[Mono-list] HttpWebRequest and client certificates
Samuel CARRIERE
samuel_carriere at hotmail.com
Tue Oct 23 10:58:27 EDT 2007
Hi Sebastien and others,
There is still a small issue with webservice client certificates with mono 1.2.5: it seems not to support SSL re-negotiation.
For example, in my scenario, my Apache server doesn't require client authentication, except for the "/webservice" location.
So I have something like this in my httpd.conf configuration file:

    SSLVerifyClient none
    <Location /webservice>
        SSLVerifyClient require
    </Location>

This kind of configuration causes an SSL security re-negotiation (see http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient), and my mono client webservice test program crashes with the following stack trace:

Unhandled Exception: System.Net.WebException: Error getting response stream (ReadDone1): ReceiveFailure ---> System.IO.IOException: EndWrite failure ---> System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket+SocketAsyncResult.CheckIfThrowDelayedException () [0x00000]
  at System.Net.Sockets.Socket.EndSend (IAsyncResult asyncResult, System.Net.Sockets.SocketError& errorCode) [0x00000]
  at System.Net.Sockets.Socket.EndSend (IAsyncResult result) [0x00000]
  at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000]
  --- End of inner exception stack trace ---
  at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.EndSendRecord (IAsyncResult asyncResult) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (ContentType contentType, System.Byte[] recordData) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.SendAlert (Mono.Security.Protocol.Tls.Alert alert) [0x00000]
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000]
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000]
  at System.Net.HttpWebRequest.GetResponse () [0x00000]
  at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse (System.Net.WebRequest request) [0x00000]

Samuel

> Date: Wed, 23 May 2007 08:09:30 -0400
> From: sebastien.pouliot at gmail.com
> Subject: RE: [Mono-list] HttpWebRequest and client certificates
> To: samuel_carriere at hotmail.com
> CC: mono-list at lists.ximian.com
>
> On Wed, 2007-05-23 at 10:39 +0200, Samuel CARRIERE wrote:
> >
> > Bonjour Sebastien,
> >
> > I just tested the hack, with mono-1.2.4.20070521.tar.gz, and it works
> > like a charm :)
>
> Great news!
>
> Thanks for the confirmation,
> Sebastien
>
> > Thanks a lot!
> >
> > Samuel
> >
> > > Date: Wed, 9 May 2007 13:43:53 -0400
> > > From: sebastien.pouliot at gmail.com
> > > Subject: Re: [Mono-list] HttpWebRequest and client certificates
> > > To: samuel_carriere at hotmail.com
> > > CC: mono-list at lists.ximian.com
> > >
> > > Bonjour Samuel,
> > >
> > > I did commit the hack into SVN and it does work with XSP(*). Let me know
> > > if this works, or not, in your web service scenario.
> > >
> > > (*) http://www.mono-project.com/UsingClientCertificatesWithXSP
> > > wiki page was updated to reflect this
> > >
> > > Sebastien
> > >
> > > On Mon, 2007-05-07 at 13:25 -0400, Sebastien Pouliot wrote:
> > > > Bonjour Samuel,
> > > >
> > > > On Wed, 2007-05-02 at 14:29 +0200, Samuel CARRIERE wrote:
> > > >
> > > > 5 days to get this email ? I guess/hope you're not subscribed to the
> > > > list.
> > > >
> > > > > >On Mon, 2007-03-12 at 17:46 +0100, Michal Ziemski wrote:
> > > > > >> Hi!
> > > > > >>
> > > > > >> Does HttpWebRequest support client certificates in mono?
> > > > > >> The FAQ
> > > > > >> (http://www.mono-project.com/FAQ:_Security#Are_SSL_client_certificates_supported_.3F)
> > > > > >> states it doesn't in 1.1, but might in 2.0
> > > > > >>
> > > > > >> Does it work in 2.0?
> > > > > >
> > > > > >There has been progress, both for the new X509Certificate2 and X509Store
> > > > > >classes, but the HttpWebRequest code hasn't yet been updated. This part
> > > > > >is somewhat interlocked with the new SslStream class (2.0) and how we'll
> > > > > >provide it.
> > > > > >
> > > > > >However at this stage it may be possible to make a quick hack to add
> > > > > >client-side certificate support for *some* 2.0 apps (depending on how
> > > > > >the certificate is loaded).
> > > > > >
> > > > > >> Cheers!
> > > > > >> Michal Ziemski
> > > > >
> > > > > Hi everybody,
> > > > >
> > > > > I am working on a C# mono application that needs client certificates
> > > > > to call a webservice.
> > > > > Sebastien, can you explain a bit what sort of "quick hack" it may be
> > > > > possible to make, to make this following test code work ?
> > > > >
> > > > > static void Main(string[] args)
> > > > > {
> > > > >     // Instantiate webservice client
> > > > >     WSAddition.Addition client = new testWsSSL.WSAddition.Addition();
> > > > >     X509Certificate2 Cert = new X509Certificate2("/my/clientCertificate.p12", "password");
> > > > >     client.ClientCertificates.Add(Cert);
> > > > >     // Call webservice method
> > > > >     int result = client.add(5,6);
> > > > >     Console.WriteLine("Result : " + result);
> > > > > }
> > > > >
> > > > > Does it require to hack the HttpWebRequest class ?
> > > >
> > > > Yes, but it should be simple. The hack is to supply the private key
> > > > (available from X509Certificate2) to the SSL code.
> > > >
> > > > It would probably take me much longer to set up a client and server web
> > > > service to test it than to implement it. However if you open a bug
> > > > report (http://bugzilla.ximian.com) with a client, working with a public
> > > > SSL/client certificate web service, I should be able to add this fairly
> > > > quickly.
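
An added illustration of the server-side behaviour the message describes (not part of the original post, and not configuration from the Mono or Apache projects): mod_ssl applies a per-server SSLVerifyClient during the initial handshake, while a per-directory setting forces a renegotiation after the request has been read. Host names, the second port and all file paths are placeholders, and a matching Listen 443 is assumed to exist elsewhere in httpd.conf.

```apache
# Layout from the message: verification level changes per location.
# The handshake completes without a client certificate; when the request
# for /webservice is read, mod_ssl renegotiates to ask for one.
<VirtualHost *:443>
    ServerName www.example.test                      # placeholder
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt        # placeholder
    SSLCertificateKeyFile /path/to/server.key        # placeholder
    SSLCACertificateFile  /path/to/client-ca.crt     # CA that issued client certs

    SSLVerifyClient none
    <Location /webservice>
        SSLVerifyClient require                      # per-directory: renegotiation
        SSLVerifyDepth  1
    </Location>
</VirtualHost>

# Alternative layout: the web service gets its own virtual host and the
# requirement is set in per-server context, so the client certificate is
# requested in the initial handshake and no renegotiation is needed.
Listen 8443
<VirtualHost *:8443>
    ServerName ws.example.test                       # placeholder
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    SSLVerifyClient require                          # per-server: initial handshake
    SSLVerifyDepth  1

    <Location /webservice>
        # No SSLVerifyClient override here; an override would bring the
        # renegotiation back.
    </Location>
</VirtualHost>
```

With the second layout every connection to that virtual host must present a certificate, so unauthenticated content has to stay on the first one.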