[Mono-list] Re: Mono.Security
Sunil Kumar
Sunilk@novell.com
Sat, 06 Dec 2003 04:34:23 -0700
Carlos,
I am using the SslClientStream class in my client program to talk to an
LDAP server over SSL. But the handshake is not completing properly and the
client hangs in between. I wrote the following lines of code to do this:
    // certfile is an ASN.1 DER-encoded self-signed certificate file.
    X509Certificate Cert = X509Certificate.CreateFromCertFile(certfile);
    Socket sock = new Socket(AddressFamily.InterNetwork,
                             SocketType.Stream, ProtocolType.IP);
    IPAddress hostadd = Dns.Resolve(host).AddressList[0];
    IPEndPoint ephost = new IPEndPoint(hostadd, port);
    sock.Connect(ephost);
    NetworkStream nstream = new NetworkStream(sock, true);
    // Cert is handed to the stream as the client certificate collection.
    SslClientStream sslstream = new SslClientStream(nstream, host, true,
        Mono.Security.Protocol.Tls.SecurityProtocolType.Default,
        new X509CertificateCollection(new X509Certificate[] { Cert }));
    System.IO.Stream input = sslstream;
    System.IO.Stream output = sslstream;
I am using the input and output streams to read and write on the socket. The
certificate looks okay since I have used the same certificate to talk to the
LDAP server over SSL using the OpenSSL libraries.
Here is a log from the server which may give you some clue of what is
happening on the server side:
LDAP : Monitor 0x508 received signal l
LDAP : Monitor 0x508 initiating TLS handshake on connection 0x9176cc0
LDAP : (164.99.145.182:51124)(0x0000:0x02) DoTLSHandshake on connection 0x9176cc0
LDAP : (164.99.145.182:51124)(0x0000:0x02) Connection 0x9176cc0 sending read blocked signal r to monitor 0x508
LDAP : Monitor 0x508 received signal r
LDAP : Monitor 0x508 signaling read blocked connection 0x9176cc0
LDAP : (164.99.145.182:51124)(0x0000:0x02) Connection 0x9176cc0 sending read blocked signal r to monitor 0x508
LDAP : Monitor 0x508 received signal r
In the case of the OpenSSL library (when the handshake completes properly) the
following log is generated:
LDAP : New TLS connection 0x9176cc0 from 164.99.159.221:2943, monitor = 0x508, index = 1
LDAP : Connector sending signal l to monitor 0x508 for new connection 0x9176cc0
LDAP : Monitor 0x508 received signal l
LDAP : Monitor 0x508 initiating TLS handshake on connection 0x9176cc0
LDAP : (164.99.159.221:2943)(0x0000:0x02) DoTLSHandshake on connection 0x9176cc0
LDAP : (164.99.159.221:2943)(0x0000:0x02) Connection 0x9176cc0 sending read blocked signal r to monitor 0x508
LDAP : Monitor 0x508 received signal r
LDAP : Monitor 0x508 signaling read blocked connection 0x9176cc0
LDAP : (164.99.159.221:2943)(0x0000:0x02) Completed TLS handshake on connection 0x9176cc0
LDAP : (164.99.159.221:2943)(0x0000:0x02) Connection 0x9176cc0 sending handshake signal h to monitor 0x508
LDAP : Monitor 0x508 received signal h
Do you have any idea what might be the cause of the problem?
Regards
Sunil.
>>> Carlos Guzmán Álvarez <carlosga@telefonica.net> 12/5/2003 6:08:23 PM >>>
Hello:
> I was trying to use some of the classes provided in
> Mono.Security.Protocol.Tls like TlsSocket, TlsSession etc.
I removed it two weeks ago and replaced it with an SslClientStream
implementation similar to the one in the .NET 1.2 documentation.
> Can anyone tell me about the status of these classes?
They are under development, and at this moment they have some limitations:
- Client only.
- No real server certificate validation (only the certificate date and
  target host are validated now).
- No client authentication.
The supported Cipher Suites for the TLS protocol are:
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_RC4_128_MD5
And for SSL3 they are:
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_RC4_128_MD5
I was busy this week and had no time to work on it, but I plan to restart
the work next week.
> BTW I was looking for a way to create an SSL/TLS socket. Is there any
> other way through which I can do it without using the TlsSocket class?
You can use the Mono.Security.SslClientStream class for it.
An example of how to set it up:
    string targetHost = "localhost";
    IPAddress hostadd = Dns.Resolve("localhost").AddressList[0];
    IPEndPoint EPhost = new IPEndPoint(hostadd, 443);
    Socket socket = new Socket(AddressFamily.InterNetwork,
                               SocketType.Stream,
                               ProtocolType.IP);
    // Make the socket connect to the Server
    socket.Connect(EPhost);
    // Create a Network Stream that owns the socket
    NetworkStream networkStream = new NetworkStream(socket, true);
    // Create a new SslClientStream instance that owns the
    // networkStream
    SslClientStream sslStream = new SslClientStream(
        networkStream,
        targetHost,
        true,
        SecurityProtocolType.Default);
With SecurityProtocolType.Default the SslClientStream will use TLS as the
security protocol; the handshake will be negotiated in the first
read/write operation.
--
Best regards
Carlos Guzmán Álvarez
Vigo-Spain
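Since the setup above leaves the handshake to the first read/write, this added C# example (not code from the thread or from Mono.Security itself) forces it by sending a BER-encoded anonymous LDAP bind over the SslClientStream, under a socket receive timeout so a stalled handshake like the one Sunil describes surfaces as an exception instead of a hang. The ServerCertValidationDelegate event is assumed from later Mono.Security releases, and the host name is a placeholder taken from the command line.

```csharp
// Added example (not from the thread): force the SslClientStream handshake with
// an LDAP bind, under a receive timeout so a stalled handshake fails, not hangs.
// ServerCertValidationDelegate is assumed from later Mono.Security releases.
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using Mono.Security.Protocol.Tls;
class LdapsProbe
{
    // BER-encoded LDAPMessage { messageID 1, BindRequest { v3, "", simple "" } }
    static readonly byte[] AnonymousBind = {
        0x30, 0x0c,            // SEQUENCE, 12 bytes
        0x02, 0x01, 0x01,      //   messageID INTEGER 1
        0x60, 0x07,            //   [APPLICATION 0] BindRequest, 7 bytes
        0x02, 0x01, 0x03,      //     version INTEGER 3
        0x04, 0x00,            //     name LDAPDN ""
        0x80, 0x00 };          //     authentication simple [0] ""
    // Reject the server certificate on any reported error; never return true blindly.
    static bool ValidateServerCert(X509Certificate cert, int[] errors)
    {
        return errors.Length == 0;
    }
    // Returns the resultCode from the BindResponse, or -1 if it cannot be parsed.
    static int BindAnonymously(string host, int port)
    {
        Socket sock = new Socket(AddressFamily.InterNetwork,
                                 SocketType.Stream, ProtocolType.Tcp);
        // 10 s receive timeout: a handshake that never completes throws instead of blocking.
        sock.SetSocketOption(SocketOptionLevel.Socket,
                             SocketOptionName.ReceiveTimeout, 10000);
        sock.Connect(new IPEndPoint(Dns.Resolve(host).AddressList[0], port));
        SslClientStream ssl = new SslClientStream(
            new NetworkStream(sock, true), host, true, SecurityProtocolType.Default);
        ssl.ServerCertValidationDelegate +=
            new CertificateValidationCallback(ValidateServerCert);
        ssl.Write(AnonymousBind, 0, AnonymousBind.Length); // handshake runs here
        byte[] reply = new byte[256];
        int n = ssl.Read(reply, 0, reply.Length);
        ssl.Close();
        // BindResponse: 30 len 02 01 01 61 len 0A 01 <resultCode> ...
        return (n >= 10 && reply[5] == 0x61) ? reply[9] : -1;
    }
    static void Main(string[] args)
    {
        // args[0]: LDAPS server host name (placeholder); 636 is the LDAPS port.
        Console.WriteLine("bind resultCode = " + BindAnonymously(args[0], 636));
    }
}
```

A resultCode of 0 means the server completed the handshake and accepted the bind; an exception from Read means the server never answered the ClientHello within the timeout, which matches the "read blocked" loop in the server log above.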
_______________________________________________
Mono-list maillist - Mono-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-list