbitrary servers, so it does need a full set, rather than just a certificate pinning implementation for its own service, which is all I could find existing discussion for.
    > Unfortunately because I'm not sure what mechanisms already exist here I'm not sure where to start in solving it; some clues would be very helpful. Right now my best thought would be to look at cert-sync's source and duplicate its behaviour, but either answers about that being unnecessary, an existing understood workflow for mkbundle'd software to make HTTPS connections, or a pointer to the key logic in cert-sync to replicate would be very helpful.
    > _______________________________________________
    > Mono-devel-list mailing list
    > Mono-devel-list at lists.dot.net
    > http://lists.dot.net/mailman/listinfo/mono-devel-list
