Hello Loren,

> BACKGROUND: I've been using Mono for a couple of projects, one of which is
> called LAT (LDAP Administration Tool) [1].
>
> I've been trying to get LDAP over SSL to work. I found some sample code
> (Samples.SecureBind.cs) written by Sunil Kumar at Novell but I couldn't
> get it to work on my system.
>
> I figured out pretty quickly the problem was I needed to use the
> certificate manager tool (certmgr) to import the SSL certificate into my
> personal store. Once I did that I could make a secure LDAP connection.
>
> I dug into the certmgr source code to see how it imported certificates
> into the store and copied over some chunks into LAT (my code is GPL'd; so
> is the certmgr).

Not exactly ;-) For historical reasons (i.e. my previous employer) the security tools were created with a BSD license. But that's not a problem for your GPL application.

Just be aware that the certificate store may change format in the future. The safest way to avoid problems is to use the code from the Mono.Security.dll assembly (which is probably what you did by copying the certmgr code into your application). The next version (2.0) of the framework will have better interfaces to deal with certificate stores.

> The plan was: if you were making an SSL connection, LAT would check the
> store; if there was no certificate it would pop up a dialog and ask the user
> if they wanted to import it.

Note that importing the certificate means that _all_ Mono applications will start trusting it. This should be clear in your UI / documentation. If you don't mind I have a suggestion for this (near the end).

> If you click on 'Yes' the certificate does get imported into the user's
> personal store but the LDAP connection fails. If I exit and re-run the
> program it works.

The certificate store isn't (and won't be) monitored for changes. This is mostly for performance reasons (as adding certificates is a rare operation) and, anyway, there is a (IMHO) better alternative...

> Is there some way I can get the Novell.Directory.Ldap classes to use a
> freshly imported certificate without requiring a restart? Maybe there is a
> better way to do what I want??
>
> Anyone got any suggestions?

Note: This has been discussed in the past but I don't know if the feature made it into a release of the LDAP library.

The SSL client code allows what you want to do (e.g. accepting any certificate) so it is possible to accept it (if the user clicks yes) and add it to the store (like you're doing). Because this is accepted by your own code you don't need to restart your application.

The "tlstest" tool shows how to do this:
http://svn.myrealbox.com/source/trunk/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs

The problem is (or was ?) that the LDAP library doesn't expose the SslClientStream instance nor does it (or didn't) provide a similar functionality to accept a certificate. If this is still the case then you should contact the LDAP developers. They have a mailing list available on Novell Forge.

So now the suggestion... You should consider taking the Firefox approach:

* Yes (always) -> which imports the certificate
* Yes (this time only) -> only accept the certificate for this session
* No -> cancel the connection (that should be the default)

> [1; cheap plug] - http://people.mmgsecurity.com/~lorenb/lat/

Looks nice :)

Sebastien Pouliot
home: [EMAIL PROTECTED]
blog: http://pages.infinit.net/ctech/poupou.html
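As an added example (not code from LAT, certmgr or the Mono.Security test tools), the three-way dialog suggested above wired into Mono.Security's SslClientStream validation callback: "always" imports into the user's trusted root store as certmgr does, "this time only" remembers the certificate in memory for this process, and "no" fails the handshake. The PromptHandler hook and the host/port passed to Connect are assumptions standing in for a real UI and a real LDAPS server.

```csharp
using System.Collections;
using System.Net.Sockets;
using Mono.Security.Protocol.Tls;
using Mono.Security.X509;
using SysCert = System.Security.Cryptography.X509Certificates.X509Certificate;
using MonoCert = Mono.Security.X509.X509Certificate;

// The three answers of a Firefox-style certificate dialog.
public enum TrustDecision { No, ThisTimeOnly, Always }

// Hypothetical UI hook: a real client would show a dialog here.
public delegate TrustDecision PromptHandler(SysCert cert, int[] errors);

public class SessionTrust
{
    // Thumbprints accepted for this process only ("this time only").
    readonly ArrayList acceptedThisSession = new ArrayList();
    readonly PromptHandler prompt;
    public SessionTrust(PromptHandler prompt) { this.prompt = prompt; }

    // Installed on SslClientStream; Mono calls it during the handshake with
    // the result of the store-based check in 'errors' (empty == trusted).
    public bool Validate(SysCert cert, int[] errors)
    {
        if (errors.Length == 0) return true;            // trusted by the store
        string key = cert.GetCertHashString();
        if (acceptedThisSession.Contains(key)) return true;
        switch (prompt(cert, errors)) {
        case TrustDecision.Always:
            // What certmgr does: import into the user's trusted root store.
            // Every Mono application on this account will trust it from now on.
            X509StoreManager.CurrentUser.TrustedRoot.Import(
                new MonoCert(cert.GetRawCertData()));
            return true;
        case TrustDecision.ThisTimeOnly:
            // Kept in memory only; the on-disk store is untouched. No restart is
            // needed either way because this callback, not the store, decides.
            acceptedThisSession.Add(key);
            return true;
        default:
            return false;                               // "No": handshake fails
        }
    }

    // Open an LDAPS-style connection (host and port chosen by the caller);
    // the TLS handshake, and therefore the callback, runs on the first Read/Write.
    public SslClientStream Connect(string host, int port)
    {
        TcpClient tcp = new TcpClient(host, port);
        SslClientStream ssl = new SslClientStream(tcp.GetStream(), host, true);
        ssl.ServerCertValidationDelegate = new CertificateValidationCallback(Validate);
        return ssl;
    }
}
```

The LDAP library would have to expose its SslClientStream (or accept a callback like this one) for the same approach to work inside Novell.Directory.Ldap, which is the gap the reply points out.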
