Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Mono HttpListener client certificate

I have created a server using HttpListener. It works perfect without SSL, but with SSL something strange happens.

I have installed the certificate using httpcfg and even with my own program, it installs correctly, the listener starts and serves HTTPS requests, but always asks for a client certificate.

It does not happens on Windows/.net, only with Linux/mono (I'm using ver 3.4.0) and is very annoying, I don't want the user to be asked each time he tries to log in for a client certificate.

Is this a mono bug or is there any way to disable the client certificate negotiation?

Thanks.

like image 602
Gusman Avatar asked Aug 06 '14 22:08

Gusman


People also ask

Where can I get a client certificate?

In Chrome, go to Settings. On the Settings page, below Default browser, click Show advanced settings. Under HTTPS/SSL, click Manage certificates. In the Certificates window, on the Personal tab, you should see your Client Certificate.

Does client need TLS certificate?

Typically, when a client computer accesses a web server using TLS, only the server is required to present a certificate for the client computer to verify. However, it is possible to configure a TLS protocol to check both the server AND client certificate in a process called mutual TLS.


Video Answer


1 Answers

I'm having the same problem. What I've discovered is that this is hardcoded in Mono. In mcs/class/System/System.Net/HttpConnection.cs, when the constructor of SslServerStream is called, you will notice that the requestClientCertificate is hardcoded to true.

I came across this PR that attempts to change this hardcoded value to false, however it's currently semi-rejected due to "I rather not change one hardcoded value for another hardcoded value."

[Update] And I just now realized you (OP) are the author of the PR :)

[Update 9/21/2016] It looks like this question is still getting hits. If it is helpful to anyone, we went with nginx as a reverse proxy a long time ago when we could not resolve this issue. I'm glad we did, and should have done it sooner. It is much faster than Mono for handling the SSL/TLS, and allows us to more carefully control the crypto suites and keep up to date with security patches.

I'm keeping an eye on Mono 4.6, which has yet to release. With their overhaul of TLS and the ability to plug in alternate implementations at runtime this might give us a path forward without using nginx reverse proxy.

like image 180
BrandonLWhite Avatar answered Sep 20 '22 11:09

BrandonLWhite