[Mono-list] Private key failure SslStream based authentication on Mono/UbuntuLinux

Chirag Patel patel.chirag.d at gmail.com
Fri May 27 12:49:16 EDT 2011


Hello Sebastien,

I see some progress. The progress came out of using X509Certificate2
on my linux server.
So, private key exception is gone.

Now I face another problem on client side (on the code that has run
fine on windows for 1 year).
    _sslstream = new SslStream(_tcpclient.GetStream(), false,
        callback, null);
    _sslstream.AuthenticateAsClient("", _certs, SslProtocols.Ssl3,
        false);
The application stalls at AuthenticateAsClient. It never goes forward.
And based on the Debug output, I see that it has a Remote Certificate
name mismatch issue with the server's certificate.
(I think it has a problem identifying the server as what the server says it is.)

Here's what I tried after that.
I ran my server on windows and linux both to get the Subject of the
certificate on both sides. They were exactly the same.

Could you think of anything else?

I have also included some inline messages out of curiosity.

Thanks

On Thu, May 26, 2011 at 1:31 PM, Sebastien Pouliot
<sebastien.pouliot at gmail.com> wrote:
> Hello Chirag,
>
> On Thu, 2011-05-26 at 13:17 -0700, Chirag Patel wrote:
>> Hi All,
>>
>> I am working on migrating my .NET based windows service to mono and linux.
>>
>> I am using SslStream and its BeginAuthenticateServer method.
>>
>> Exception: The authentication or decryption has failed.
>> Inner Exception: Server certificate Private Key unavailable.
>> at Mono.Security.Protocol.Tls.Handshake.Server.TlsClientKeyExchange.ProcessAsSsl3
>> () [0x00000] in <filename unknown>:0
>>   at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
>> [0x00000] in <filename unknown>:0
>>   at (wrapper remoting-invoke-with-check)
>> Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
>>   at Mono.Security.Protocol.Tls.ServerRecordProtocol.ProcessHandshakeMessage
>> (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename
>> unknown>:0
>>   at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback
>> (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
>>
>> [http://lists.ximian.com/pipermail/mono-list/2007-February/034278.html]
>>
>> I see that Sebastien has pointed out using alternate
>> Mono.Security.Protocol.Tls.SslServerStream class,
>> and its delegate to fetch private key. (because of difference between
>> linux vs. windows handling of certs.)
>
> That's an alternative, not the best, but it has quite a bit of source
> code using it (e.g. xsp) and is easy to adapt (to whatever source you're
> loading the private key from).
>
>> What is next? Just use the server certificate from SslServerStream
>> property, and dispose the stream?
>
> No, if you start using SslServerStream then you'll need to use it
> completely (forget SslStream).
>
>> And continue using original Microsoft SslStream?
>
> That's another choice and needs a different solution :)
>
>> Or
>> I just have to use Mono's SslServerStream and manually write/read
>> "any/irrelevant" data to proceed with authentication?
>
> No
If I were to use SslServerStream, what logic would replace
SslStream::BeginAuthenticateAsServer?

>
>> I am using a PFX file. I did include the private key. So, do I even need to
>> use the delegate to load the private key separately??
>> (How can I debug whether the loaded X509Certificate instance has the
>> private key loaded.)
>>
>> I have also tried this with a Verisign issued real certificate. But
>> since that entire thing including export was done on Windows, I tried
>> my code with self-signed (linux - openssl) cert.
>
> Two things come to mind:
>
> 1. make sure Mono can read your PKCS12 file (e.g. load it using
> X509Certificate2 and dump its properties). This is important because
> Mono's ASN.1 implementation does not support "indefinite length" and
> some tools generate them.
>
> 2. When using SslStream + PKCS12 also make sure you're using
> X509Certificate2 (***2*** not X509Certificate). This will ensure the
> private key, if present, will be loaded in memory and will let SslStream
> use it.
>
I think (2) did solve the problem: Private key unavailable.
I mentioned I load the cert from a PFX file. I wonder what's the ideal way
to handle certificates in mono+linux?
I see /etc/ssl... but that doesn't provide the exact facilities of the
Microsoft certificate store. I used a tool called XCA on ubuntu, but
it creates its own database file.

> Sebastien
>
>
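Sebastien's checks (1) and (2), and the client-side name mismatch described above, as an added C# example that is not code from either message: it loads the PKCS12 file through X509Certificate2, dumps the properties that matter and verifies HasPrivateKey, and installs a RemoteCertificateValidationCallback that reports which SslPolicyErrors bits caused the rejection instead of stalling silently. The PFX path, password and the hostname "server.example.com" are placeholders; the targetHost argument to AuthenticateAsClient is the name the remote certificate is matched against, so it must be a name that appears in the server certificate's Subject CN or subjectAltName.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic helpers, not code from the thread. The PFX path, password
// and "server.example.com" are placeholders supplied by the caller.
static class SslDiagnostics
{
    // Check (1) and (2): load the PKCS12 file with X509Certificate2 (not
    // X509Certificate) so Mono parses it and attaches the private key, then
    // print the properties SslStream depends on.
    public static X509Certificate2 LoadAndDump(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.Exportable);
        Console.WriteLine("Subject:       " + cert.Subject);
        Console.WriteLine("Issuer:        " + cert.Issuer);
        Console.WriteLine("Not after:     " + cert.NotAfter);
        Console.WriteLine("Thumbprint:    " + cert.Thumbprint);
        // Answers "does the loaded instance actually hold the private key?"
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "PFX loaded without a private key; SslStream cannot serve with it.");
        return cert;
    }

    // Client-side callback that names each policy error. Returning false keeps
    // the handshake from completing with a misnamed or untrusted certificate.
    public static bool ValidateServerCertificate(object sender,
        X509Certificate certificate, X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;
        Console.WriteLine("Server certificate rejected: " + sslPolicyErrors);
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("  presented Subject " + certificate.Subject
                + " does not match the targetHost given to AuthenticateAsClient");
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0
            && chain != null)
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("  chain: " + s.Status + " " + s.StatusInformation);
        return false;
    }
}
```

On the client, pass SslDiagnostics.ValidateServerCertificate as the callback and the server's certificate name (e.g. "server.example.com") as targetHost; the console output then shows exactly which check the server certificate fails.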

