Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Mono HttpListener client certificate

Tags:

c#

ssl

mono

httplistener

I have created a server using HttpListener. It works perfect without SSL, but with SSL something strange happens.

I have installed the certificate using httpcfg and even with my own program, it installs correctly, the listener starts and serves HTTPS requests, but always asks for a client certificate.

It does not happens on Windows/.net, only with Linux/mono (I'm using ver 3.4.0) and is very annoying, I don't want the user to be asked each time he tries to log in for a client certificate.

Is this a mono bug or is there any way to disable the client certificate negotiation?

Thanks.

like image 602
Gusman Avatar asked Aug 06 '14 22:08

Gusman

People also ask

Where can I get a client certificate?

In Chrome, go to Settings. On the Settings page, below Default browser, click Show advanced settings. Under HTTPS/SSL, click Manage certificates. In the Certificates window, on the Personal tab, you should see your Client Certificate.

Does client need TLS certificate?

Typically, when a client computer accesses a web server using TLS, only the server is required to present a certificate for the client computer to verify. However, it is possible to configure a TLS protocol to check both the server AND client certificate in a process called mutual TLS.

Video Answer

1 Answers

I'm having the same problem. What I've discovered is that this is hardcoded in Mono. In mcs/class/System/System.Net/HttpConnection.cs, when the constructor of SslServerStream is called, you will notice that the requestClientCertificate is hardcoded to true.

I came across this PR that attempts to change this hardcoded value to false, however it's currently semi-rejected due to "I rather not change one hardcoded value for another hardcoded value."

[Update] And I just now realized you (OP) are the author of the PR :)

[Update 9/21/2016] It looks like this question is still getting hits. If it is helpful to anyone, we went with nginx as a reverse proxy a long time ago when we could not resolve this issue. I'm glad we did, and should have done it sooner. It is much faster than Mono for handling the SSL/TLS, and allows us to more carefully control the crypto suites and keep up to date with security patches.

I'm keeping an eye on Mono 4.6, which has yet to release. With their overhaul of TLS and the ability to plug in alternate implementations at runtime this might give us a path forward without using nginx reverse proxy.

like image 180
BrandonLWhite Avatar answered Sep 20 '22 11:09

BrandonLWhite
Sign in to Comment

Related questions

Correlating IComMethodEvents
Localization for security identity in .NET
Stackoverflow style URL (customising outgoing URL)
Get Stack Overflow questions with Stacky API
SqlConnection and avoiding promotion to MSDTC
Using OData in webapi for properties known only at runtime
How to get an IntPtr to a struct?
How to get session value using javascript
How to add rdlc file to ReportViewer in WPF projects
How to expose nullable types via COM
Start async operations, then await later
Task not garbage collected
Single quoted string to uint in c# [duplicate]
Exception - Stack trace line number and message do not match
Shellsort, 2.48^(k-1) vs Tokuda's sequence
Persistance ID's and Domain Model Entities
How do I detect multi-threaded use?
Per-Route authentication is causing RouteExecutionEarlyExitException
Fastest way to insert 1 million rows in SQL Server [duplicate]
Save and Load data "the MVVM" way?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!