[Mono-list] HttpWebRequest and client certificates

Sebastien Pouliot sebastien.pouliot at gmail.com
Tue Oct 23 11:14:52 EDT 2007


Hello Samuel,

SSL/TLS renegotiation itself is supported - but I don't recall it being
tested with client-side certificates.

Please file a bug report at bugzilla.novell.com, including a test case
and your server configuration.

Thanks
Sebastien

On Tue, 2007-10-23 at 16:58 +0200, Samuel CARRIERE wrote:
> Hi Sebastien and others,
>  
> There is still a small issue with webservice client certificates with
> mono 1.2.5 : it seems not to support SSL re-negotiation.
> For example, in my scenario, my Apache server doesn't require client
> authentication, except for the "/webservice" location.
> So I have something like this in my httpd.conf configuration file :
>  
> SSLVerifyClient none
> <Location /webservice>
>    SSLVerifyClient require
> </Location>
>  
> This kind of configuration causes a SSL security re-negotiation (see
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient),
> and my mono client webservice test program crashes with the following
> stack trace :
> 
> Unhandled Exception: System.Net.WebException: Error getting response
> stream (ReadDone1): ReceiveFailure ---> System.IO.IOException:
> EndWrite failure ---> System.Net.Sockets.SocketException: The socket
> has been shut down
>   at System.Net.Sockets.Socket
> +SocketAsyncResult.CheckIfThrowDelayedException () [0x00000]
>   at System.Net.Sockets.Socket.EndSend (IAsyncResult asyncResult,
> System.Net.Sockets.SocketError& errorCode) [0x00000]
>   at System.Net.Sockets.Socket.EndSend (IAsyncResult result) [0x00000]
>   at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar)
> [0x00000] --- End of inner exception stack trace ---
>   at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar)
> [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.EndSendRecord
> (IAsyncResult asyncResult) [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (ContentType
> contentType, System.Byte[] recordData) [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.SendAlert
> (Mono.Security.Protocol.Tls.Alert alert) [0x00000]
>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
> (IAsyncResult asyncResult) [0x00000] --- End of inner exception stack
> trace ---
>   at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult
> asyncResult) [0x00000]
>   at System.Net.HttpWebRequest.GetResponse () [0x00000]
>   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse
> (System.Net.WebRequest request) [0x00000]
> 
> Samuel
> 
> 
> > Date: Wed, 23 May 2007 08:09:30 -0400
> > From: sebastien.pouliot at gmail.com
> > Subject: RE: [Mono-list] HttpWebRequest and client certificates
> > To: samuel_carriere at hotmail.com
> > CC: mono-list at lists.ximian.com
> > 
> > On Wed, 2007-05-23 at 10:39 +0200, Samuel CARRIERE wrote:
> > > 
> > > Bonjour Sebastien,
> > > 
> > > I just tested the hack, with mono-1.2.4.20070521.tar.gz, and it works
> > > like a charm :)
> > 
> > Great news!
> > 
> > Thanks for the confirmation,
> > Sebastien
> > 
> > > Thanks a lot!
> > > 
> > > Samuel
> > > 
> > > > Date: Wed, 9 May 2007 13:43:53 -0400
> > > > From: sebastien.pouliot at gmail.com
> > > > Subject: Re: [Mono-list] HttpWebRequest and client certificates
> > > > To: samuel_carriere at hotmail.com
> > > > CC: mono-list at lists.ximian.com
> > > > 
> > > > Bonjour Samuel,
> > > > 
> > > > I did commit the hack into SVN and it does work with XSP(*). Let me know
> > > > if this works, or not, in your web service scenario.
> > > > 
> > > > (*) http://www.mono-project.com/UsingClientCertificatesWithXSP
> > > > wiki page was updated to reflect this
> > > > 
> > > > Sebastien
> > > > 
> > > > On Mon, 2007-05-07 at 13:25 -0400, Sebastien Pouliot wrote:
> > > > > Bonjour Samuel,
> > > > > 
> > > > > On Wed, 2007-05-02 at 14:29 +0200, Samuel CARRIERE wrote:
> > > > > 
> > > > > 5 days to get this email ? I guess/hope you're not subscribed to the
> > > > > list.
> > > > > 
> > > > > > >On Mon, 2007-03-12 at 17:46 +0100, Michal Ziemski wrote:
> > > > > > >> Hi!
> > > > > > >> 
> > > > > > >> Does HttpWebRequest support client certificates in mono?
> > > > > > >> The FAQ
> > > > > > >> (http://www.mono-project.com/FAQ:_Security#Are_SSL_client_certificates_supported_.3F)
> > > > > > >> states it doesn't in 1.1, but might in 2.0
> > > > > > >> 
> > > > > > >> Does it work in 2.0?
> > > > > > >
> > > > > > >There has been progress, both for the new X509Certificate2 and X509Store
> > > > > > >classes, but the HttpWebRequest code hasn't yet been updated. This part
> > > > > > >is somewhat interlocked with the new SslStream class (2.0) and how we'll
> > > > > > >provide it.
> > > > > > >
> > > > > > >However at this stage it may be possible to make a quick hack to add
> > > > > > >client-side certificate support for *some* 2.0 apps (depending on how
> > > > > > >the certificate is loaded).
> > > > > > >
> > > > > > >> 
> > > > > > >> Cheers!
> > > > > > >> Michal Ziemski
> > > > > > >> 
> > > > > > 
> > > > > > Hi everybody,
> > > > > > 
> > > > > > I am working on a C# mono application that needs client certificates
> > > > > > to call a webservice.
> > > > > > Sebastien, can you explain a bit what sort of "quick hack" it may be
> > > > > > possible to make, to
> > > > > > make this following test code work ?
> > > > > > 
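> > > > > > using System;
> > > > > > using System.Security.Cryptography.X509Certificates;
> > > > > > 
> > > > > > namespace testWsSSL
> > > > > > {
> > > > > >     class Program
> > > > > >     {
> > > > > >         static void Main(string[] args)
> > > > > >         {
> > > > > >             // Instantiate webservice client (WSAddition.Addition is the generated proxy class)
> > > > > >             WSAddition.Addition client = new testWsSSL.WSAddition.Addition();
> > > > > >             // Load the client certificate and its private key from the PKCS#12 file
> > > > > >             X509Certificate2 Cert = new X509Certificate2("/my/clientCertificate.p12", "password");
> > > > > >             client.ClientCertificates.Add(Cert);
> > > > > >             // Call webservice method
> > > > > >             int result = client.add(5, 6);
> > > > > >             Console.WriteLine("Result : " + result);
> > > > > >         }
> > > > > >     }
> > > > > > }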
> > > > > > 
> > > > > > Does it require to hack the HttpWebRequest class ?
> > > > > 
> > > > > Yes, but it should be simple. The hack is to supply the private key
> > > > > (available from X509Certificate2) to the SSL code.
> > > > > 
> > > > > It would probably take me much longer to set up a client and server web
> > > > > service to test it than to implement it. However if you open a bug
> > > > > report (http://bugzilla.ximian.com) with a client, working with a public
> > > > > SSL/client certificate web service, I should be able to add this fairly
> > > > > quickly.

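The two SSLVerifyClient contexts behind the httpd.conf excerpt quoted in the thread, as an added configuration example that is not part of the original messages: per the mod_ssl documentation linked above, the directive in per-server context applies to the initial handshake, while in per-directory context it forces a renegotiation. The host names, port 8443 and all file paths are placeholder assumptions.

```apache
# --- Layout from the thread: certificate required only for /webservice ---
# The initial handshake completes without asking for a client certificate.
# The first request under /webservice makes mod_ssl renegotiate the session
# in order to request one, which is the step the Mono 1.2.5 client fails on.
<VirtualHost *:443>
    ServerName www.example.org                  # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt      # placeholder paths
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt   # CA that issued the client certs

    SSLVerifyClient none
    <Location /webservice>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>

# --- Alternative: dedicated virtual host for the web service ---
# SSLVerifyClient sits in per-server context here, so the certificate is
# requested during the initial handshake and no renegotiation takes place.
# Every client of this virtual host must present a valid certificate.
Listen 8443
<VirtualHost *:8443>
    ServerName ws.example.org                   # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```

With the second layout the web service client has to be pointed at the dedicated port, and the public site on port 443 stays free of certificate prompts.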

