[Mono-list] SSL Negotiation

Chuck Budzeak crbudzeak at gmail.com
Wed Apr 27 10:32:10 EDT 2011


Greetings all,

I have an SSL Server written for mono which needs to mutually authenticate
with the clients that connect. As soon as a client connects I get:

System.IO.IOException: The authentication or decryption has failed. --->
Mono.Security.Protocol.Tls.TlsException: Server certificate Private Key
unavailable.
  at
Mono.Security.Protocol.Tls.Handshake.Server.TlsClientKeyExchange.ProcessAsTls1
() [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
[0x00000] in <filename unknown>:0
  at (wrapper remoting-invoke-with-check)
Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ServerRecordProtocol.ProcessHandshakeMessage
(Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename
unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback
(IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
(IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

 I have been at this for a couple days and have read through
http://www.mono-project.com/Cryptography and
http://www.mono-project.com/FAQ:_Security a dozen times.

Here is my code:

TcpClient tcpClient = this.tcpListener.AcceptTcpClient();
SslStream sslStream = new SslStream(tcpClient.GetStream(), true, new
RemoteCertificateValidationCallback(Validator), new
LocalCertificateSelectionCallback(SelectLocalCertificate));
X509Certificate2 serverCert = new X509Certificate2("root.cer");
sslStream.AuthenticateAsServer(serverCert, true, SslProtocols.Tls, true);

It is failing during the RemoteCertificateValidationCallback, which it
doesn't find the private key.

I have tried importing the p12 with the private key every way i could google
with no result.

If I try to manually add the p12 with X509Certificate2 cert = new
X509Certificate2("foo.p12","pass") inside the remote callback, it will load
the file fine, but then I don't know what to do with it.

If i try to add it to the chain, (which is apparently not what I want to do)
i get:

System.IO.IOException: The authentication or decryption has failed. --->
System.NullReferenceException: Object reference not set to an instance of an
object
at Test.Validator (System.Object sender,
System.Security.Cryptography.X509Certificates.X509Certificate certificate,
System.Security.Cryptography.X509Certificates.X509Chain chain,
SslPolicyErrors sslPolicyErrors) [0x00000] in <filename unknown>:0
at
System.Net.Security.SslStream+<BeginAuthenticateAsServer>c__AnonStorey8.<>m__B
(System.Security.Cryptography.X509Certificates.X509Certificate cert,
System.Int32[] certErrors) [0x00000] in <filename unknown>:0

The box it is running on is an openSUSE 11.3 with Mono 2.6.4 (which probably
doesn't matter, but I am trying to give as much detail as possible).

I have the exact opposite working as part of this server which makes an
SSL/TLS connection to another server (AuthenticateAsClient) and it works
great. There is just something in this process I am not getting...and it is
probably really simple.

I made the certificate with makecert (as detailed in the links above), added
it to the trust with certmgr (ditto), and am at a wall.

Any help would be greatly appreciated!

Chuck
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ximian.com/pipermail/mono-list/attachments/20110427/e2b5e4f4/attachment.html 


More information about the Mono-list mailing list