Re: [Mono-dev] mkbundle and TLS root certificates/HTTPS requests

2017-05-16 Thread Miguel de Icaza via Mono-devel-list
Hello,

I do not think I would want to use the path, I think we might need to go beyond 
that, we would need a way of “installing” the root certificates from memory, 
into memory.

As there is no file on disk to point to.

On 5/16/17, 12:12 PM, "Martin Baulig"  wrote:

Hey guys,

Most of the code is already there, but we don’t officially support it yet.

You will have to use reflection because MonoTlsSettings.CertificateSearchPaths 
is internal:
https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs#L85

I do not wish to make this property public until the code is finished and 
we have tests for it.

The code which uses it is here:

https://github.com/mono/mono/blob/master/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L241

We could either hook into that on startup or finish the code and make it 
public.

Martin

On 5/16/17, 11:09 AM, "Miguel de Icaza"  wrote:

Hello,

Another thing we discussed was the possibility of bundling these with 
the executable.

This would work on platforms that use BoringTLS, not sure about Apple 
platforms using AppleTLS.

For this to work, I would need a way of registering these certificates 
at startup. Martin, is there some way I could do that?

On 5/4/17, 6:46 PM, "Mono-devel-list on behalf of Alexander Köplinger 
via Mono-devel-list"  wrote:

I talked to Miguel, mkbundle currently doesn't have any special 
handling for CA certificates so Mono would just look in the usual locations.
So that'd be ~/.config/.mono/certs/ and /usr/share/.mono/certs/.

- Alex

> On 26 Apr 2017, at 17:03, John Beshir  wrote:
> 
> Hey, I'm wondering what process mkbundle'd executables on Linux use to find
> or get CA certificates for validating server certificates, to enable
> outgoing TLS and HTTPS connections.
> 
> And, if these executables don't include bundled certificates automatically,
> what process should be followed in order to create a mkbundle'd executable
> that can make HTTPS connections successfully?
> 
> I have a problem with a Linux port of a piece of software not being able to
> establish connections which I believe is due to it lacking the ability to
> validate connections. It needs to be able to connect to arbitrary servers,
> so it does need a full set, rather than just a certificate pinning
> implementation for its own service, which is all I could find existing
> discussion for.
> 
> Unfortunately because I'm not sure what mechanisms already exist here I'm
> not sure where to start in solving it; some clues would be very helpful.
> Right now my best thought would be to look at cert-sync's source and
> duplicate its behaviour, but either answers about that being unnecessary,
> an existing understood workflow for mkbundle'd software to make HTTPS
> connections, or a pointer to the key logic in cert-sync to replicate would
> be very helpful.

___
Mono-devel-list mailing list
Mono-devel-list@lists.dot.net
http://lists.dot.net/mailman/listinfo/mono-devel-list


[Mono-dev] mkbundle and TLS root certificates/HTTPS requests

2017-04-26 Thread John Beshir
Hey, I'm wondering what process mkbundle'd executables on Linux use to find
or get CA certificates for validating server certificates, to enable
outgoing TLS and HTTPS connections.

And, if these executables don't include bundled certificates automatically,
what process should be followed in order to create a mkbundle'd executable
that can make HTTPS connections successfully?

I have a problem with a Linux port of a piece of software not being able to
establish connections which I believe is due to it lacking the ability to
validate connections. It needs to be able to connect to arbitrary servers,
so it does need a full set, rather than just a certificate pinning
implementation for its own service, which is all I could find existing
discussion for.

Unfortunately because I'm not sure what mechanisms already exist here I'm
not sure where to start in solving it; some clues would be very helpful.
Right now my best thought would be to look at cert-sync's source and
duplicate its behaviour, but either answers about that being unnecessary,
an existing understood workflow for mkbundle'd software to make HTTPS
connections, or a pointer to the key logic in cert-sync to replicate would
be very helpful.