HttpListener SSL client certificate


HttpListener SSL client certificate

Agustin Gimenez
I have created a server using HttpListener. It works perfectly without SSL, but
with SSL something strange happens.

I have installed the certificate using httpcfg and even with my own program,
it installs correctly, the listener starts and serves HTTPS requests, but
always asks for a client certificate.

It does not happen on Windows/.net, only with Linux/mono (I'm using ver
3.4.0), and it is very annoying; I don't want the user to be asked for a client
certificate each time he tries to log in.

Is this a mono bug or is there any way to disable the client certificate
negotiation?

Thanks.




--
View this message in context: http://mono.1490590.n4.nabble.com/HttpListener-SSL-client-certificate-tp4663483.html
Sent from the Mono - General mailing list archive at Nabble.com.
_______________________________________________
Mono-list maillist  -  [hidden email]
http://lists.ximian.com/mailman/listinfo/mono-list

Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> I have installed the certificate using httpcfg and even with my own program,
> it installs correctly, the listener starts and serves HTTPS requests, but
> always asks for a client certificate.
>
> It does not happen on Windows/.net, only with Linux/mono (I'm using ver
> 3.4.0), and it is very annoying; I don't want the user to be asked for a client
> certificate each time he tries to log in.

This might be unrelated - or might not - And this might be an additional problem that you haven't discovered yet but will soon - So please be sure to write back here, whatever you discover.

SslStream has a bug as follows:  A mono SslStream server fails to construct a cert chain to send to the client.  MS .Net clients will perform heroics and generally succeed at constructing the cert chain locally anyway, but mono SslStream clients don't.  As a result, you can have a Mono SslStream server fail to connect with a Mono SslStream client.  But as long as either the client or server is MS, then the connection works.

This has a bug in bugzilla, and a patch written, and a pull request waiting for review (for the last 2-3 months).  

Forked repo that has 3.4.0 including patch:
https://github.com/rahvee/mono 

Pull request:
https://github.com/mono/mono/pull/1004

Prebuild packages built from the above forked repo:
https://downloads.conceptblossom.com/mono/ 


Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
In reply to this post by Agustin Gimenez
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> Is this a mono bug or is there any way to disable the client certificate
> negotiation?

If no obvious super easy solution crops up, please post a really simple example code that reproduces the problem.  Configuring the development environment to step through this code proved surprisingly difficult, but now that I have it, I wouldn't mind taking a look to see if it looks like a bug or something.

Re: HttpListener SSL client certificate

Agustin Gimenez
In reply to this post by Edward Ned Harvey (mono)
No, it's not related (but it is good to know). I found what happens and had to
modify the mono source for HttpConnection.

Some time ago someone had the brilliant idea to enable client certificate
support, /*and hardcoded it*/

https://groups.google.com/forum/#!topic/mono-svn-patches/FHBT66s39pg

I can understand that someone can want to use client certificates, but not
everybody will (99.99999999% of the time it will not be used (did I miss some
nines?)), so if this is added it must have a configuration property or
something like that.

Just in case someone is in my same situation: if you are compiling mono from
source as I am, go to /mcs/class/System/System.Net/HttpConnection.cs and
change:

    SslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, true, false);

for

    SslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, false);

Recompile and voila, you can now use SSL without annoying your users by asking
for a user certificate on each connection.

Cheers.




Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
In reply to this post by Agustin Gimenez
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> Is this a mono bug or is there any way to disable the client certificate
> negotiation?

It's also a good idea to check the class compatibility pages
http://mono-project.com/Compatibility
particularly
http://go-mono.com/status/

I don't see anything for HttpConnection, but there are several issues identified for HttpListener.

Re: HttpListener SSL client certificate

Agustin Gimenez
Edward Ned Harvey (mono) wrote
>> Is this a mono bug or is there any way to disable the client certificate
>> negotiation?
>
> It's also a good idea to check the class compatibility pages
> http://mono-project.com/Compatibility
> particularly
> http://go-mono.com/status/
>
> I don't see anything for HttpConnection, but there are several issues
> identified for HttpListener.

Where did you see those issues?

I went to
http://go-mono.com/status/status.aspx?reference=4.5&profile=4.5&assembly=System.Net
and found nothing.




Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> I went to
> http://go-mono.com/status/status.aspx?reference=4.5&profile=4.5&assembly=System.Net
> and found nothing.

That's one thing .NET isn't awesome about - the namespace doesn't necessarily match the assembly, and the namespace can be broken across more than one assembly.

HttpListener is in the System assembly, under the System.Net namespace.   Pffft.   So first go to System (instead of System.Net) and then you'll find another System.Net inside it.   ;-)

Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
In reply to this post by Agustin Gimenez
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> Just in case someone is in my same situation, if you are compiling mono from
> source as me go to /mcs/class/System/System.Net/HttpConnection.cs and
> change:
>
>     SslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, true, false);
>
> for
>
>     SslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, false);

I see the source code for that class -
https://github.com/mono/mono/blob/a6dccdaf6dd5f985cc5d53b7764a47bc00b8ec43/mcs/class/System/System.Net/HttpConnection.cs

It is in System / System.Net ...  But I tried to compare it against .NET, and I don't see that class anywhere in .NET.  Do you have a link to that class description in MSDN?  And if it's not a .NET class, if it's something mono specific, maybe you should be doing something different such that you don't care anymore?

Whenever I find something such as this, which is a clear difference between .NET and Mono, sometimes it's a legitimate bug or missing feature, but most of the time it's just a matter of "You're doing something different from what they expected you to do."  Most of the time, you can make some minor change to your code, or how you're doing something, and get back to a state where everything simply works on both platforms.  

So the question is - What is it that you're *actually* trying to do, at a higher level?  (Assuming you didn't actually write code that directly uses HttpConnection)

Re: HttpListener SSL client certificate

Agustin Gimenez
Thanks for pointing where it is, I will take a look.

And the HttpConnection class is specific to mono; .net on Windows uses
http.sys as the underlying mechanism, so it does not handle connections at
all. Mono emulates this using that class (and a lot more :D).

I thought I was doing something wrong, but after looking at the code it's
clear it is a bug. As I said, it has been hardcoded to ask for a client
certificate: of the "false, true, false" parameters at the end of the SslServerStream
constructor, the true one is requestClientCertificate, so the only
option for now is to modify the source code as I did (I think?)




Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> I thought I was doing something wrong, but after watching the code it's
> clear it is a bug, as I said it has been hardcoded to ask for a client
> certificate, the "false, true, false" parameters at the end SslServerStream

I have a different interpretation - The fact that it's hard-coded like that suggests to me, two things:  (a) nobody else is doing what you're doing, so maybe you should consider changing, just because this code is obviously not widely adopted or maintained for security bugs or other bugs, and (b) You're probably not expected to actually use what you're using.  Surely you're not the first person to serve https via mono; most likely there's something else you're expected to use instead, which would be more robust, more reliable, and/or more secure.

I've described SslStream in a previous email in this thread, because we're using it in production - This is something I would naturally expect to be well supported, well maintained, as it is a standard part of both .NET and Mono - but due to bugs we've stepped on and either worked around, or personally patched and lack of response to pull request, and general lack of support as previously described (and we're paying Xamarin customers), we will be abandoning SslStream when we can.  I have to generalize that the mono security code, and in particular the ssl/tls code is not well maintained, probably crashy and possibly even vulnerable.  (I'm going to have to say, probably vulnerable.)

By the sounds of it, the class you're using is even less maintained, and even less likely to get future maintenance than what we've encountered with SslStream.  If you're using it heavily, as we are with SslStream, you might have to do something like we're doing - use it for now, and plan to transition later.  Or maybe you just make it work for now and continue using it indefinitely.

Either way, best of luck to you.   :-)

Re: HttpListener SSL client certificate

Agustin Gimenez
Well, what you say makes a lot of sense.

I will add the patches you mentioned in the previous post to my mono branch and
will give it a try; if I find it's really unstable or troublesome then I will
use one of my backup plans: add an nginx router which will do the SSL
decryption, or also using nginx, connect through FastCGI.

I already have FastCGI support in my server (using FastCGI.net) but I prefer
to eliminate the front-end server; I like a lot the idea of having just an
executable dropped on the server and everything is set up and running on
Linux or Windows.

I hope with the Xamarin boom the mono project gets more alive, as Novell left
it semi-abandoned when it was sold; the last 3.7 mono version is really a giant
leap and Miguel and his team seem to be working really hard (I am also a
Xamarin customer, got MT and MD).

I'm curious, what do you plan to do to stop using the SslSocket?




Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> I will add the patches you mentioned in the previous post to my mono branch and
> will give it a try; if I find it's really unstable or troublesome then I will
> use one of my backup plans: add an nginx router which will do the SSL
> decryption, or also using nginx, connect through FastCGI.

Oh yeah.  I would expect, if you want to run C# on a web server, it's almost certainly best for you to do some of the ASP stuff, fastcgi, or similar.  In other words, let a real web server be the web server, because they're focused on making web servers stable, secure, and supportable.


> I hope with the Xamarin boom the mono project get more alive as novell left
> it semi abandoned when was sold, the las 3.7 mono version is really a giant
> leap and Miguel and it's team seem to be working really hard (I am also a
> Xamarin customer, got MT and MD).

Maybe.  But I'm doubtful.  It seems to me that Xamarin is focused only on mobile devices and basically nothing else.  (Even coverage for mono on OSX is very sparse.)


> I'm curious, what do you plan to do to stop using the SslSocket?

We need to make at least a small research project into that.  I'm guessing it will probably be Bouncy Castle.  Not 100% sure yet.  Perhaps openssl - but since they're really C++ with a crude managed wrapper around it, we might not use openssl for that reason.  Bouncy Castle is at least *meant* to be managed code, but I recently uncovered a kind of major flaw with their SecureRandom, which apparently gets used all over the place, so we'll see.  Like I said, haven't made up our minds yet.

Re: HttpListener SSL client certificate

Chris Tacke
In reply to this post by Agustin Gimenez
“Let a real web server be the web server” isn’t much of an answer.  It’s likely that the solution doesn’t allow the use of a “real” web server or he likely wouldn’t be asking the question. I have a similar scenario where I’m going to need to serve up over SSL and I can’t use one so I, too, am interested in how this will work out.  I’ve probably got a little time until I have to fully commit to a solution, but it sounds like several of us are trying to solve the same problem.

-Chris


From: [hidden email]
Sent: Friday, August 8, 2014 9:28 AM
To: [hidden email], [hidden email]


Re: HttpListener SSL client certificate

Agustin Gimenez
Chris, I have done some tests and Ned is right, SSL is just broken: under
heavy load after some time it gets hung and stops responding; when the
remote side closes the faulted connection it starts working again.

It only happens with SSL, so it must be some bug in the SSL code with
multithreading. Also, when it works it's slow as hell: when the connection is
first made (not reused by keep-alive) it takes at least 2-3 seconds to
complete.

For now I'm using Nginx as a reverse proxy to do the HTTPS decode and it works
like a charm.

I will investigate further (if I can debug the mono classes) to try to solve
it. I have created a fork at https://github.com/gusmanb/mono and will try to
keep it up to date, and every finding I make will be pushed there; any
contribution is welcome. For now it has the client certificate request
disabled; at least if you don't have a high load it works.

It's a shame that something as basic as SSL connections doesn't work as
expected.





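The reverse-proxy layout Agustin settles on, as an added illustration that is not from the thread or from either poster: nginx terminates TLS on 443 and forwards plain HTTP to the HttpListener application, which binds only to loopback. Hostname, certificate paths and the backend port are assumptions. Because nginx owns the handshake, the Mono SslServerStream code that hard-codes the client certificate request (and the TLS 1.2 gap Ned mentions) never sees a connection; ssl_verify_client off is nginx's default and is spelled out only to make that point explicit.

```nginx
# Added example: nginx as the TLS-terminating reverse proxy in front of a
# Mono HttpListener application. Hostname, certificate paths and the backend
# port are assumptions, not values from the thread.

server {
    listen 80;
    server_name app.example.com;           # assumed hostname
    # Never serve the application over plain HTTP from the outside.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;           # assumed hostname

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # assumed path

    # nginx performs the handshake, so the Mono SslStream/SslServerStream
    # code (and its lack of TLS 1.2) is never involved.
    # Drop TLSv1.3 on nginx builds older than 1.13 / OpenSSL 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Default value, made explicit: nginx sends no CertificateRequest, so
    # browsers will not prompt users for a client certificate.
    ssl_verify_client off;

    location / {
        # The application registers the HttpListener prefix
        # http://127.0.0.1:8080/ (assumed). Binding the unencrypted listener
        # to loopback only keeps it unreachable from the network, so TLS
        # cannot be bypassed by connecting to port 8080 directly.
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with nginx -t before reloading. The application may treat X-Forwarded-Proto and X-Forwarded-For as trustworthy only because port 8080 accepts connections from the proxy alone; if the backend has to be reachable from other hosts, those headers can be set by any client and must not be used for security decisions.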

Re: HttpListener SSL client certificate

Edward Ned Harvey (mono)
> From: [hidden email] [mailto:mono-list-
> [hidden email]] On Behalf Of DrGusman
>
> Chris, I have done some tests and Ned is right, SSL is just broken, under
> heavy load after some time it gets hung and stops responding, when the
> remote side closes the faulted connection it starts working again.

We don't have that problem - We have servers with a whole bunch of clients continuously connecting simultaneously, and both the connection time and the throughput perform well and reliably.  My main concern is the lack of upkeep - mono SslStream doesn't support TLS 1.2, and receives very little development/maintenance attention.


> I will investigate further (if I can debug the mono classes) to try solve
> it, I have created a fork at https://github.com/gusmanb/mono and will try to
> keep it up to date and every finding I do will be pushed there, any
> contribution is welcome. It has for now the client certificate request
> disabled, at least if you don't have a high load it works.

Hmm...  I mentioned having an outstanding pull request that gets no attention...