10

I have created a server using HttpListener. It works perfect without SSL, but with SSL something strange happens.

I have installed the certificate using httpcfg and even with my own program, it installs correctly, the listener starts and serves HTTPS requests, but always asks for a client certificate.

It does not happens on Windows/.net, only with Linux/mono (I'm using ver 3.4.0) and is very annoying, I don't want the user to be asked each time he tries to log in for a client certificate.

Is this a mono bug or is there any way to disable the client certificate negotiation?

Thanks.

Gusman
  • 14,905
  • 2
  • 34
  • 50

2 Answers2

4

I'm having the same problem. What I've discovered is that this is hardcoded in Mono. In mcs/class/System/System.Net/HttpConnection.cs, when the constructor of SslServerStream is called, you will notice that the requestClientCertificate is hardcoded to true.

I came across this PR that attempts to change this hardcoded value to false, however it's currently semi-rejected due to "I rather not change one hardcoded value for another hardcoded value."

[Update] And I just now realized you (OP) are the author of the PR :)

[Update 9/21/2016] It looks like this question is still getting hits. If it is helpful to anyone, we went with nginx as a reverse proxy a long time ago when we could not resolve this issue. I'm glad we did, and should have done it sooner. It is much faster than Mono for handling the SSL/TLS, and allows us to more carefully control the crypto suites and keep up to date with security patches.

I'm keeping an eye on Mono 4.6, which has yet to release. With their overhaul of TLS and the ability to plug in alternate implementations at runtime this might give us a path forward without using nginx reverse proxy.

BrandonLWhite
  • 1,866
  • 1
  • 23
  • 26
  • Thanks for the heads up about using Nginx for security and performance reasons. There are still other lingering questions on SO about Mono SSL that I found before finding this question. I'm going to add comments to link them here. And a question for you: In 2019, is using Nginx and completely forgoing the mono HttpListener still your suggested approach? – JamesHoux Aug 10 '19 at 16:10
  • One more thing, when using Nginx are there steps that must be taken to ensure security with data passed into Nancy or another application? Somewhere else (I'm sorry, I've losted the link in all my searching), I saw someone mention a problem specific to Nancy where Nancy can't know that its running in an HTTPS Context because it is behind Nginx. As a result, you can't use HTTPS checks in your Nancy App: For instance, you can't have your app verify that the connection was established over HTTPS before allowing specific functions to be executed. – JamesHoux Aug 10 '19 at 16:21
  • 1
    For anyone who is looking specifically for a way to embed an http server with SSL in their application and absolutely does not want to put their application behind Nginx or another host, an option is to use Ceen HTTPd. Its a library that promises suppose for SSL and can process certificates at an application level without requiring OS-level configuration. I found it discussed here: https://softwarerecs.stackexchange.com/questions/52304/net-library-for-running-an-embedded-selfhosted-light-web-server-from-c-with-ss – JamesHoux Aug 10 '19 at 17:20
  • Even now in December 2020, the hardcoded value is still a pain. This answer prompted me to check out Nginx and I am glad I did - it is quite amazing! Will be using it as a reverse proxy to handle HTTPS and forward to my app on HTTP listening on localhost. – Eric Mutta Dec 21 '20 at 01:15
0

The only options one (still..) has are:

Use Gusman's pull request #1 or #2 (depending on your Mono version) as workaround which should be OK for productive environments, if a recent Mono version's source code is used.

Example for Mono v4.2.3.4:

echo -e -n "83c83\n< \t\t\t\tSslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, true, false);\n---\n> \t\t\t\tSslServerStream ssl_stream = new SslServerStream (new NetworkStream (sock, false), cert, false, false, false);\n" > nocerts.diff
tar xvjf mono-4.2.3.4.tar.bz2
cd mono-4.2.3.4 
patch ./mcs/class/System/System.Net/HttpConnection.cs ../nocerts.diff
./configure --prefix=/usr
make
make install

Or use the last Mono version that works without client certificates (which is v3.10.0).

Community
  • 1
  • 1
RhinoDevel
  • 712
  • 1
  • 12
  • 25