[Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]

2005-09-28 Thread Yngve Zackrisson

--- Begin Message ---
On Wed, 2005-09-28 at 14:12, Sebastien Pouliot wrote:
> Hello Yngve,
> 
> On Wed, 2005-28-09 at 11:42 +0200, Yngve Zackrisson wrote:
> > Hello Sebastien,
> > 
> > Things seem to go better for me, 
> 
> great :)
> 
> > but I still have problems 
> > with my server side (Mono) authentication and decryption.
> > I now use a PKCS#12 file on my server side.
> > See below for more info.
> 
> ...
> 
> > > > For the authentication probably a custom channel has to be used.
> > > 
> > > I don't see why this would be required (for client-side certificates) as
> > > the authentication is part of the protocol itself.
> > > 
> > 
> > OK. Maybe I do not need this.
> > I just read some articles/samples at msdn about 
> > .NET Remoting Authentication 
> > and those articles suggested a custom channel.
> > (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/remsspi.asp
> >  and 
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/remsec.asp
> > and
> > http://msdn.microsoft.com/msdnmag/issues/03/06/NETRemoting/default.aspx
> > ). 
> > The examples were about other forms of authentication (Kerberos etc) 
> > and encryption, so these references may not apply?
> 
> I don't think you'll need that unless you have some additional (more
> than the client certificate) authentication data.
> 
> ...
> 
> > We intend to sign both our server and client certificates 
> > with our own root CA.
> > There are already unix scripts for this using openssl, 
> > hence the preference for openssl.
> 
> Ok, so you'll have a single root CA signing both your server and client
> certificate. This root certificate will have to be in the Mono's Trusted
> store on the server.
> 
> ...
> 
> > > > Binary formatting shall be used.
> > > 
> > > Was there a specific reason for using https and binary formatting? If
> > > I understand correctly you'll be supplying your own server software ? so
> > > you _could_ use SSL without using HTTP(S).
> > 
> > Firewalls.
> 
> Ok, so it's a port issue (not a protocol issue).
> 
> > > > The server is in house and should be a Linux one.
> > > > We use latest version on Mono (1.1.9).
> > > 
> > > Is the server software using Mono.Security.dll? 
> > > or is it using (vanilla or custom) XSP ?
> > 
> > Currently Mono.Security.dll.
> > 
> > The intention is to run the services as "Windows services" in Mono,
> > if that works.
> 
> Remember that if the Mono service runs under another identity then the
> trusted root certificate must either be (a) in that user Trust store or
> (b) in the machine Trust store.
> 
> > I have not got into this yet, so we might have to shift.
> > Currently I host the remote objects in a console application.
> > 
> > > 
> > > > The clients are Win32 clients using MS .NET 
> > > > (v1.0 or v1.1 with SP enough to handle the certificates).
> > > > 
> > > > The clients are not connected all the time, but only during 
> > > > initialization and zip file transfer.
> > > > 
> > > > The installation on the client side should be as simple as possible 
> > > > for the clients. 
> > > > Hence, preferably PKCS#12 client certificates should be used, 
> > > > and they should preferably be stored only in one file or in one store 
> > > > (Windows store).
> > > 
> > > You'll either have to :
> > > 
> > > (a) write your own glue (p/invokes) if you want Mono.Security.dll to
> > > co-exist with Windows certificate stores;
> > > 
> > > (b) completely skip Mono.Security.dll on the client side. I.e. once
> > > installed "correctly" the MS runtime should be able to "find" the
> > > private key matching the certificate you use in HttpWebRequest.
> > 
> > OK. I have gone for (b).
> > 
> > First I set the ServicePointManager.CertificatePolicy 
> > to a custom class to detect any certificate errors.
> > 
> > Then I use a DLL from Mentalis (Org.Mentalis.Security.dll) 
> > to extract the client certificates from the Windows store, 
> > and then select on the IssuerName.
> > Once that is done, I use the Mentalis Certificate.ToX509() method 
> > to convert to X509Certificate(s).
> > (See: http://www.mentalis.org/ and 
> > http://www.mentalis.org/soft/projects/certificates/ ).
> > 
> > Last I create the HttpWebRequest, 
> > add the X509Certificate(s) to the request's ClientCertificates, 
> > and set the WebResponse to the HttpWebRequest.GetResponse().
> > It seems to work (on the client side). 
> > No more "Untrusted root", since the certificates 
> > are in the Windows store now.
> 
> That's ok.
> 
> > Other options for extracting the certificate(s) 
> > from the Windows store seem to be: 
> > 
> > Using CryptoAPI calls:
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;895971
> > 
> > Using a CAPICOM wrapper: 
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/netcryptoapi.asp
> > 
> > Using WS-Security with the Web Service Development Kit:
> > http://www.codeproject.com/csharp/cryptography.asp
> 
> Yes, they are th

Re: [Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]

2005-09-28 Thread Sebastien Pouliot
Hello Yngve,

On Wed, 2005-28-09 at 14:54 +0200, Yngve Zackrisson wrote:
...
> > > > Should I add a PKCS#12 cert file to the Mono Store (Machine store) 
> > > > (mono /.../certmgr.exe -add -c -m Trust server16-cert.p12) 
> > > > or add only the CA to the trust store
> > > > (mono /.../certmgr.exe -add -c -m Trust cacert16t.cer)
> > > > or anything else to get rid of this error message?
> > > 
> > > It must be either the user or machine Trusted store (otherwise you'll
> > > get a trust error).
> > 
> > OK. But which certificate is preferable to add to the store? 
> > 
> > a) mono /.../certmgr.exe -add -c -m Trust server16-cert.p12
> > 
> > or 
> > 
> > b) mono /.../certmgr.exe -add -c -m Trust cacert16t.cer

Trust is transitive, i.e. the server will be trusted if its signer is
trusted. So only the self-signed root certificate needs to be added to
the Trust store.

> > I also have a question about the trust of the root CA certificate.
> > The cacert16t.cer above I have created with the following 
> > openssl commands:
> > 
> > ...
> > $ openssl x509 -in cacert16.pem -trustout -setalias "TrustedRootCert"
> > -out cacert16t.pem
> > 
> > $ openssl x509 -inform PEM -in cacert16t.pem -outform DER -out
> > cacert16t.cer
> > 
> > Is the first openssl command necessary, since the signed client 
> > and server certificates, or at least their root CA, 
> > should be added to the Windows/Mono (Trust) store?
> > 
> > 
> > 
> > Currently I use the cacert16t.pem file as -certfile 
> > when creating the client and server PKCS#12 files - 
> > with the openssl pkcs12 command.
> > Will the cacert16.pem file be enough?

I honestly don't know (without reading the man page myself). I don't use
openssl much (for x.509 related stuff) because (a) its formats aren't
the ones natively used in .NET and (b) I try to dogfood my own tools ;-)

...

> > > Yesterday (after your previous email) I tried to use the MS runtime for
> > > client certificate without success (same failure). Somehow MS does
> > > something different* because the server can't verify the signature (and
> > > it's not a key and/or decryption problem - the hash value is different
> > > but the padding is ok).
> > > 
> > > Using IE (with the SSL2 client hello) to do the same turned out another
> > > problem, very similar to the bug #76254 reported today.
> > > 
> > > [*] The client certificate testing is done with wget/openssl
> > > (linux/cygwin) - which sadly doesn't seem enough :(
> > 
> > Please let me know if you come up with some solution.
> > 
> > I have been working with the HTTPS communication for some 2 months now, 
> > and my boss is eager to get a solution :-).

Please open a bugzilla issue on bugzilla.ximian.com (e.g. "SSL client
certificate doesn't work with IE."). That way you'll get notified as
soon as (and whenever) I change the bug status.
-- 
Sebastien Pouliot
email: [EMAIL PROTECTED]
blog: http://pages.infinit.net/ctech/

___
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list
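The openssl side of the questions above, worked through end to end as an added example (this is not code from the thread, from Mono, or from Sebastien's tools): it builds a throwaway self-signed root CA, signs a server certificate with it, writes the DER copy of the root that a Trust store import takes, bundles key, leaf certificate and CA into a PKCS#12 file with -certfile, and then checks the "trust is transitive" point by verifying the leaf against the root alone, and the opposite case where no root is trusted. File names, subject names and the password "demo" are constructed for the example. The -trustout/-setalias step from the thread is left out here: it only adds OpenSSL-specific trust attributes to the PEM, and the PEM-to-DER conversion writes the bare certificate either way.

```shell
#!/bin/sh
# Added example, not code from the thread: private root CA -> signed server
# cert -> DER root for the Trust store -> PKCS#12 bundle -> chain checks.
# All file names, subjects and the "demo" password are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Build the root CA and the server certificate in $WORK (runs in a subshell
# so the cd does not leak into the caller).
make_chain() (
  cd "$WORK"
  # 1. Self-signed root CA (the role cacert16.pem plays in the thread).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Root CA" -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
  # 2. Server key and CSR, then sign the CSR with the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server16" \
    -keyout server-key.pem -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -days 365 -out server-cert.pem 2>/dev/null
  # 3. DER copy of the root: the one file a Trust store needs, since
  #    anything signed by it is then trusted transitively.
  openssl x509 -inform PEM -in ca-cert.pem -outform DER -out ca-cert.cer
  # 4. PKCS#12 for the server: private key, leaf cert, and the CA via -certfile.
  openssl pkcs12 -export -inkey server-key.pem -in server-cert.pem \
    -certfile ca-cert.pem -passout pass:demo -out server16-cert.p12
)

# 0 when the leaf validates with only the root as trust anchor.
leaf_chains_to_root() {
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# 0 when validation against an empty trust store fails, i.e. the situation
# behind a chaining error when the root was never imported.
leaf_fails_without_root() {
  if openssl verify -no-CAfile -no-CApath "$WORK/server-cert.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# 0 when the .cer file is well-formed DER (what the store import expects).
root_is_der() {
  openssl asn1parse -inform DER -in "$WORK/ca-cert.cer" >/dev/null 2>&1
}

# Number of certificates inside the PKCS#12 (leaf + CA from -certfile = 2).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/server16-cert.p12" -passin pass:demo -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if have_openssl; then
  make_chain
  leaf_chains_to_root && echo "server cert chains to root: OK"
  leaf_fails_without_root && echo "without the root trusted: rejected, as expected"
  root_is_der && echo "ca-cert.cer is DER: OK"
  echo "certificates in PKCS#12: $(p12_cert_count)"
else
  echo "openssl not found; nothing to run" >&2
fi
```

The two verify calls are the point: the same server certificate passes when only the root is in the trust set and fails when nothing is, which is why importing the root .cer alone (option b) is enough and importing the server's own .p12 into Trust is not what fixes a chaining error.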


Re: [Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]

2005-09-28 Thread Yngve Zackrisson
On Wed, 2005-09-28 at 15:20, Sebastien Pouliot wrote:
> Hello Yngve,
> 
> On Wed, 2005-28-09 at 14:54 +0200, Yngve Zackrisson wrote:
> ...
> > > > > Should I add a PKCS#12 cert file to the Mono Store (Machine store) 
> > > > > (mono /.../certmgr.exe -add -c -m Trust server16-cert.p12) 
> > > > > or add only the CA to the trust store
> > > > > (mono /.../certmgr.exe -add -c -m Trust cacert16t.cer)
> > > > > or anything else to get rid of this error message?
> > > > 
> > > > It must be either the user or machine Trusted store (otherwise you'll
> > > > get a trust error).
> > > 
> > > OK. But which certificate is preferable to add to the store? 
> > > 
> > > a) mono /.../certmgr.exe -add -c -m Trust server16-cert.p12
> > > 
> > > or 
> > > 
> > > b) mono /.../certmgr.exe -add -c -m Trust cacert16t.cer
> 
> Trust is transitive, i.e. the server will be trusted if its signer is
> trusted. So only the self-signed root certificate needs to be added to
> the Trust store.

I interpret this as b) above is enough.

What I was wondering with this question was whether a) would solve 
the error #-2146762486 (CERT_E_CHAINING problem) on the server.



> 
> > > I also have a question about the trust of the root CA certificate.
> > > The cacert16t.cer above I have created with the following 
> > > openssl commands:
> > > 
> > > ...
> > > $ openssl x509 -in cacert16.pem -trustout -setalias "TrustedRootCert"
> > > -out cacert16t.pem
> > > 
> > > $ openssl x509 -inform PEM -in cacert16t.pem -outform DER -out
> > > cacert16t.cer
> > > 
> > > Is the first openssl command necessary, since the signed client 
> > > and server certificates, or at least their root CA, 
> > > should be added to the Windows/Mono (Trust) store?
> > > 
> > > 
> > > 
> > > Currently I use the cacert16t.pem file as -certfile 
> > > when creating the client and server PKCS#12 files - 
> > > with the openssl pkcs12 command.
> > > Will the cacert16.pem file be enough?
> 
> I honestly don't know (without reading the man page myself). I don't use
> openssl much (for x.509 related stuff) because (a) its formats aren't
> the ones natively used in .NET and (b) I try to dogfood my own tools ;-)
> 
> ...
> 
> > > > Yesterday (after your previous email) I tried to use the MS runtime for
> > > > client certificate without success (same failure). Somehow MS does
> > > > something different* because the server can't verify the signature (and
> > > > it's not a key and/or decryption problem - the hash value is different
> > > > but the padding is ok).
> > > > 
> > > > Using IE (with the SSL2 client hello) to do the same turned out another
> > > > problem, very similar to the bug #76254 reported today.
> > > > 
> > > > [*] The client certificate testing is done with wget/openssl
> > > > (linux/cygwin) - which sadly doesn't seem enough :(
> > > 
> > > Please let me know if you come up with some solution.
> > > 
> > > I have been working with the HTTPS communication for some 2 months now, 
> > > and my boss is eager to get a solution :-).
> 
> Please open a bugzilla issue on bugzilla.ximian.com (e.g. "SSL client
> certificate doesn't work with IE."). That way you'll get notified as
> soon as (and whenever) I change the bug status.

I interpret this as I shall create a new bug in bugzilla for this 
with a short summary of "SSL client certificate doesn't work with IE.".
I will do that after installing the CA root cert (cacert16t.cer) 
into Mono's machine Trust store and running a new test case 
for the bug report.

Regards

Yngve Zackrisson.




[Fwd: Re: [Fwd: Re: [Mono-dev] HTTPS - MS .NET Client - Linux Mono Server - Interoperability]]

2005-09-28 Thread Yngve Zackrisson
The bug number in bugzilla for this is 76258.

// Yngve Zackrisson.


