mkbundle and TLS root certificates/HTTPS requests


mkbundle and TLS root certificates/HTTPS requests

John Beshir
Hey, I'm wondering what process mkbundle'd executables on Linux use to find or get CA certificates for validating server certificates, to enable outgoing TLS and HTTPS connections.

And, if these executables don't include bundled certificates automatically, what process should be followed in order to create a mkbundle'd executable that can make HTTPS connections successfully?

I have a problem with a Linux port of a piece of software not being able to establish connections which I believe is due to it lacking the ability to validate connections. It needs to be able to connect to arbitrary servers, so it does need a full set, rather than just a certificate pinning implementation for its own service, which is all I could find existing discussion for.

Unfortunately because I'm not sure what mechanisms already exist here I'm not sure where to start in solving it; some clues would be very helpful. Right now my best thought would be to look at cert-sync's source and duplicate its behaviour, but either answers about that being unnecessary, an existing understood workflow for mkbundle'd software to make HTTPS connections, or a pointer to the key logic in cert-sync to replicate would be very helpful.

_______________________________________________
Mono-devel-list mailing list
[hidden email]
http://lists.dot.net/mailman/listinfo/mono-devel-list

Re: mkbundle and TLS root certificates/HTTPS requests

Bernhard Urban via Mono-devel-list
I talked to Miguel; mkbundle currently doesn't have any special handling for CA certificates, so Mono would just look in the usual locations.
So that'd be ~/.config/.mono/certs/ and /usr/share/.mono/certs/.

- Alex

> On 26 Apr 2017, at 17:03, John Beshir <[hidden email]> wrote:

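Since a mkbundle'd binary inherits Mono's normal store lookup, the practical check is whether the two locations Alex names are populated on the host where the bundled binary will run. The script below is an added example, not code from the thread or from the Mono project; it assumes Mono resolves the per-user store under $XDG_CONFIG_HOME (default ~/.config), and that cert-sync writes certificates as *.cer files.

```shell
#!/bin/sh
# Added example (not from the thread): report which Mono certificate store a
# mkbundle'd binary will see on this host, using the two locations named above.
# Assumptions: the per-user store is under $XDG_CONFIG_HOME (default ~/.config),
# and certificates are stored as *.cer files (the layout cert-sync writes).

# Count certificate files under a store directory; report 0 if it is absent.
count_certs() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -type f -name '*.cer' | wc -l | tr -d ' '
}

# Resolve the per-user store for the account running this script.
user_store_dir() {
    base="${XDG_CONFIG_HOME:-$HOME/.config}"
    echo "$base/.mono/certs"
}

# Print a verdict; return 0 if either store holds at least one root, else 1.
check_mono_stores() {
    user_dir=$(user_store_dir)
    sys_dir="/usr/share/.mono/certs"
    u=$(count_certs "$user_dir")
    s=$(count_certs "$sys_dir")
    echo "user store   $user_dir: $u certificate(s)"
    echo "system store $sys_dir: $s certificate(s)"
    if [ "$u" -eq 0 ] && [ "$s" -eq 0 ]; then
        echo "no trusted roots found: HTTPS validation from the bundled binary will fail"
        echo "populate the system store (as root) with:"
        echo "  cert-sync /etc/ssl/certs/ca-certificates.crt"
        return 1
    fi
    return 0
}

# Run the check when executed as a script (the && list keeps set -e quiet).
check_mono_stores && echo "OK: at least one Mono store is populated"
```

Run it as the same account the bundled binary will run under: a service account with a different or unset HOME resolves a different user store, and then only /usr/share/.mono/certs counts.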

Re: mkbundle and TLS root certificates/HTTPS requests

Bernhard Urban via Mono-devel-list
Hello,

Another thing we discussed was the possibility of bundling these with the executable.

This would work on platforms that use BoringTLS, not sure about Apple platforms using AppleTLS.

For this to work, I would need a way of registering these certificates at startup. Martin, is there some way I could do that?

On 5/4/17, 6:46 PM, "Mono-devel-list on behalf of Alexander Köplinger via Mono-devel-list" <[hidden email] on behalf of [hidden email]> wrote:

    I talked to Miguel, mkbundle currently doesn't have any special handling for CA certificates so Mono would just look in the usual locations.
    So that'd be ~/.config/.mono/certs/ and /usr/share/.mono/certs/.
   
    - Alex
   
    > On 26 Apr 2017, at 17:03, John Beshir <[hidden email]> wrote:
    >
    > Hey, I'm wondering what process mkbundle'd executables on Linux use to find or get CA certificates for validating server certificates, to enable outgoing TLS and HTTPS connections.
    >
    > And, if these executables don't include bundled certificates automatically, what process should be followed in order to create a mkbundle'd executable that can make HTTPS connections successfully?
    >
    > I have a problem with a Linux port of a piece of software not being able to establish connections which I believe is due to it lacking the ability to validate connections. It needs to be able to connect to arbitrary servers, so it does need a full set, rather than just a certificate pinning implementation for its own service, which is all I could find existing discussion for.
    >
    > Unfortunately because I'm not sure what mechanisms already exist here I'm not sure where to start in solving it; some clues would be very helpful. Right now my best thought would be to look at cert-sync's source and duplicate its behaviour, but either answers about that being unnecessary, an existing understood workflow for mkbundle'd software to make HTTPS connections, or a pointer to the key logic in cert-sync to replicate would be very helpful.
    > _______________________________________________
    > Mono-devel-list mailing list
    > [hidden email]
    > https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.dot.net%2Fmailman%2Flistinfo%2Fmono-devel-list&data=02%7C01%7Calkpli%40microsoft.com%7Cc5f90d69a96f4562aee508d48cb56d3f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636288158243101110&sdata=mj9K4VcjQ%2BjGqDRcuHKAYaIu5OwopS9Op0R7%2FOsQbbM%3D&reserved=0
   
    _______________________________________________
    Mono-devel-list mailing list
    [hidden email]
    https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Flists.dot.net%2Fmailman%2Flistinfo%2Fmono-devel-list&data=02%7C01%7Cmiguel%40microsoft.com%7Cacd597cfbb904de8917208d4933f7232%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636295348097475894&sdata=KQQr9CDhIYVZiGP6T6KUCTLOyxFt7WB5nfTA%2BN0gc7Q%3D&reserved=0
   


Re: mkbundle and TLS root certificates/HTTPS requests

Bernhard Urban via Mono-devel-list
Hello,

I do not think I would want to use the path; I think we might need to go beyond that: we would need a way of “installing” the root certificates from memory, into memory.

As there is no file on disk to point to.

On 5/16/17, 12:12 PM, "Martin Baulig" <[hidden email]> wrote:

    Hey guys,
   
    Most of the code is already there, but we don’t officially support it yet.
   
    You will have to use reflection because MonoTlsSettings.CertificateSearchPaths is
    Internal:  https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Mono.Security.Interface/MonoTlsSettings.cs#L85.
   
    I do not wish to make this property public until the code is finished and we have tests for it.
   
    The code which uses it is here:
    https://github.com/mono/mono/blob/master/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L241
   
    We could either hook into that on startup or finish the code and make it public.
   
    Martin
   
    On 5/16/17, 11:09 AM, "Miguel de Icaza" <[hidden email]> wrote:


Re: mkbundle and TLS root certificates/HTTPS requests

Bernhard Urban via Mono-devel-list
Hello,

We do not really need to optimize for those, we would fetch the file from a resource and call some API at startup that could register it.

We can chat in person – I do not think that there is any urgency to get this done over other things we are doing.

On 5/16/17, 3:05 PM, "Martin Baulig" <[hidden email]> wrote:

    Hey,
   
    It pretty much depends on what you want as there are multiple ways of how “from memory” could be implemented.  Can you give me a few constraints, such as should we optimize for memory usage, startup time, access speed?  Most likely, we will add a new lookup method for this.
   
    Martin
   
    On 5/16/17, 2:27 PM, "Miguel de Icaza" <[hidden email]> wrote:


Re: mkbundle and TLS root certificates/HTTPS requests

Bernhard Urban via Mono-devel-list
Actually, come to think of it, I think that separating certificates from the binary is a better idea.

That way you can update the certificates on your machine more easily than replacing a binary.

On 5/16/17, 3:05 PM, "Martin Baulig" <[hidden email]> wrote:
