[Mono-list] SslStream

Sebastien Pouliot sebastien.pouliot at gmail.com
Tue Feb 13 18:56:54 EST 2007


Bonjour Jonathan,

On Tue, 2007-02-13 at 17:51 -0500, Jonathan Gagnon wrote:
> I have a server application that uses the SslStream class and I would
> like to make it work in mono.  It seems like the SslStream class is
> not implemented yet but that I could use SslServerStream to make it
> work.  Unfortunately, that doesn't seem to work in my case.  I always
> get the following error :
>  
> System.IO.IOException: The authentication or decryption has failed.
> ---> Mono.Security.Protocol.Tls.TlsException: Server certificate
> Private Key unavailable.
>   at
> Mono.Security.Protocol.Tls.Handshake.Server.TlsClientKeyExchange.ProcessAsTls1 () [0x00000]
>   at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
> [0x00000]
>   at (wrapper remoting-invoke-with-check)
> Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
>   at
> Mono.Security.Protocol.Tls.ServerRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
>   at
> Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] --- End of inner exception stack trace ---
>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
> (IAsyncResult asyncResult) [0x00000]
>  
> Here's what my code looks like :
>  
>     X509Certificate certificate = new X509Certificate("c:\\certificate.cer");
>     SslServerStream sslStream = new SslServerStream(tcpClient.GetStream(), certificate);
>  
> Here is the code that works when I run the application with .NET,
> using the SslStream class :
>  
>     X509Certificate certificate = new X509Certificate("c:\\certificate.cer");
>     SslStream sslStream = new SslStream(tcpClient.GetStream());
>     sslStream.AuthenticateAsServer(certificate);
>  
> The certificate file was created using the makecert tool that comes
> with .NET.  It seems like mono is unable to retrieve the private key
> from it.
>  
> Any idea what the problem could be,

Yes. The .cer file contains only the certificate, not the private key.

Under Windows, CryptoAPI does some magic (well, looks for the .cer in
its certificate store and retrieves the associated private key) to make
it work - and it has its own drawbacks.

We'll eventually support something similar now that we have support for
our own (certificate and key) stores. When? Probably when we have a
working SslStream implementation. In the meantime...

>  or what I could do to make it work with mono?

Yes, using SslServerStream you can set a delegate to retrieve the
private key (e.g. MS makecert generates it into a PVK file). Have a look
at XSP source code for a sample.

>  
> Thanks,
>  
> Jonathan
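
The delegate approach described in the reply, as an added example that is not part of the original message and is not XSP's code. It assumes an unencrypted `server.pvk` / `server.cer` pair such as `makecert -sv` writes, and a loopback listener on port 4433; the file names, port and class name are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Mono.Security.Authenticode;   // PrivateKey: reader for PVK files
using Mono.Security.Protocol.Tls;   // SslServerStream, PrivateKeySelectionCallback

class PvkTlsServer
{
    // Assumed paths; keep the .pvk readable only by the account running the server.
    const string CertPath = "server.cer";
    const string PvkPath = "server.pvk";

    static RSA serverKey;

    // Invoked by SslServerStream during the handshake, at the point where
    // the original code failed with "Server certificate Private Key unavailable".
    static AsymmetricAlgorithm GetPrivateKey(X509Certificate certificate, string targetHost)
    {
        return serverKey;
    }

    static void Main()
    {
        // Load the key once so a missing or unreadable PVK fails at startup,
        // not in the middle of a client's handshake. A password-protected PVK
        // needs the CreateFromFile(filename, password) overload instead.
        PrivateKey pvk = PrivateKey.CreateFromFile(PvkPath);
        if (pvk == null || pvk.RSA == null)
            throw new CryptographicException("Cannot read private key from " + PvkPath);
        serverKey = pvk.RSA;

        // The .cer still supplies the certificate sent to the client.
        X509Certificate certificate = X509Certificate.CreateFromCertFile(CertPath);

        TcpListener listener = new TcpListener(IPAddress.Loopback, 4433);
        listener.Start();
        using (TcpClient client = listener.AcceptTcpClient())
        using (SslServerStream ssl = new SslServerStream(client.GetStream(), certificate, false, true))
        {
            ssl.PrivateKeyCertSelectionDelegate = new PrivateKeySelectionCallback(GetPrivateKey);
            byte[] buffer = new byte[1024];
            int n = ssl.Read(buffer, 0, buffer.Length);  // handshake runs on first I/O
            ssl.Write(buffer, 0, n);                      // echo one message back
        }
        listener.Stop();
    }
}
```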


