[Mono-list] Preview 2.6.6

Abe Gillespie abe.gillespie at gmail.com
Mon Jul 12 15:19:23 EDT 2010


Hi Sebastien,

I ran mozroots as myself but with the -m switch to install into the
machine store.  Of course I did run it with "sudo" so it's technically
owned by root:root.  I don't believe it's a permissions problem
because a) this worked fine somewhere along the 2.4.x line, b) others
seem to be experiencing this as a recent regression as evidenced by
this http://bit.ly/bjxgHT, and c) I'm *pretty* sure the apache user
has the necessary rights to read the certs - ugo all have the "r" flag
set through the entire directory structure to the certs
(/usr/share/.mono/certs/*). Unfortunately, I couldn't verify for sure
because when I switch user from root to apache I get "This account is
currently not available.".

-Abe

On Mon, Jul 12, 2010 at 1:43 PM, Sebastien Pouliot
<sebastien.pouliot at gmail.com> wrote:
> On Sat, 2010-07-10 at 13:44 -0400, Abe Gillespie wrote:
>> sberryman, Jan,
>>
>> Thanks for the help, guys.  I did try this as I've used this
>> work-around before and I *thought* it wasn't working as well.  But I
>> just had another try and it worked fine.
>>
>> Now, is there a safe way to implement this work-around?
>
> Not really - otherwise there would be no gain (just pain) in verifying
> the certificate chain ;-)
>
>>  I'm not much
>> of a security wonk, so what can I check in the cert to accept only
>> Google's?  I see properties like Issuer, Thumbprint, and
>> GetRawCertData.
>
>> Can I use any of these to verify, or at least do
>> slightly more than "return true" for all certs?
>
> You can check the thumbprint (it's a hash) but that will stop working
> when Google updates its certificate or if it uses more than one
> certificate (e.g. on different servers).
>
> Now (from the bug report) it looks like you have permission issues when
> executing code from apache (likely it can't read the certificates). See
> my comment there...
>
>> Thanks.
>> -Abe
>>
>> On Fri, Jul 9, 2010 at 10:06 PM, sberryman <shaun at golfsigma.com> wrote:
>> >
>> > You could always use the ServicePointManager to accept all SSL certs.
>> > Security risk but I've used it in the past when I've had problems with Mono
>> > and SSL certs.
>> >
>> > Simply add the following delegate before you send the email.
>> >
>> > ServicePointManager.ServerCertificateValidationCallback = delegate(object
>> > sender, System.Security.Cryptography.X509Certificates.X509Certificate
>> > certificate, System.Security.Cryptography.X509Certificates.X509Chain chain,
>> > System.Net.Security.SslPolicyErrors sslPolicyErrors)
>> > {
>> >     return true;
>> > };
>> >
>> > --
>> > View this message in context: http://mono.1490590.n4.nabble.com/Preview-2-6-6-tp2279971p2284277.html
>> > Sent from the Mono - General mailing list archive at Nabble.com.
>> > _______________________________________________
>> > Mono-list maillist  -  Mono-list at lists.ximian.com
>> > http://lists.ximian.com/mailman/listinfo/mono-list
>> >
>
>
>
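
Added example, not code from any poster in this thread: a validation callback that does more than "return true" by falling back to a thumbprint allowlist only when chain building fails, with more than one pin to cover the rotation and multiple-server caveat raised above. The class name, member names and thumbprint values are assumptions; the thumbprints are placeholders to be replaced with values verified out of band.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; names are illustrative only.
static class PinnedCertValidation
{
    // Placeholder SHA-1 thumbprints (hex, no spaces). Keep one entry per
    // certificate the service is known to present, and add the replacement
    // before the current certificate is rotated out.
    static readonly HashSet<string> PinnedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000", // placeholder
            "1111111111111111111111111111111111111111", // placeholder
        };

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal path: the chain built to a trusted root and the name matched.
        if (errors == SslPolicyErrors.None)
            return true;

        // Tolerate only the failure discussed in this thread (the chain
        // cannot be built to a trusted root). A name mismatch or a missing
        // certificate is still rejected.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;
        if (certificate == null)
            return false;

        // GetCertHashString() returns the certificate's SHA-1 hash as hex,
        // the same value shown as the thumbprint.
        return PinnedThumbprints.Contains(certificate.GetCertHashString());
    }

    // Call once at startup, before the first SSL/TLS connection is made.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

The callback is process-wide, so the allowlist applies to every host the application connects to; once the trust store is readable again the fallback branch is never reached and can be removed.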

