[Mono-list] Certificate Store / LDAP

Loren Bandiera lorenb at mmgsecurity.com
Wed Jun 1 10:19:40 EDT 2005


>
> Not exactly ;-) For historical reasons (i.e. my previous employer) the
> security tools were created with a BSD license. But that's not a problem
> for
> your GPL application.

Noted :)

>
> Note: This has been discussed in the past but I don't know if the feature
> made it into a release of the LDAP library.
>
> The SSL client code allows what you want to do (e.g. accepting any
> certificate) so it is possible to accept it (if the user clicks yes) and
> add it to the store (like you're doing). Because this is accepted by your own
> code you don't need to restart your application. The "tlstest" tool shows
> how to do this:
> http://svn.myrealbox.com/source/trunk/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs
>
> The problem is (or was ?) that the LDAP library doesn't expose the
> SslClientStream instance nor does it (or didn't) provide a similar
> functionality to accept a certificate. If this is still the case then you
> should contact the LDAP developers. They have a mailing list available on
> Novell Forge.

That's cool, it's the exact behaviour I'm looking for. I'll take a look at
the tlstest code and see if it works with the LDAP libraries. If not,
maybe I can write a patch for the LDAP developers.

>
> So now the suggestion... You should consider to take the FireFox approach:
> * Yes (always)		-> which imports the certificate
> * Yes (this time only)	-> only accept the certificate for this session
> * No				-> cancel the connection (that should be the default)
>

That's a really good idea, I'll definitely use that approach. Thanks for
the information/advice!

-- 
Loren Bandiera, CISSP <lorenb at mmgsecurity.com>
MMG Security, Inc.
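The three-way prompt suggested in the quoted reply, wired into a SslClientStream validation callback, as an added example (it is not code from this thread, from tlstest.cs or from the Mono.Security library). It assumes the Mono.Security APIs of that era: Mono.Security.Protocol.Tls.SslClientStream with its ServerCertValidationDelegate property and CertificateValidationCallback delegate, and Mono.Security.X509.X509StoreManager.CurrentUser.TrustedRoot.Import for the "Yes (always)" case; the TrustPrompt delegate and InteractiveCertificatePolicy class are hypothetical names introduced here.

```csharp
// Added example, not from the thread or from Mono's sources.
// "FireFox approach" for an untrusted server certificate:
//   No                -> cancel the connection (the default)
//   Yes (this time)   -> accept for this process only, keyed by thumbprint
//   Yes (always)      -> import into the user's trusted store; later
//                        connections validate without a prompt or a restart.
using System;
using System.Collections;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using Mono.Security.Protocol.Tls;            // assumed: SslClientStream, CertificateValidationCallback
using MonoX509 = Mono.Security.X509;          // assumed: X509StoreManager, X509Certificate

public enum TrustDecision { No, ThisSessionOnly, Always }

// Hypothetical UI hook: the caller shows a dialog and returns the user's choice.
public delegate TrustDecision TrustPrompt(X509Certificate certificate, int[] certificateErrors);

public class InteractiveCertificatePolicy
{
    // Thumbprints accepted "this time only"; lives as long as the process.
    private readonly Hashtable sessionAccepted = new Hashtable();
    private readonly TrustPrompt prompt;

    public InteractiveCertificatePolicy(TrustPrompt prompt)
    {
        this.prompt = prompt;
    }

    // Signature matches CertificateValidationCallback: return true to continue
    // the handshake, false to abort the connection.
    public bool Validate(X509Certificate certificate, int[] certificateErrors)
    {
        // No errors reported: the chain already ends in a trusted root.
        if (certificateErrors == null || certificateErrors.Length == 0)
            return true;

        // Key session decisions on the certificate itself, not the host name,
        // so a different certificate on the same host prompts again.
        string thumbprint = certificate.GetCertHashString();
        if (sessionAccepted.ContainsKey(thumbprint))
            return true;

        TrustDecision decision = TrustDecision.No;   // anything unexpected means No
        if (prompt != null)
        {
            try { decision = prompt(certificate, certificateErrors); }
            catch { decision = TrustDecision.No; }
        }

        switch (decision)
        {
            case TrustDecision.Always:
                // Persist the certificate in the current user's trusted store
                // (assumed API). Subsequent handshakes see no errors for it.
                MonoX509.X509Certificate monoCert =
                    new MonoX509.X509Certificate(certificate.GetRawCertData());
                MonoX509.X509StoreManager.CurrentUser.TrustedRoot.Import(monoCert);
                sessionAccepted[thumbprint] = true;
                return true;

            case TrustDecision.ThisSessionOnly:
                sessionAccepted[thumbprint] = true;
                return true;

            default:
                return false;                        // No: cancel the connection
        }
    }
}

public class TlsConnector
{
    // Opens a TLS connection whose certificate decisions go through the policy.
    public static SslClientStream Connect(string host, int port, TrustPrompt prompt)
    {
        TcpClient tcp = new TcpClient(host, port);
        SslClientStream ssl = new SslClientStream(tcp.GetStream(), host, true);
        InteractiveCertificatePolicy policy = new InteractiveCertificatePolicy(prompt);
        ssl.ServerCertValidationDelegate = new CertificateValidationCallback(policy.Validate);
        return ssl;
    }
}
```

The policy object holds the session state, so one instance should be shared across all connections the application opens; a fresh instance per connection would turn "this time only" into "this connection only". Which store the "always" choice imports into (here the user's trusted root store) is the part a real application would want to decide deliberately, since it affects every program that consults that store.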
