[Mono-list] Linux Cert Store / More problems
Ken Bass
kbass at kenbass.com
Sun Jan 15 17:36:19 UTC 2012
On 01/14/2012 05:17 PM, Ken Bass wrote:
>
> 2) When the program runs it first does a lookup based on the subject
> name. If the key exists, it is used, rather than having to regenerate
> one every time the program runs.
>
> On Windows HasPrivateKey returns True
>
> On Linux it returns False.
>
> I am thinking this is why when I'm trying to use this key as the
> server side on an SSL, under Linux, I get a
1) After debugging this some more, it appears the problem is twofold.
a) For Linux/Mono I cannot use the X509Store. I am creating a PKCS12
certificate programmatically. For private key password, I am leaving it
as null.
Saving it to the X509Store results in a .cer file with no private key.
That info appears to be lost.
b) So instead, I saved using PKCS12.SaveToFile(); it saves a .p12
that is unusable. If you try to read it back, HasPrivateKey is false.
The only way to get this to work was to specify a private key
password; reading it back then results in HasPrivateKey being
true. Without doing this,
I get the 'Server certificate Private Key unavailable.' error.
>
> Unknown exception: System.IO.IOException: The authentication or
> decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException:
> Incorrect protocol version received from server
>
2) This seems to be caused by the client attempting TLS, but only Ssl3
is passed to AuthenticateAsServer. The code I am porting works fine
under .NET. If AuthenticateAsServer is told to only
accept ssl3, shouldn't it simply ignore other protocols rather than
throwing an exception? Since the same code works on .NET, I'm thinking
Mono is behaving differently.
Looking at http://msdn.microsoft.com/en-us/library/ms145065.aspx, I do
not see any mention of a 'Incorrect protocol version'. Another bug?
Moving on...
3) Once I got past these two issues, the next layer of the onion is that
AuthenticateAsServer does not appear to return until the client writes
something to the socket. The existing code that works under .NET
assumes the AuthenticateAsServer call returns when the client connects.
The server side then writes something to the socket like 'Hello, who are
you?'. Since the client is not the first to write, we are basically
stuck in AuthenticateAsServer. It would appear that getting this to
work would require changing the application protocol?
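The three points above (a PKCS#12 round-trip that must preserve the private key, an explicit protocol list passed to AuthenticateAsServer, and a server that speaks first once the handshake returns) can be exercised together in a single loopback program. The following is an added example, not code from the post or from Mono; it assumes a modern .NET runtime (CertificateRequest and SslProtocols.Tls13 are .NET Core 3.0+ APIs, not the Mono of 2012), and the password, protocol set and greeting text are assumptions chosen for the demo:

```csharp
// Added example (not from the original post): round-trip a certificate through
// PKCS#12 with a non-empty password, check HasPrivateKey on the reloaded object
// before handing it to SslStream, then run a loopback handshake where the
// server writes first. Assumes .NET Core 3.0+ / .NET 5+ (CertificateRequest,
// Tls13); the password, protocol list and greeting text are assumptions.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class Pkcs12RoundTrip
{
    // Constructed test input: a throw-away self-signed certificate built in memory.
    static X509Certificate2 MakeSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    // Export to PKCS#12 with a password and reload. The reloaded object is what a
    // server would read from disk, so HasPrivateKey must be checked on *that* one,
    // not on the certificate that was exported.
    static X509Certificate2 RoundTrip(X509Certificate2 cert, string password)
    {
        byte[] p12 = cert.Export(X509ContentType.Pkcs12, password);
        var reloaded = new X509Certificate2(p12, password, X509KeyStorageFlags.Exportable);
        if (!reloaded.HasPrivateKey)
            throw new InvalidOperationException("PKCS#12 round-trip lost the private key; cannot act as TLS server");
        return reloaded;
    }

    static async Task Main()
    {
        using X509Certificate2 serverCert = RoundTrip(MakeSelfSigned("CN=localhost"), "not-null-password");
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        Task server = Task.Run(async () =>
        {
            using TcpClient conn = await listener.AcceptTcpClientAsync();
            using var ssl = new SslStream(conn.GetStream(), false);
            try
            {
                // Name the protocols explicitly rather than relying on the runtime default.
                ssl.AuthenticateAsServer(serverCert, clientCertificateRequired: false,
                    enabledSslProtocols: SslProtocols.Tls12 | SslProtocols.Tls13,
                    checkCertificateRevocation: false);
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("handshake failed: " + ex.Message);
                return;
            }
            // Server speaks first, as in the application protocol being ported.
            byte[] hello = Encoding.ASCII.GetBytes("Hello, who are you?\n");
            await ssl.WriteAsync(hello, 0, hello.Length);
            byte[] buf = new byte[256];
            int n = await ssl.ReadAsync(buf, 0, buf.Length);
            Console.WriteLine("server got: " + Encoding.ASCII.GetString(buf, 0, n).TrimEnd());
        });

        using var client = new TcpClient();
        await client.ConnectAsync(IPAddress.Loopback, port);
        // Pin the self-signed test certificate by thumbprint; it is the one built above.
        using var clientSsl = new SslStream(client.GetStream(), false,
            (sender, cert, chain, errors) =>
                cert != null && cert.GetCertHashString() == serverCert.GetCertHashString());
        clientSsl.AuthenticateAsClient("localhost", null, SslProtocols.Tls12 | SslProtocols.Tls13, false);
        byte[] rbuf = new byte[256];
        int r = await clientSsl.ReadAsync(rbuf, 0, rbuf.Length);
        Console.WriteLine("client got: " + Encoding.ASCII.GetString(rbuf, 0, r).TrimEnd());
        byte[] reply = Encoding.ASCII.GetBytes("client-1\n");
        await clientSsl.WriteAsync(reply, 0, reply.Length);
        await server;
        listener.Stop();
    }
}
```

The round-trip through Export/new X509Certificate2 is deliberate: it is the same path the post's .p12 file takes, so a key that would be lost on disk is caught at RoundTrip() with a clear message instead of surfacing later as a handshake error. The client-side callback pins the exact test certificate rather than returning true for any certificate, so the demo does not teach an "accept everything" validator.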