[Mono-list] Certificate Store / LDAP

Sébastien Pouliot spouliot at videotron.ca
Wed Jun 1 10:05:13 EDT 2005


Hello Loren,

> BACKGROUND: I've been using Mono for a couple of projects, one of which is
> called LAT (LDAP Administration Tool) [1].
>
> I've been trying to get LDAP over SSL to work.  I found some sample code
> (Samples.SecureBind.cs) written by Sunil Kumar at Novell but I couldn't
> get it to work on my system.
>
> I figured out pretty quickly the problem was I needed to use the
> certificate manager tool (certmgr) to import the SSL certificate into my
> personal store.  Once I did that I could make a secure LDAP connection.
>
> I dug into the certmgr source code to see how it imported certificates
> into the store and copied over some chunks into LAT (my code is GPL'd; so
> is the certmgr).

Not exactly ;-) For historical reasons (i.e. my previous employer) the
security tools were created with a BSD license. But that's not a problem for
your GPL application.

Just be aware that the certificate store may change format in the future.
The safest way to avoid problems is to use the code from the
Mono.Security.dll assembly (which is probably what you did by copying the
certmgr code into your application). The next version (2.0) of the framework
will have better interfaces to deal with certificate stores.

> The plan was: if you were making an SSL connection, LAT would check the
> store; if there was no certificate it would pop up a dialog and ask the user
> if they wanted to import it.

Note that importing the certificate means that _all_ Mono applications will
start trusting it. This should be clear in your UI / documentation. If you
don't mind I have a suggestion for this (near the end).

> If you click on 'Yes' the certificate does get imported into the user's
> personal store but the LDAP connection fails.  If I exit and re-run the
> program it works.

The certificate store isn't (and won't be) monitored for changes. This is
mostly for performance issues (as adding certificates is a rare operation)
and, anyway, there is a (IMHO) better alternative...

> Is there some way I can get the Novell.Directory.Ldap classes to use a
> freshly imported certificate without requiring a restart? Maybe there is a
> better way to do what I want??
>
> Anyone got any suggestions?

Note: This has been discussed in the past but I don't know if the feature
made it into a release of the LDAP library.

The SSL client code allows what you want to do (e.g. accepting any
certificate) so it is possible to accept it (if the user clicks yes) and add
it to the store (like you're doing). Because this is accepted by your own
code you don't need to restart your application. The "tlstest" tool shows
how to do this:
http://svn.myrealbox.com/source/trunk/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs

The problem is (or was ?) that the LDAP library doesn't expose the
SslClientStream instance nor does it (or didn't) provide a similar
functionality to accept a certificate. If this is still the case then you
should contact the LDAP developers. They have a mailing list available on
Novell Forge.


So now the suggestion... You should consider taking the FireFox approach:
* Yes (always)          -> which imports the certificate
* Yes (this time only)  -> only accept the certificate for this session
* No                    -> cancel the connection (that should be the default)

> [1; cheap plug] - http://people.mmgsecurity.com/~lorenb/lat/

Looks nice :)

Sebastien Pouliot
home: spouliot at videotron.ca
blog: http://pages.infinit.net/ctech/poupou.html
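The two points made in the reply above, accepting the certificate in the application's own validation callback so no restart is needed, and the three-way "Yes (always) / Yes (this time only) / No" choice, put together as an added example. This is not code from the original thread, from LAT, or from Mono.Security itself; it assumes the Mono.Security.dll API of the time (SslClientStream with its ServerCertValidationDelegate, X509StoreManager for the on-disk store), picks the per-user TrustedRoot store for the "always" case (an assumption; which store to use is the application's choice), and leaves the dialog itself to a hypothetical TrustPrompt delegate supplied by the caller. As the reply notes, wiring this into Novell.Directory.Ldap depends on that library exposing the SslClientStream, which is the part that was missing at the time.

```csharp
// Added example; not from the original thread, LAT or Mono.Security sources.
// Assumes Mono.Security.dll: SslClientStream, CertificateValidationCallback
// and X509StoreManager. Store choice (TrustedRoot) is an assumption.
using System;
using System.Collections;
using System.IO;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using Mono.Security.Protocol.Tls;
// Alias avoids the clash with System...X509Certificates.X509Certificate.
using MonoX509 = Mono.Security.X509.X509Certificate;

public enum TrustDecision { No, ThisSessionOnly, Always }

// Hypothetical UI hook: the application shows its dialog and returns
// the user's choice. "No" must be the dialog's default button.
public delegate TrustDecision TrustPrompt(X509Certificate cert, int[] errors);

public class SessionTrust
{
    // Thumbprints accepted with "Yes (this time only)": memory only,
    // forgotten when the process exits.
    private readonly Hashtable sessionTrusted = new Hashtable();
    private readonly TrustPrompt prompt;

    public SessionTrust(TrustPrompt prompt)
    {
        this.prompt = prompt;
    }

    // Plugged into SslClientStream.ServerCertValidationDelegate. Returning
    // true accepts the server certificate for this handshake, which is why
    // no restart is needed: the decision is made here, not by re-reading
    // the store.
    public bool Validate(X509Certificate cert, int[] errors)
    {
        // No errors: the chain already validated against the stores.
        if (errors == null || errors.Length == 0)
            return true;

        string thumbprint = cert.GetCertHashString();
        if (sessionTrusted.ContainsKey(thumbprint))
            return true;

        switch (prompt(cert, errors))
        {
        case TrustDecision.Always:
            // Import into the per-user trusted store. From now on every
            // Mono application running as this user trusts it, so the
            // dialog should say so.
            MonoX509 monoCert = new MonoX509(cert.GetRawCertData());
            Mono.Security.X509.X509StoreManager.CurrentUser.TrustedRoot.Import(monoCert);
            sessionTrusted[thumbprint] = true;
            return true;

        case TrustDecision.ThisSessionOnly:
            sessionTrusted[thumbprint] = true;
            return true;

        default:
            // "No": the handshake fails and the connection is cancelled.
            return false;
        }
    }

    // Opens a TLS connection whose certificate check goes through Validate.
    // The handshake (and therefore the callback) runs on the first
    // read or write the caller performs on the returned stream.
    public SslClientStream Connect(string host, int port)
    {
        TcpClient tcp = new TcpClient(host, port);
        SslClientStream ssl = new SslClientStream(tcp.GetStream(), host, true);
        ssl.ServerCertValidationDelegate = new CertificateValidationCallback(Validate);
        return ssl;
    }
}
```

Because the "this time only" set is keyed by the certificate hash, a server that presents a different certificate later in the same session triggers the prompt again rather than being silently accepted.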
