[Mono-list] Mono SSL server fails to send intermediate to client

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Sat Apr 26 00:35:20 UTC 2014


> From: mono-list-bounces at lists.ximian.com [mailto:mono-list-
> bounces at lists.ximian.com] On Behalf Of Edward Ned Harvey (mono)
> 
> My second commit, "automatically build intermediates" will capture the chain
> at the time of pkcs12 import, automatically store the intermediates in
> IntermediateCACertificates, and correctly reconstruct the chain later.

Oh - a really important detail about this - it is necessary to have done mozroots first (or at least import the root CA for your chain).  Because if you don't trust the root CA of *your own chain*, then no matter what, X509Chain will never construct a complete chain, and therefore will never import any intermediates into the IntermediateCACertificates store, and therefore your server will serve an incomplete chain to clients.

I thought about automatically importing the root CA from the chain that the user is building while they are instantiating their server...  Only long enough to imagine Satan laughing and children being eaten by large predators.  (Make no mistake, that would be a horrible idea.)  But there *is* some ground to be gained, maybe.  If the user decides to instantiate a server with an untrusted chain (doesn't trust itself) then clearly, the user is doing something wrong.  It would be nice to notify them somehow, but the only thing I can think of is to throw an exception, which might be even more ungraceful than silently going into operation with an incomplete chain.

Can there exist some sort of compromise?  A way to notify the user that they're probably doing something wrong, without excepting and tanking the application?  I could imagine, maybe sometimes you'll successfully get notification to them, by doing Console.Error.WriteLine, or Trace.WriteLine.  But there are an awful lot of situations where those are not applicable, and I don't know what the behavior is to call those when, for example, you have no console.
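As an added illustration of the pre-flight check discussed in this thread (this is example code written for this page, not code from the original post or from Mono's own sources): before a server is instantiated, build the chain from the PKCS#12 bundle with the intermediates it carries as extra candidates, and if X509Chain cannot complete the chain to a trusted root, report it through Console.Error and Trace rather than throwing. The class and method names are assumptions; the PKCS#12 path and password are placeholders supplied by the caller.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of Mono): checks that the certificate the
// server is about to present chains to a root the local machine trusts.
static class ServerChainCheck
{
    // Returns true when the chain is complete and trusted.
    // Returns false after writing diagnostics when it is not; it does not
    // throw for an untrusted chain, which is the "notify without tanking
    // the application" compromise the thread asks about.
    public static bool VerifyServerChain(string pkcs12Path, string password)
    {
        var bundle = new X509Certificate2Collection();
        bundle.Import(pkcs12Path, password, X509KeyStorageFlags.DefaultKeySet);

        // The end-entity (server) certificate is the one carrying the key.
        X509Certificate2 leaf = null;
        foreach (X509Certificate2 c in bundle)
        {
            if (c.HasPrivateKey) { leaf = c; break; }
        }
        if (leaf == null)
        {
            // A bundle with no private key cannot serve TLS at all; that is
            // a genuine configuration error, so throwing is appropriate here.
            throw new ArgumentException("PKCS#12 bundle contains no certificate with a private key");
        }

        var chain = new X509Chain();
        // Offline check only: we are validating our own configuration, not a peer.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Offer the bundled intermediates so the builder can use them even
        // when the IntermediateCACertificates store has not been populated yet.
        foreach (X509Certificate2 c in bundle)
        {
            if (!c.HasPrivateKey) chain.ChainPolicy.ExtraStore.Add(c);
        }

        if (chain.Build(leaf))
        {
            return true;
        }

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            string msg = string.Format(
                "TLS chain for '{0}' is incomplete: {1} ({2})",
                leaf.Subject, status.Status, status.StatusInformation.Trim());

            if ((status.Status & X509ChainStatusFlags.UntrustedRoot) != 0 ||
                (status.Status & X509ChainStatusFlags.PartialChain) != 0)
            {
                msg += " - import the root CA of your own chain (for example with mozroots)"
                     + " or clients will be sent an incomplete chain.";
            }

            // Both sinks may be unavailable in a headless service; neither
            // throws when no listener is attached, so this is best effort.
            Console.Error.WriteLine(msg);
            Trace.TraceWarning(msg);
        }
        return false;
    }
}
```

Calling ServerChainCheck.VerifyServerChain(path, password) during startup gives the operator a chance to see the UntrustedRoot or PartialChain status before the server goes live; the definitive check remains to connect with a TLS client afterwards and confirm that the intermediate is actually present in the certificates the server sends.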

