[Mono-list] Preview 2.6.6

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon Jul 12 15:34:54 EDT 2010


Abe,

If you can't test it with the apache user then write a non-ASP.NET app
doing the same (emailing) and run it under your current user.

Then use certmgr to delete all certificates (of the current user, not
machine) and try again. At this step you'll be sure if (or not) the
required certificates were found.

Update the bug report with the above information.

Thanks
Sebastien

On Mon, 2010-07-12 at 15:19 -0400, Abe Gillespie wrote:
> Hi Sebastian,
> 
> I ran mozroots as myself but with the -m switch to install into the
> machine store.  Of course I did run it with "sudo" so it's technically
> owned by root:root.  I don't believe it's a permissions problem
> because a) this worked fine somewhere along the 2.4.x line, b) others
> seem to be experiencing this as a recent regression as evidenced by
> this http://bit.ly/bjxgHT, and c) I'm *pretty* sure the apache user
> has the necessary rights to read the certs - ugo all have the "r" flag
> set through the entire directory structure to the certs
> (/usr/share/.mono/certs/*), unfortunately I couldn't verify for sure
> because when I switch user from root to apache I get "This account is
> currently not available.".
> 
> -Abe
> 
> On Mon, Jul 12, 2010 at 1:43 PM, Sebastien Pouliot
> <sebastien.pouliot at gmail.com> wrote:
> > On Sat, 2010-07-10 at 13:44 -0400, Abe Gillespie wrote:
> >> sberryman, Jan,
> >>
> >> Thanks for the help, guys.  I did try this as I've used this
> >> work-around before and I *thought* it wasn't working as well.  But I
> >> just had another try and it worked fine.
> >>
> >> Now, is there a safe way to implement this work-around?
> >
> > Not really - otherwise there would be no gain (just pain) in verifying
> > the certificate chain ;-)
> >
> >>  I'm not much
> >> of a security wonk, so what can I check in the cert to accept only
> >> Google's?  I see properties like Issuer, Thumbprint, and
> >> GetRawCertData.
> >
> >> Can I use any of these to verify, or at least do
> >> slightly more than "return true" for all certs?
> >
> > You can check the thumbprint (it's a hash) but that will stop working
> > when Google updates its certificate or if it uses more than one
> > certificate (e.g. on different servers).
> >
> > Now (from the bug report) it looks like you have permission issues when
> > executing code from apache (likely it can't read the certificates). See
> > my comment there...
> >
> >> Thanks.
> >> -Abe
> >>
> >> On Fri, Jul 9, 2010 at 10:06 PM, sberryman <shaun at golfsigma.com> wrote:
> >> >
> >> > You could always use the ServicePointManager to accept all SSL certs.
> >> > Security risk but I've used it in the past when I've had problems with Mono
> >> > and SSL certs.
> >> >
> >> > Simply add the following delegate before you send the email.
> >> >
> >> > ServicePointManager.ServerCertificateValidationCallback = delegate(object
> >> > sender, System.Security.Cryptography.X509Certificates.X509Certificate
> >> > certificate, System.Security.Cryptography.X509Certificates.X509Chain chain,
> >> > System.Net.Security.SslPolicyErrors sslPolicyErrors)
> >> > {
> >> >     return true;
> >> > };
> >> >
> >> > --
> >> > View this message in context: http://mono.1490590.n4.nabble.com/Preview-2-6-6-tp2279971p2284277.html
> >> > Sent from the Mono - General mailing list archive at Nabble.com.
> >> > _______________________________________________
> >> > Mono-list maillist  -  Mono-list at lists.ximian.com
> >> > http://lists.ximian.com/mailman/listinfo/mono-list
> >> >
> >
> >
> >
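
A narrower callback than the accept-all delegate quoted above, following the thumbprint suggestion in this thread. This is an added example, not code posted by anyone on the list; the class name and both thumbprint values are constructed placeholders, and the pinned set has to be updated whenever the server certificate changes.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class (name is an assumption, not part of Mono).
static class PinnedCertificateValidation
{
    // Constructed placeholder SHA-1 thumbprints. Replace them with the hashes
    // of the certificates your mail server really presents. More than one
    // entry covers the "several servers" and "certificate renewed" cases
    // mentioned in the thread.
    static readonly HashSet<string> PinnedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "0000000000000000000000000000000000000000", // placeholder: current certificate
        "1111111111111111111111111111111111111111", // placeholder: second server or next certificate
    };

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // No certificate presented: nothing to pin against, so refuse.
        if (certificate == null)
            return false;

        // Normal path: the chain validated against the trust store
        // (for example the roots imported with mozroots).
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Validation failed (for example the trust store could not be read).
        // Accept only a certificate whose hash is explicitly pinned, and
        // reject everything else instead of returning true for all of them.
        return PinnedThumbprints.Contains(certificate.GetCertHashString());
    }

    // Call once at startup, before the first SSL connection is opened.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }
}
```

A pinned certificate that is not in the set fails closed, so the failure shows up as a connection error rather than a silently accepted certificate.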



