[Mono-list] Linux Cert Store / More problems

Ken Bass kbass at kenbass.com
Sun Jan 15 17:36:19 UTC 2012

On 01/14/2012 05:17 PM, Ken Bass wrote:
> 2) When the program runs it first does a lookup based on the subject 
> name. If the key exists, it is used, rather than having to regenerate 
> one every time the program runs.
> On Windows HasPrivateKey returns True
> On Linux it returns False.
> I am thinking this is why when I'm trying to use this key as the 
> server side on an SSL, under Linux, I get a

1) After debugging this some more, it appears the problem is twofold.

  a) For Linux/Mono I cannot use the X509Store. I am creating a PKCS12 
certificate programmatically. For private key password, I am leaving it 
as null.
Saving it to the X509Store results in a .cer file with no private key. 
That info appears to be lost.

   b) So instead, I saved using PKCS12.SaveToFile(), it saves a .p12 
that is unusable. If you try to read it back, the HasPrivateKey is false.

   The only way to get this to work was to specify a private key 
password and then reading it back, which results in HasPrivateKey is 
true. Without doing this,
I get the ' Server certificate Private Key unavailable.'

> Unknown exception: System.IO.IOException: The authentication or 
> decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: 
> Incorrect protocol version received from server

2) This seems to be caused by the client attempting TLS, but only Ssl3 
is passed to AuthenticateAsServer. The code I am porting works fine 
under .NET. If AuthenticateAsServer is told to only
accept ssl3, shouldn't it simply ignore other protocols rather than 
throwing an exception? Since the same code works on .NET, I'm thinking 
Mono is behaving differently.

Looking at http://msdn.microsoft.com/en-us/library/ms145065.aspx, I do 
not see any mention of a 'Incorrect protocol version'. Another bug?

Moving on...

3) Once I got past these two issues, the next layer of the onion is that 
AuthenticateAsServer does not appear to return until the client writes 
something to the socket. The existing code that works under .NET
assuming the AuthenticateAsServer call returns when the client connects. 
The server side then writes something to the socket like 'Hello, who are 
you?'. Since the client is not the first to write, we are basically 
stuck in  AuthenticateAsServer. It would appear that getting this to 
work would require changing the application protocol?

More information about the Mono-list mailing list