[Mono-list] Help with SSL and WebRequest

Sebastien Pouliot sebastien.pouliot at gmail.com
Fri Aug 19 17:25:17 EDT 2005


Hello John,

I'm afraid I can't say much more than what's already in the FAQ...

On Fri, 2005-19-08 at 16:53 -0400, John M. Brown wrote:
> I continually get this error when I try to use the System.Net.WebRequest
> class to connect to an SSL Server.
...
> I ran the tlstest.exe file from: http://www.mono-project.com/FAQ:_Security
> and it gives me some data but the last line reads:
> 
> "Error #-2146762486: CERT_E_CHAINING 0x800B010A"

That's because there's no way to verify the authenticity of the server's
certificate (i.e. can't build a chain up to a trusted root).

> I read in a mailing in June that I may be able to get around this by
> trusting the certificate, but alas the FAQ page doesn't provide much in
> the way of details except to say "you need to find the public
> certificate".

There's no central site where you can find all existing roots (not that
it would be a good idea) so it's not easy to give details (i.e. finding
them will vary by CA).

> Can anyone provide a work around or tell me what I'm doing wrong... or
> even give me some direction in how to set up trust against either an
> individual 

Using a web browser, try to look for the site certificate, find which CA
has signed it, then go to their site, download their root certs and
install them using certmgr.exe.

> or blanketed trust to all certificates?

I don't recommend that option but you can, as stated in the FAQ,
implement an ICertificatePolicy class. Look at the tlstest source code
to see how this is done.

> Let me repeat again for clarity.  My program works correctly on
> Microsoft's .Net CLR on Windows, but fails when run through Mono.

That's because the required root certificates are present in Windows.

>   The
> site I'm connecting to for an example is https://www.ipupdater.com

A look at their SSL certificate shows that it was issued by
"Comodo Class 3 Security Services CA", so Comodo is your best place to
start a search - and in fact you can find it there (it's not easy but
it's there).

http://www.instantssl.com/ssl-certificate-support/cert_installation/ssl-certificate-index.html?currency=USD&region=North%20America&country=CA

If it wasn't then you would need to look a little more. Comodo CA is not
a root and its ICA certificate was issued by "GTE CyberTrust Root"*,
which was bought by Baltimore, which was bought by Betrusted, which was
renamed Cybertrust.

* yes that means that you must install both the Comodo (intermediate)
and the GTE (root) certificates for it to work.
-- 
Sebastien Pouliot <sebastien.pouliot at gmail.com>
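
Added example, not part of the original message and not the tlstest source: an ICertificatePolicy for Mono / .NET Framework that, instead of trusting all certificates, tolerates the CERT_E_CHAINING problem only for one host presenting one pinned certificate. The class name is hypothetical and the thumbprint is a placeholder for the SHA-1 hash of a server certificate you have verified out of band.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical name: accepts a chaining failure only for a pinned host + certificate.
public class PinnedCertificatePolicy : ICertificatePolicy
{
    // CERT_E_CHAINING, the code tlstest reported (-2146762486).
    private const int CertEChaining = unchecked((int)0x800B010A);

    private readonly string pinnedHost;
    private readonly string pinnedHash; // hex SHA-1 hash as returned by GetCertHashString()

    public PinnedCertificatePolicy(string host, string certHashHex)
    {
        pinnedHost = host;
        pinnedHash = certHashHex.Replace(" ", "").Replace(":", "");
    }

    public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,
                                      WebRequest request, int certificateProblem)
    {
        if (certificateProblem == 0)
            return true;                    // chain validated normally
        if (certificateProblem != CertEChaining)
            return false;                   // expired, name mismatch, etc. still fail
        if (certificate == null || request == null)
            return false;
        if (!String.Equals(request.RequestUri.Host, pinnedHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;                   // the exception applies to one host only
        return String.Equals(certificate.GetCertHashString(), pinnedHash,
                             StringComparison.OrdinalIgnoreCase);
    }
}

public static class Program
{
    public static void Main()
    {
        // Host taken from the thread; the thumbprint below is a placeholder.
        ServicePointManager.CertificatePolicy = new PinnedCertificatePolicy(
            "www.ipupdater.com", "REPLACE_WITH_VERIFIED_SHA1_THUMBPRINT");

        WebRequest req = WebRequest.Create("https://www.ipupdater.com");
        using (WebResponse resp = req.GetResponse())
            Console.WriteLine("Connected to " + resp.ResponseUri);
    }
}
```

The pin has to be updated whenever the server certificate is renewed; installing the intermediate and root certificates with certmgr.exe, as described above, avoids that maintenance.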