[Mono-list] Help with SSL and WebRequest
Sebastien Pouliot
sebastien.pouliot at gmail.com
Fri Aug 19 17:25:17 EDT 2005
Hello John,
I'm afraid I can't say much more than what's already in the FAQ...
On Fri, 2005-19-08 at 16:53 -0400, John M. Brown wrote:
> I continually get this error when I try to use the System.Net.WebRequest
> class to connect to an SSL Server.
...
> I ran the tlstest.exe file from: http://www.mono-project.com/FAQ:_Security
> and it gives me some data but the last line reads:
>
> "Error #-2146762486: CERT_E_CHAINING 0x800B010A"
That's because there's no way to verify the authenticity of the server's
certificate (i.e. can't build a chain up to a trusted root).
> I read in a mailing in June that I may be able to get around this by
> trusting the certificate, but alas the FAQ page doesn't provide much in
> the way of details except to say "you need to find the public
> certificate".
There's no central site where you can find all existing roots (not that
it would be a good idea) so it's not easy to give details (i.e. finding
them will vary by CA).
> Can anyone provide a work around or tell me what I'm doing wrong... or
> even give me some direction in how to set up trust against either an
> individual
Using a web browser try to look for the site certificate, find which CA
has signed it, then go to their site, download their root certs and
install them using certmgr.exe
> or blanketed trust to all certificates?
I don't recommend that option but you can, as stated in the FAQ,
implement an ICertificatePolicy class. Look at the tlstest source code
to see how this is done.
> Let me repeat again for clarity. My program works correctly on
> Microsoft's .Net CLR on Windows, but fails when run through Mono.
That's because the required root certificates are present in Windows.
> The
> site I'm connecting to for an example is https://www.ipupdater.com
A look at their SSL certificate shows that it was issued by
"Comodo Class 3 Security Services CA", so Comodo is your best place to
start a search - and in fact you can find it there (it's not easy but
it's there).
http://www.instantssl.com/ssl-certificate-support/cert_installation/ssl-certificate-index.html?currency=USD&region=North%20America&country=CA
If it wasn't then you would need to look a little more. Comodo CA is not
a root and its ICA certificate was issued by "GTE CyberTrust Root"*,
which was bought by Baltimore, which was bought by Betrusted, which was
renamed Cybertrust.
* yes that means that you must install both the Comodo (intermediate)
and the GTE (root) certificates for it to work.
--
Sebastien Pouliot <sebastien.pouliot at gmail.com>
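
Added example (not part of the original message and not the tlstest source): an ICertificatePolicy that trusts one individual certificate rather than all of them, accepting the CERT_E_CHAINING error quoted above only when the server certificate's SHA-1 hash matches a value verified out of band. The class name PinnedCertificatePolicy and the all-zero fingerprint are placeholders assumed for illustration.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical policy: accept a certificate that validated normally, or one
// pinned certificate whose only problem is the chaining error from tlstest.
class PinnedCertificatePolicy : ICertificatePolicy
{
    // 0x800B010A as a signed 32-bit value (-2146762486), as printed by tlstest.
    const int CERT_E_CHAINING = unchecked((int)0x800B010A);

    readonly string pinnedHash;

    public PinnedCertificatePolicy(string sha1Hex)
    {
        // Normalise "ab:cd:..." style fingerprints to the upper-case hex
        // form returned by X509Certificate.GetCertHashString().
        pinnedHash = sha1Hex.Replace(":", "").Replace(" ", "").ToUpper();
    }

    public bool CheckValidationResult(ServicePoint srvPoint,
                                      X509Certificate certificate,
                                      WebRequest request,
                                      int certificateProblem)
    {
        if (certificateProblem == 0)
            return true;    // chain was built up to a trusted root
        if (certificateProblem != CERT_E_CHAINING || certificate == null)
            return false;   // any other problem (expiry, name mismatch) stays fatal
        return String.CompareOrdinal(certificate.GetCertHashString(), pinnedHash) == 0;
    }
}

class Program
{
    static void Main(string[] args)
    {
        // Placeholder value: replace with the fingerprint you verified out of band.
        string expected = "0000000000000000000000000000000000000000";
        ServicePointManager.CertificatePolicy = new PinnedCertificatePolicy(expected);

        // args[0] is the https:// URL to test.
        WebRequest req = WebRequest.Create(args[0]);
        using (WebResponse resp = req.GetResponse())
            Console.WriteLine("Connected to {0}", resp.ResponseUri);
    }
}
```

The pin has to be updated whenever the server renews its certificate; installing the intermediate and root certificates with certmgr.exe, as described in the message, avoids that maintenance.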