[Mono-list] Private key failure SslStream based authentication on Mono/UbuntuLinux

Sebastien Pouliot sebastien.pouliot at gmail.com
Thu May 26 16:31:40 EDT 2011 

Hello Chirag,

On Thu, 2011-05-26 at 13:17 -0700, Chirag Patel wrote:
> Hi All,
> 
> I am working on migrating my .NET based windows service to mono and linux.
> 
> I am using SslStream and its BeginAuthenticateServer method.
> 
> Exception: The authentication or decryption has failed.
> Inner Exception: Server certificate Private Key unavailable.
> at Mono.Security.Protocol.Tls.Handshake.Server.TlsClientKeyExchange.ProcessAsSsl3
> () [0x00000] in <filename unknown>:0
>   at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
> [0x00000] in <filename unknown>:0
>   at (wrapper remoting-invoke-with-check)
> Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
>   at Mono.Security.Protocol.Tls.ServerRecordProtocol.ProcessHandshakeMessage
> (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename
> unknown>:0
>   at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback
> (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
> 
> [http://lists.ximian.com/pipermail/mono-list/2007-February/034278.html]
> 
> I see that Sebastien has pointed out using alternate
> Mono.Security.Protocol.Tls.SslServerStream class,
> and its delegate to fetch private key. (because of difference between
> linux vs. windows handling of certs.)

That's an alternative, not the best, but it has quite a bit of source
code using it (e.g. xsp) and is easy to adapt (to whatever source you're
loading the private key from).

> What is next? Just use the server certificate from SslServerStream
> property, and dispose the stream?

No, if you start using SslServerStream then you'll need to use it
completely (forget SslStream).

> And continue using original Microsoft SslStream?

That's another choice and needs a different solution :)

> Or
> I just have to use Mono's SslServerStream and manually write read
> "any/irrelevant" data to proceed with authentication?

No

> I am using PFX file. I did include private key. So, Do I even need to
> use the delegate to load private key separately??
> (How can I debug whether the loaded X509Certificate instance has the
> private key loaded.)
> 
> I have also tried this with a Verisign issued real certificate. But
> since that entire thing including export was done on Windows, I tried
> my code with self-signed (linux - openssl) cert.

Two things comes to mind:

1. make sure Mono can read your PKCS12 file (e.g. load it using
X509Certificate2 and dump its properties). This is important because
Mono's ASN.1 implementation does not support "indefinite length" and
some tools generates them.

2. When using SslStream + PKCS12 also make sure you're using
X509Certificate2 (***2*** not X509Certificate). This will ensure the
private key, if present, will be loaded in memory and will let SslStream
use it.

Sebastien

More information about the Mono-list mailing list