[Mono-list] basichttpbinding with client certificates not working - alternatives?

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Fri Nov 6 21:04:30 UTC 2015


> From: mono-list-bounces at lists.ximian.com [mailto:mono-list-
> bounces at lists.ximian.com] On Behalf Of Darkness
> 
> Regarding the win-win, mono-mono, ... client server options, this case would
> be a service on linux+mono with clients on .Net/windows.

Right now, today, there's a problem with mono SslStream operating as a server. I don't know precisely what class you're using as a listener - if there's something like HttpListener (or whatever) that exists at a higher level, it may not use SslStream under the hood. It may use some other OS-provided libraries. This is why I suggest being specific and asking on the dev list, where they know those details.

If whatever you're doing is indeed using SslStream under the hood, and you want to use a standard SSL cert signed by an intermediate CA, the current release of SslStream is broken. It doesn't distribute the chain to the clients, which means any client that has already cached that intermediate from a previous connection will mask the problem: it will connect fine without exposing the problem to you. But any new client that requires the chain will display invalid cert warnings on the site.

(Again, ask on the dev list.) There are two workarounds that I'm aware of. I hacked up a version of mono to support a single intermediate. It's hacky, and it will very likely fail to do the client cert authentication that you're seeking. There are some very old mono bindings for openssl - so old I wasn't comfortable considering it possible - but maybe you'd like to consider that option. And there's Eidos secure blackbox, which is a commercial product.

Or run a windows server. Or wait till mono has it fixed. (Martin is currently working on it.)

Martin, Sebastian, Miguel, or someone else, might tell you you don't need a 3rd party library, if you just follow some particular process that I don't know. Or they might suggest using one that I'm not aware of.

I'm on that list too, and I look forward to learning whatever you uncover. Good luck.
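A quick way to tell whether a server is showing the symptom described above (leaf sent without its intermediate, masked for clients that already cached the intermediate) is to look at what `openssl s_client -showcerts` reports under "Certificate chain". The script below is an added example, not code from the original post or from the Mono project: it parses that output and reports whether the certificates actually sent form a chain that ends at a self-signed cert or at the root you name. The host name, CA names and the two sample `s_client` transcripts are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Mono.
# chain_report reads `openssl s_client -showcerts` output on stdin and reports
# whether the server sent enough of the chain for a client that trusts only
# the root named in $1. It parses the " N s:<subject>" / "   i:<issuer>" lines
# that s_client prints under "Certificate chain".
#
# Live use (needs network; not run here):
#   openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null \
#       | chain_report "CN = Example Root CA"
#
# Exit status: 0 chain complete, 1 incomplete or internally inconsistent,
# 2 no certificates found in the input.
chain_report() {
    awk -v root="$1" '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificates found in input"; exit 2 }
            # Every cert the server sent must be issued by the next one it sent.
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k+1]) {
                    print "broken chain: cert " (k-1) " issued by \"" iss[k] "\" but cert " k " is \"" subj[k+1] "\""
                    exit 1
                }
            # The last cert sent must be self-signed or issued by the trusted root.
            if (iss[n] == subj[n]) { print "complete: " n " cert(s), ends at self-signed \"" subj[n] "\""; exit 0 }
            if (iss[n] == root)    { print "complete: " n " cert(s), last issuer is the trusted root"; exit 0 }
            print "incomplete: " n " cert(s) sent; clients must already hold \"" iss[n] "\" (a client that cached it from another site will still connect)"
            exit 1
        }'
}

# Constructed sample of what s_client prints for a server that sends only the
# leaf (the symptom described in the post). Names are made up.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = mono.example.test
   i:CN = Example Intermediate CA
---
Server certificate
subject=CN = mono.example.test
issuer=CN = Example Intermediate CA'

# Constructed sample of a correctly configured server: leaf plus intermediate.
SAMPLE_WITH_INTERMEDIATE='Certificate chain
 0 s:CN = mono.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
Server certificate
subject=CN = mono.example.test
issuer=CN = Example Intermediate CA'

# The root the clients are assumed to have in their trust store (made up).
EXPECTED_ROOT='CN = Example Root CA'

# Demo over both samples, guarded so a failing check does not abort under set -e.
for sample in "$SAMPLE_LEAF_ONLY" "$SAMPLE_WITH_INTERMEDIATE"; do
    if printf '%s\n' "$sample" | chain_report "$EXPECTED_ROOT"; then
        echo "  -> OK"
    else
        echo "  -> PROBLEM"
    fi
done
```

Run the live form from a machine that has never talked to the server before, or the check is only as good as the root name you pass in: a Windows client that already fetched or cached the intermediate elsewhere will validate the leaf-only chain and hide exactly the failure the post describes.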

