Hi Sebastien,

I ran mozroots as myself but with the -m switch to install into the machine store. Of course I did run it with "sudo" so it's technically owned by root:root. I don't believe it's a permissions problem because a) this worked fine somewhere along the 2.4.x line, b) others seem to be experiencing this as a recent regression as evidenced by this http://bit.ly/bjxgHT, and c) I'm *pretty* sure the apache user has the necessary rights to read the certs - ugo all have the "r" flag set through the entire directory structure to the certs (/usr/share/.mono/certs/*), unfortunately I couldn't verify for sure because when I switch user from root to apache I get "This account is currently not available.".

-Abe

On Mon, Jul 12, 2010 at 1:43 PM, Sebastien Pouliot <[email protected]> wrote:
> On Sat, 2010-07-10 at 13:44 -0400, Abe Gillespie wrote:
>> sberryman, Jan,
>>
>> Thanks for the help, guys. I did try this as I've used this
>> work-around before and I *thought* it wasn't working as well. But I
>> just had another try and it worked fine.
>>
>> Now, is there a safe way to implement this work-around?
>
> Not really - otherwise there would be no gain (just pain) in verifying
> the certificate chain ;-)
>
>> I'm not much
>> of a security wonk, so what can I check in the cert to accept only
>> Google's? I see properties like Issuer, Thumbprint, and
>> GetRawCertData.
>
>> Can I use any of these to verify, or at least do
>> slightly more than "return true" for all certs?
>
> You can check the thumbprint (it's a hash) but that will stop working
> when Google updates its certificate or if it uses more than one
> certificate (e.g. on different servers).
>
> Now (from the bug report) it looks like you have permission issues when
> executing code from apache (likely it can't read the certificates). See
> my comment there...
>
>> Thanks.
>> -Abe
>>
>> On Fri, Jul 9, 2010 at 10:06 PM, sberryman <[email protected]> wrote:
>> >
>> > You could always use the ServicePointManager to accept all SSL certs.
>> > Security risk but I've used it in the past when I've had problems with Mono
>> > and SSL certs.
>> >
>> > Simply add the following delegate before you send the email.
>> >
>> > ServicePointManager.ServerCertificateValidationCallback = delegate(
>> >     object sender,
>> >     System.Security.Cryptography.X509Certificates.X509Certificate certificate,
>> >     System.Security.Cryptography.X509Certificates.X509Chain chain,
>> >     System.Net.Security.SslPolicyErrors sslPolicyErrors)
>> > {
>> >     return true;
>> > };
>> >
>> > --
>> > View this message in context:
>> > http://mono.1490590.n4.nabble.com/Preview-2-6-6-tp2279971p2284277.html
>> > Sent from the Mono - General mailing list archive at Nabble.com.
>> > _______________________________________________
>> > Mono-list maillist - [email protected]
>> > http://lists.ximian.com/mailman/listinfo/mono-list
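
Added example, not part of the thread and not Mono's own code: one way to do slightly more than "return true", following the thumbprint suggestion quoted above. It accepts a certificate that fails chain validation only when its thumbprint is pinned, and never overrides a host name mismatch; the class name and the placeholder thumbprints are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertValidation
{
    // Constructed placeholders, not real values: replace with the SHA-1
    // thumbprints (hex, no separators) of the certificates you expect.
    // More than one entry covers certificate rotation and several servers.
    static readonly HashSet<string> PinnedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "<THUMBPRINT-OF-CURRENT-CERT>",
            "<THUMBPRINT-OF-NEXT-CERT>",
        };

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: the chain verified against the trust store
        // and the certificate name matches the host.
        if (errors == SslPolicyErrors.None)
            return true;

        // Never override a missing certificate or a host name mismatch;
        // the pin below is only a fallback for chain-building failures.
        if (certificate == null ||
            (errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // Only the chain failed: accept solely if this exact certificate
        // is pinned. GetCertHashString() returns the hash as hex.
        return PinnedThumbprints.Contains(certificate.GetCertHashString());
    }

    static void Main()
    {
        // The callback is process-wide, so install it once at startup,
        // before the first SSL/TLS connection is opened.
        ServicePointManager.ServerCertificateValidationCallback = Validate;

        // A chain error with no pinned certificate is rejected.
        Console.WriteLine(Validate(null, null, null,
            SslPolicyErrors.RemoteCertificateChainErrors)); // False
    }
}
```

The pin list has to be updated whenever the server's certificate changes, which is the limitation noted in the quoted reply; once the trust store is readable by the apache user again, the first branch handles validation and the pin list can be removed.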
