Disabled client certificate request for HttpConnection (HttpListener)… #2817

Closed
@gusmanb
commented Mar 31, 2016

Enforcing HttpListener connections to validate client certificates by default renders HttpListener unusable for most cases.

It was hardcoded to request the certificate, now it's disabled.

It should be extended to be configurable.

Also a small typo on x509 chain is corrected.

@xamarin-cla-bot

commented Mar 31, 2016

Hey @gusmanb,
Thank you for your Pull Request! We <3 our contributors!

However, it looks like you haven't signed our CLA (Contributor License Agreement) yet. In order for us to accept your pull request, you have to sign our CLA first.
Once you do this, we can check over your pull request. You should only have to do this once.

You can read and sign our full Contributor License Agreement here.

Thanks,

Your friendly Xamarin CLA Bot

@monojenkins

Contributor

commented Mar 31, 2016

Hello! I'm the build bot for the Mono project. I need approval from a Mono team member to build this pull request. A team member should reply with "approve" to approve a build of this pull request, "whitelist" to whitelist this and all future pull requests from this contributor, or "build" to explicitly request a build, even if one has already been done. Contributors can ignore this message.

@xamarin-cla-bot

commented Mar 31, 2016

Hey @gusmanb,

Thanks for signing our CLA! We can now look at your pull request.

Always at your service,

Your friendly Xamarin CLA Bot

@migueldeicaza

Member

commented Apr 10, 2016

Before this can be merged, the following questions need to be answered:

[ ] What is the behavior of the same API on Windows
[ ] What is the API that is surfaced on Windows to configure this check

I do not like this patch, because users that have managed to use this API are requiring these checks, so this is effectively lowering the expected security that users would have. If something like this were to be done, we would need to figure out a communications plan.

Additionally, perhaps what we need to do is teach users how to use LetsEncrypt to make this easier, or even bundle a command line tool to make this easier.

@gusmanb

Author

commented Apr 10, 2016

Hi Miguel.

The answers are the same as two years ago: by default Windows deactivates the client certificates, and to enable them you must use the certmgr tool with a special parameter.

I think nobody is using the HttpListener with SSL because of this issue; there are a lot of complaints about it, you can find them on ServiceStack, CouchBase, a bunch of posts on StackOverflow, etc.

I thought this patch was forgotten, but a message from lewurm asked me to update it to pass the CI, so I updated the solution (because the patch was for an older version and it was worse to update everything than to modify it again) and created the new pull request only because of that.

@ra00l

commented Jun 6, 2016

Miguel, I run into the same issue; I get a prompt for a client side certificate, only on Mac; on Windows no prompt. Found this article from Microsoft which might give you the switch you're looking for:
http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api

<system.webServer>
    <security>
        <access sslFlags="Ssl, SslNegotiateCert" />
        <!-- To require a client cert: -->
        <!-- <access sslFlags="Ssl, SslRequireCert" /> -->
    </security>
</system.webServer>
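
An added example, not part of this pull request or of the Mono code base: a handler that depends on client certificates can check them itself, so it fails closed whether or not the listener requests a certificate by default. The class name, port and thumbprint placeholder are assumptions, and a server certificate is assumed to be already bound to the HTTPS prefix.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: fail-closed client certificate check for HttpListener handlers.
static class ClientCertGate
{
    // Constructed placeholder; replace with the thumbprints of the certificates you trust.
    static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "<TRUSTED-CLIENT-CERT-THUMBPRINT>" };

    public static bool IsAuthorized(HttpListenerRequest request)
    {
        if (!request.IsSecureConnection)
            return false;                 // plain HTTP never carries a client certificate

        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null)
            return false;                 // not requested by the listener, or not sent by the client

        if (request.ClientCertificateError != 0)
            return false;                 // the platform reported a validation error

        DateTime now = DateTime.Now;      // NotBefore/NotAfter are expressed in local time
        if (now < cert.NotBefore || now > cert.NotAfter)
            return false;                 // outside the certificate's validity window

        return AllowedThumbprints.Contains(cert.Thumbprint);
    }

    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("https://localhost:8443/"); // assumed prefix and port
        listener.Start();
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            // Reject anything that did not present an allowed certificate.
            ctx.Response.StatusCode = IsAuthorized(ctx.Request) ? 200 : 403;
            ctx.Response.Close();
        }
    }
}
```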

@migueldeicaza migueldeicaza self-assigned this Jul 7, 2016

@akoeplinger akoeplinger removed the in-review label Dec 5, 2017

@baulig baulig closed this May 23, 2018
