[Mono-list] HttpListener SSL client certificate

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Thu Aug 7 18:02:55 UTC 2014


> From: mono-list-bounces at lists.ximian.com [mailto:mono-list-
> bounces at lists.ximian.com] On Behalf Of DrGusman
> 
> I thought I was doing something wrong, but after watching the code it's
> clear it is a bug, as I said it has been hardcoded to ask for a client
> certificate, the "false, true, false" parameters at the end SslServerStream

I have a different interpretation - The fact that it's hard-coded like that suggests two things to me:  (a) nobody else is doing what you're doing, so maybe you should consider changing, just because this code is obviously not widely adopted or maintained for security bugs or other bugs, and (b) you're probably not expected to actually use what you're using.  Surely you're not the first person to serve https via mono; most likely there's something else you're expected to use instead, which would be more robust, more reliable, and/or more secure.

I've described SslStream in a previous email in this thread, because we're using it in production - This is something I would naturally expect to be well supported and well maintained, as it is a standard part of both .NET and Mono - but due to bugs we've stepped on and either worked around or personally patched, the lack of response to pull requests, and the general lack of support as previously described (and we're paying Xamarin customers), we will be abandoning SslStream when we can.  I have to generalize that the mono security code, and in particular the ssl/tls code, is not well maintained, probably crashy and possibly even vulnerable.  (I'm going to have to say, probably vulnerable.)

By the sounds of it, the class you're using is even less maintained, and even less likely to get future maintenance than what we've encountered with SslStream.  If you're using it heavily, as we are with SslStream, you might have to do something like we're doing - use it for now, and plan to transition later.  Or maybe you just make it work for now and continue using it indefinitely.

Either way, best of luck to you.   :-)
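For readers who want the decision about client certificates under their own control rather than hard-coded inside HttpListener, here is an added example (not code from this thread, from Mono, or from the poster) of a minimal HTTPS responder on System.Net.Security.SslStream, the class the reply above says it uses in production. Whether a CertificateRequest is sent is a single explicit flag passed to AuthenticateAsServer, and the validation callback handles both the mutual-TLS and the no-client-certificate case. The file name server.pfx, its password, port 8443 and the class name are assumptions for the example; it also assumes a runtime whose TLS stack supports TLS 1.2.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: explicit control over client-certificate requests with SslStream.
// Paths, password, port and class name are assumptions, not values from the thread.
static class ExplicitClientCertListener
{
    // Set to true for mutual TLS. With false, AuthenticateAsServer sends no
    // CertificateRequest, so browsers will not prompt the user for a certificate.
    const bool RequestClientCertificate = false;

    static bool ValidateClient(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        // A client that sends no certificate (or a server that never asked for one)
        // shows up as cert == null with RemoteCertificateNotAvailable. Accept that
        // only when we did not ask; for mutual TLS it is a rejection.
        if (cert == null)
            return !RequestClientCertificate;
        // Accept only a cleanly chained certificate. A real deployment would also
        // pin the issuer or check subject/EKU here.
        return errors == SslPolicyErrors.None;
    }

    static void Handle(TcpClient client, X509Certificate2 serverCert)
    {
        using (client)
        using (var tls = new SslStream(client.GetStream(), false, ValidateClient))
        {
            tls.AuthenticateAsServer(serverCert,
                                     clientCertificateRequired: RequestClientCertificate,
                                     enabledSslProtocols: SslProtocols.Tls12,
                                     checkCertificateRevocation: false);

            // Drain the request line and headers; this toy server ignores their content.
            var reader = new StreamReader(tls, Encoding.ASCII);
            string line;
            while ((line = reader.ReadLine()) != null && line.Length > 0) { }

            string who = tls.RemoteCertificate == null
                ? "anonymous client"
                : tls.RemoteCertificate.Subject;
            byte[] body = Encoding.UTF8.GetBytes("Hello, " + who + "\n");
            byte[] head = Encoding.ASCII.GetBytes(
                "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: "
                + body.Length + "\r\nConnection: close\r\n\r\n");
            tls.Write(head, 0, head.Length);
            tls.Write(body, 0, body.Length);
            tls.Flush();
        }
    }

    static void Main()
    {
        // Assumed: a PKCS#12 file holding the server certificate and its private key.
        var serverCert = new X509Certificate2("server.pfx", "changeit");
        var listener = new TcpListener(IPAddress.Loopback, 8443);
        listener.Start();
        Console.WriteLine("Listening on https://127.0.0.1:8443/ (client cert requested: "
                          + RequestClientCertificate + ")");
        while (true)
        {
            TcpClient client = listener.AcceptTcpClient();
            try { Handle(client, serverCert); }
            catch (Exception e) { Console.Error.WriteLine("handshake or request failed: " + e.Message); }
        }
    }
}
```

Flip RequestClientCertificate to true and the same callback enforces mutual TLS: a connection without a valid client certificate fails inside AuthenticateAsServer instead of reaching the request handler. Keep the validation callback strict; returning true unconditionally there is the usual way such servers end up accepting any certificate at all.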

