Hello Samuel,

SSL/TLS renegotiation itself is supported - but I don't recall it being tested with client-side certificates.
Please file a bug report at bugzilla.novell.com, including a test case and your server configuration.

Thanks
Sebastien

On Tue, 2007-10-23 at 16:58 +0200, Samuel CARRIERE wrote:
> Hi Sebastien and others,
>
> There is still a small issue with webservice client certificates with
> mono 1.2.5 : it seems not to support SSL re-negotiation.
> For example, in my scenario, my Apache server doesn't require client
> authentication, except for the "/webservice" location.
> So I have something like this in my httpd.conf configuration file :
>
> SSLVerifyClient none
> <Location /webservice>
>     SSLVerifyClient require
> </Location>
>
> This kind of configuration causes an SSL security re-negotiation (see
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient),
> and my mono client webservice test program crashes with the following
> stack trace :
>
> Unhandled Exception: System.Net.WebException: Error getting response stream (ReadDone1): ReceiveFailure ---> System.IO.IOException: EndWrite failure ---> System.Net.Sockets.SocketException: The socket has been shut down
>   at System.Net.Sockets.Socket+SocketAsyncResult.CheckIfThrowDelayedException () [0x00000]
>   at System.Net.Sockets.Socket.EndSend (IAsyncResult asyncResult, System.Net.Sockets.SocketError& errorCode) [0x00000]
>   at System.Net.Sockets.Socket.EndSend (IAsyncResult result) [0x00000]
>   at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000] --- End of inner exception stack trace ---
>   at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.EndSendRecord (IAsyncResult asyncResult) [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (ContentType contentType, System.Byte[] recordData) [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.SendAlert (Mono.Security.Protocol.Tls.Alert alert) [0x00000]
>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] --- End of inner exception stack trace ---
>   at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000]
>   at System.Net.HttpWebRequest.GetResponse () [0x00000]
>   at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse (System.Net.WebRequest request) [0x00000]
>
> Samuel
>
> > Date: Wed, 23 May 2007 08:09:30 -0400
> > From: [EMAIL PROTECTED]
> > Subject: RE: [Mono-list] HttpWebRequest and client certificates
> > To: [EMAIL PROTECTED]
> > CC: [email protected]
> >
> > On Wed, 2007-05-23 at 10:39 +0200, Samuel CARRIERE wrote:
> > >
> > > Hello Sebastien,
> > >
> > > I just tested the hack, with mono-1.2.4.20070521.tar.gz, and it works
> > > like a charm :)
> >
> > Great news!
> >
> > Thanks for the confirmation,
> > Sebastien
> >
> > > Thanks a lot !
> > >
> > > Samuel
> > >
> > > > Date: Wed, 9 May 2007 13:43:53 -0400
> > > > From: [EMAIL PROTECTED]
> > > > Subject: Re: [Mono-list] HttpWebRequest and client certificates
> > > > To: [EMAIL PROTECTED]
> > > > CC: [email protected]
> > > >
> > > > Hello Samuel,
> > > >
> > > > I did commit the hack into SVN and it does work with XSP(*). Let me know
> > > > if this works, or not, in your web service scenario.
> > > >
> > > > (*) http://www.mono-project.com/UsingClientCertificatesWithXSP
> > > > wiki page was updated to reflect this
> > > >
> > > > Sebastien
> > > >
> > > > On Mon, 2007-05-07 at 13:25 -0400, Sebastien Pouliot wrote:
> > > > > Hello Samuel,
> > > > >
> > > > > On Wed, 2007-05-02 at 14:29 +0200, Samuel CARRIERE wrote:
> > > > >
> > > > > 5 days to get this email ? I guess/hope you're not subscribed to the
> > > > > list.
> > > > >
> > > > > > >On Mon, 2007-03-12 at 17:46 +0100, Michal Ziemski wrote:
> > > > > > >> Hi!
> > > > > > >>
> > > > > > >> Does HttpWebRequest support client certificates in mono?
> > > > > > >> The FAQ
> > > > > > >> (http://www.mono-project.com/FAQ:_Security#Are_SSL_client_certificates_supported_.3F)
> > > > > > >> states it doesn't in 1.1, but might in 2.0
> > > > > > >>
> > > > > > >> Does it work in 2.0?
> > > > > > >
> > > > > > >There has been progress, both for the new X509Certificate2 and X509Store
> > > > > > >classes, but the HttpWebRequest code hasn't yet been updated. This part
> > > > > > >is somewhat interlocked with the new SslStream class (2.0) and how we'll
> > > > > > >provide it.
> > > > > > >
> > > > > > >However at this stage it may be possible to make a quick hack to add
> > > > > > >client-side certificate support for *some* 2.0 apps (depending on how
> > > > > > >the certificate is loaded).
> > > > > > >
> > > > > > >>
> > > > > > >> Cheers!
> > > > > > >> Michal Ziemski
> > > > > > >>
> > > > > >
> > > > > > Hi everybody,
> > > > > >
> > > > > > I am working on a C# mono application that needs client certificates
> > > > > > to call a webservice.
> > > > > > Sebastien, can you explain a bit what sort of "quick hack" it may be
> > > > > > possible to make, to make this following test code work ?
> > > > > >
> > > > > > static void Main(string[] args)
> > > > > > {
> > > > > >     // Instantiate webservice client
> > > > > >     WSAddition.Addition client = new testWsSSL.WSAddition.Addition();
> > > > > >     X509Certificate2 Cert = new X509Certificate2("/my/clientCertificate.p12", "password");
> > > > > >     client.ClientCertificates.Add(Cert);
> > > > > >     // Call webservice method
> > > > > >     int result = client.add(5,6);
> > > > > >     Console.WriteLine("Result : " + result);
> > > > > > }
> > > > > >
> > > > > > Does it require to hack the HttpWebRequest class ?
> > > > >
> > > > > Yes, but it should be simple. The hack is to supply the private key
> > > > > (available from X509Certificate2) to the SSL code.
> > > > >
> > > > > It would probably take me much longer to set up a client and server web
> > > > > service to test it than to implement it. However if you open a bug
> > > > > report (http://bugzilla.ximian.com) with a client, working with a public
> > > > > SSL/client certificate web service, I should be able to add this fairly
> > > > > quickly.

_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
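
Added example, not part of the original thread and not Samuel's actual server configuration: the httpd.conf fragment quoted above beside a mod_ssl variant that asks for the client certificate during the initial handshake and enforces it per location, so no renegotiation is triggered for "/webservice". The CA file path is a placeholder, and the directives are those documented for mod_ssl 2.0/2.2.

```apache
# --- As quoted in the thread -------------------------------------------
# SSLVerifyClient in per-directory context changes the verification level
# after the HTTP request has been read, so mod_ssl renegotiates the session
# to obtain the client certificate.
#
#   SSLVerifyClient none
#   <Location /webservice>
#       SSLVerifyClient require
#   </Location>

# --- Variant without per-location renegotiation ------------------------
# Per-server context: the certificate is requested once, in the standard
# handshake when the connection is established. "optional" lets clients
# without a certificate still reach the rest of the site.
SSLVerifyClient optional
SSLVerifyDepth  1
# Placeholder path: CA that issued the web service client certificates.
SSLCACertificateFile /path/to/client-ca.pem

<Location /webservice>
    # No SSLVerifyClient, SSLVerifyDepth or SSLCipherSuite here: changing
    # any of them per directory is what forces a renegotiation.
    SSLRequireSSL
    # Make a failed SSLRequire/SSLRequireSSL final even under "Satisfy any".
    SSLOptions +StrictRequire
    # Access control only: allow the request if the certificate presented
    # in the initial handshake verified against the CA above.
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    # Apache 2.4 deprecates SSLRequire in favour of "Require expr".
</Location>
```

The trade-off is that every client connecting to this virtual host is asked for a certificate, not only those calling "/webservice". Clients that present none get the rest of the site and a 403 for the protected location.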
