[Mono-list] basichttpbinding with client certificates not working - alternatives?

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Thu Nov 5 20:51:53 UTC 2015


> From: mono-list-bounces at lists.ximian.com [mailto:mono-list-bounces at lists.ximian.com] On Behalf Of Darkness
> 
> Transport security is working fine with basicHttpBinding, but when I set the
> transport client credential type to certificate, the client authentication
> does not seem to work on mono. (all certificates are in place)

There is a bunch of stuff related to SSL and TLS that is broken, and currently under development. I suspect you're probably bumping into it. I suggest you re-post your question to the mono-dev list - but first look at the archives and look for recent posts from Martin Baulig, on Nov 3 and Oct 26. Also see Miguel's blog post http://tirania.org/blog/archive/2015/Aug-27.html

There is a different set of compatibility issues depending on whether your server is mono and client is windows, or server is windows and client is mono, or win-win, or mono-mono. So be specific about precisely what platform your clients & servers are running.

There are additionally some compatibility problems with mono servers serving SSL cert chains for real valid certs. I think it works if the server cert is signed directly by the CA root - which never happens unless you are the CA. I had to hack the mono server in order to make it work with a single intermediate, but then it works *only* with a single intermediate (doesn't work if directly signed by root, or if signed by 2 intermediates).

All of the issues I'm talking about are even more basic than what you're asking. I'm talking about simply establishing a standard, common, TLS channel. Your question involving client authentication with certs is even more advanced, even more likely to be broken.

I say ask on the mono-dev list, not only because you're most likely to get your answers there - you might also get suggestions such as "use EldoS SecureBlackbox as an alternative."

Good luck.

