Hi Sebastien and others,
There is still a small issue with webservice client certificates with mono
1.2.5: it seems not to support SSL re-negotiation.
For example, in my scenario, my Apache server doesn't require client
authentication, except for the "/webservice" location.
So I have something like this in my httpd.conf configuration file:

    SSLVerifyClient none
    <Location /webservice>
        SSLVerifyClient require
    </Location>

This kind of configuration causes an SSL security re-negotiation (see
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient), and my mono
client webservice test program crashes with the following stack trace:

Unhandled Exception: System.Net.WebException: Error getting response stream (ReadDone1): ReceiveFailure ---> System.IO.IOException: EndWrite failure ---> System.Net.Sockets.SocketException: The socket has been shut down
  at System.Net.Sockets.Socket+SocketAsyncResult.CheckIfThrowDelayedException () [0x00000]
  at System.Net.Sockets.Socket.EndSend (IAsyncResult asyncResult, System.Net.Sockets.SocketError& errorCode) [0x00000]
  at System.Net.Sockets.Socket.EndSend (IAsyncResult result) [0x00000]
  at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000]
  --- End of inner exception stack trace ---
  at System.Net.Sockets.NetworkStream.EndWrite (IAsyncResult ar) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.EndSendRecord (IAsyncResult asyncResult) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.SendRecord (ContentType contentType, System.Byte[] recordData) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.SendAlert (Mono.Security.Protocol.Tls.Alert alert) [0x00000]
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000]
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000]
  at System.Net.HttpWebRequest.GetResponse () [0x00000]
  at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse (System.Net.WebRequest request) [0x00000]

Samuel

> Date: Wed, 23 May 2007 08:09:30 -0400
> From: [EMAIL PROTECTED]
> Subject: RE: [Mono-list] HttpWebRequest and client certificates
> To: [EMAIL PROTECTED]
> CC: [email protected]
>
> On Wed, 2007-05-23 at 10:39 +0200, Samuel CARRIERE wrote:
> >
> > Bonjour Sebastien,
> >
> > I just tested the hack, with mono-1.2.4.20070521.tar.gz, and it works
> > like a charm :)
>
> Great news!
>
> Thanks for the confirmation,
> Sebastien
>
> > Thanks a lot!
> >
> > Samuel
> >
> > > Date: Wed, 9 May 2007 13:43:53 -0400
> > > From: [EMAIL PROTECTED]
> > > Subject: Re: [Mono-list] HttpWebRequest and client certificates
> > > To: [EMAIL PROTECTED]
> > > CC: [email protected]
> > >
> > > Bonjour Samuel,
> > >
> > > I did commit the hack into SVN and it does work with XSP(*). Let me know
> > > if this works, or not, in your web service scenario.
> > >
> > > (*) http://www.mono-project.com/UsingClientCertificatesWithXSP
> > > wiki page was updated to reflect this
> > >
> > > Sebastien
> > >
> > > On Mon, 2007-05-07 at 13:25 -0400, Sebastien Pouliot wrote:
> > > > Bonjour Samuel,
> > > >
> > > > On Wed, 2007-05-02 at 14:29 +0200, Samuel CARRIERE wrote:
> > > >
> > > > 5 days to get this email? I guess/hope you're not subscribed to the
> > > > list.
> > > >
> > > > > >On Mon, 2007-03-12 at 17:46 +0100, Michal Ziemski wrote:
> > > > > >> Hi!
> > > > > >>
> > > > > >> Does HttpWebRequest support client certificates in mono?
> > > > > >> The FAQ
> > > > > >> (http://www.mono-project.com/FAQ:_Security#Are_SSL_client_certificates_supported_.3F)
> > > > > >> states it doesn't in 1.1, but might in 2.0
> > > > > >>
> > > > > >> Does it work in 2.0?
> > > > > >
> > > > > >There has been progress, both for the new X509Certificate2 and X509Store
> > > > > >classes, but the HttpWebRequest code hasn't yet been updated. This part
> > > > > >is somewhat interlocked with the new SslStream class (2.0) and how we'll
> > > > > >provide it.
> > > > > >
> > > > > >However at this stage it may be possible to make a quick hack to add
> > > > > >client-side certificate support for *some* 2.0 apps (depending on how
> > > > > >the certificate is loaded).
> > > > > >
> > > > > >> Cheers!
> > > > > >> Michal Ziemski
> > > > >
> > > > > Hi everybody,
> > > > >
> > > > > I am working on a C# mono application that needs client certificates
> > > > > to call a webservice.
> > > > > Sebastien, can you explain a bit what sort of "quick hack" it may be
> > > > > possible to make, to make this following test code work?
> > > > >
> > > > > static void Main(string[] args)
> > > > > {
> > > > >     // Instantiate webservice client
> > > > >     WSAddition.Addition client = new testWsSSL.WSAddition.Addition();
> > > > >     X509Certificate2 Cert = new X509Certificate2("/my/clientCertificate.p12", "password");
> > > > >     client.ClientCertificates.Add(Cert);
> > > > >     // Call webservice method
> > > > >     int result = client.add(5,6);
> > > > >     Console.WriteLine("Result : " + result);
> > > > > }
> > > > >
> > > > > Does it require to hack the HttpWebRequest class?
> > > >
> > > > Yes, but it should be simple. The hack is to supply the private key
> > > > (available from X509Certificate2) to the SSL code.
> > > >
> > > > It would probably take me much longer to set up a client and server web
> > > > service to test it than to implement it. However if you open a bug
> > > > report (http://bugzilla.ximian.com) with a client, working with a public
> > > > SSL/client certificate web service, I should be able to add this fairly
> > > > quickly.
_______________________________________________
Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
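
To find which sections of an httpd.conf raise SSLVerifyClient above the server-level setting, which is the pattern in the message above that triggers the re-negotiation, a small audit script can be used. This is an added example, not part of the original thread and not Mono or Apache code; the sample configuration is constructed, the function name is hypothetical, and the parser assumes one directive per line and treats a stricter per-section level as the trigger.

```python
import re

# Constructed sample: the configuration quoted in the message, plus one
# section that does not raise the verification level.
SAMPLE_CONF = """\
SSLVerifyClient none
<Location /webservice>
    SSLVerifyClient require
</Location>
<Location /status>
    SSLVerifyClient none
</Location>
"""

# Strictness order of the SSLVerifyClient levels documented for mod_ssl.
LEVELS = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}
SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")

def renegotiation_triggers(conf_text):
    """Return (vhost, section, server_level, section_level) for each
    per-directory section stricter than its server-level setting."""
    server = {None: "none"}   # vhost -> level; "none" is the mod_ssl default
    sections, stack, vhost = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.fullmatch(line)
        if m:
            closing, name, arg = m.group(1), m.group(2), m.group(3).strip()
            if name.lower() == "virtualhost":
                vhost = None if closing else arg
            elif name.lower() in PER_DIR:
                if not closing:
                    stack.append(f"{name} {arg}")
                elif stack:
                    stack.pop()
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) == 2:
            if stack:
                sections.append((vhost, stack[-1], parts[1].lower()))
            else:
                server[vhost] = parts[1].lower()
    return [(vh, sec, server.get(vh, server[None]), lvl)
            for vh, sec, lvl in sections
            if LEVELS.get(lvl, 0) > LEVELS.get(server.get(vh, server[None]), 0)]
```

Each tuple returned names a location where a client that cannot re-negotiate would fail in the way the stack trace shows.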