Would you plan to implement IceSSL in C#?

[zhangzq71]

I found there is a C# SSL library, would you plan to implement IceSSL for C#?


http://www.mentalis.org/soft/projects/ssocket/

[marc]

At present, there is no demand from any of our commercial customer for IceSSL for C#. If you have a commercial need for IceSSL for C#, please contact us at info@zeroc.com.

[kwaclaw]

I found there is a C# SSL library, would you plan to implement IceSSL for C#?


http://www.mentalis.org/soft/projects/ssocket/

I have done my own IceSSL implementation using .NET 2.0,
which includes SSL functionality. It is the version that comes
with Visual Studio 2005 Beta 2.

Seems to work for me, but no serious testing done so far.

If you like (and have VS 2005 Beta2), I can e-mail it to you.
It also requires a few changes to Ice itself to compile under .NET 2.0
and to fix a bug with plugin loading.

Karl

[zhangzq71]

Karl,

Do you mean .net 2.0 comes with SSL implemenation?

I have no VS.net 2005, but I can't find there is the .net 2.0 SDK download from MS website, can I compile your code by SDK only, if yes, please sent me your code.

Thank you very much!

email: zhangzq71@hotmail.com


Regards,
ZhangZQ

[kwaclaw]

Karl,

Do you mean .net 2.0 comes with SSL implemenation?

I have no VS.net 2005, but I can't find there is the .net 2.0 SDK download from MS website, can I compile your code by SDK only, if yes, please sent me your code.

Thank you very much!

email: zhangzq71@hotmail.com


Regards,
ZhangZQ

Yes, .NET 2.0 comes with an SslStream class. It only works with blocking
sockets, but this did not seem to be a problem with the little testing I did.

I am not sure if you can get the *Beta 2* version of .NET 2.0 SDK
without VS 2005, but you can try. One should be able to compile
with it. Give me a little time to prepare the fixes you need to do
to Ice itself to compile under .NET 2.0 and to accept plugins.

Karl

[zhangzq71]

Karl,

I found the .net framework 2.0 SDK can be downloaded from MSDN. After your IceSSL C# is ok, please send me a copy, thank you very much!


Regards,
ZhangZQ

[kwaclaw]

Karl,

I found the .net framework 2.0 SDK can be downloaded from MSDN. After your IceSSL C# is ok, please send me a copy, thank you very much!


Regards,
ZhangZQ

I sent you a zip file. Please report back on how it works for you.

Karl

[zhangzq71]

Karl,

Thanks, but I didn't get your code? Is it very large?


Regards,
ZhangZQ

[kwaclaw]

Karl,

Thanks, but I didn't get your code? Is it very large?


Regards,
ZhangZQ

Well, yes, I pre-built everything for you, so the attachment
is about 5MB. Is that too large for you?

If yes, I can either ftp it if you like, or remove all binaries and
re-send a smaller file, in which case you would have to configure
everything for building, but that is not so bad, as with .NET 2.0
one can use msbuild.exe to build VS project files without having
VS installed.

Just tell me what you prefer,

Karl

[zhangzq71]

Karl,

I got your IceCS for .net 2.0. Thank you very much for your great effort!

I tried the Hello program follows your instruction in IceSSL.txt file, but there is something error,

E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine
Succeeded

E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-sy 12 -in "IAA" -is root -ir localMachine
Error: There are more than one matching certificate in the issuer's root cert store
Failed

If I run the program ignoring the above errors, got
server.exe
Ice.PluginInitializationException: IceSSL: Plugin initialization failed.
at Ice.PluginManagerI.loadPlugin(String name, String className, String[] args)
at Ice.PluginManagerI.loadPlugins(String[]& cmdArgs)
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initializeWithProperties(String[]& args, Properties properties)
at Server.Main(String[] args)

so I have not successfully tested the SSL part of your Ice for CS.


Regards,
ZhangZQ

[kwaclaw]

Karl,

I got your IceCS for .net 2.0. Thank you very much for your great effort!

I tried the Hello program follows your instruction in IceSSL.txt file, but there is something error,

E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -r -pe -n "CN=IAA" -ss root -sr LocalMachine
Succeeded

E:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -pe -n "CN=Demo Soft" -ss my -sr LocalMachine -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider"-sy 12 -in "IAA" -is root -ir localMachine
Error: There are more than one matching certificate in the issuer's root cert store
Failed

It is hard to diagnose what is going on from here.
You should run mmc.exe, install the Certificates snap-in and have a look at your certificate stores. Maybe you tried to install the same certificate multiple times?

If I run the program ignoring the above errors, got
server.exe
Ice.PluginInitializationException: IceSSL: Plugin initialization failed.
at Ice.PluginManagerI.loadPlugin(String name, String className, String[] args)
at Ice.PluginManagerI.loadPlugins(String[]& cmdArgs)
at IceInternal.Instance.finishSetup(String[]& args)
at Ice.CommunicatorI.finishSetup(String[]& args)
at Ice.Util.initializeWithProperties(String[]& args, Properties properties)
at Server.Main(String[] args)

so I have not successfully tested the SSL part of your Ice for CS.

If config.xml file specifies a certificate serial number then it must match an existing certificate. However, the existing serial number in the hello demo's config.xml file will not match anything you have installed, therefore the plugin initialization will fail.

To make it easier for you, remove the server certificate serial number from config.xml. If there are no serial numbers or "subject names" specified, then the IceSSL plugin will select the first certificate it finds in the certificate store identified by the CertificateStoreLocation and CertificateStoreName elements.

So, all you have to make sure of then is that there is at least one certificate in the client store and server store.

Karl

[zhangzq71]

It is hard to diagnose what is going on from here.
You should run mmc.exe, install the Certificates snap-in and have a look at your certificate stores. Maybe you tried to install the same certificate multiple times?

I still can't fix the problem in generating the CA, don't know the detail mechanism of MS's CA service.

How about to implement the IceSSLcs independ to OS service?


Regards,
ZhangZQ

[kwaclaw]

I still can't fix the problem in generating the CA, don't know the detail mechanism of MS's CA service.

From what you said it appears that generating the CA was successful, but generating the server certificate reported multiple CAs with the same name. Maybe you installed the CA twice, which would give you two CAs with the same name.

I suggest you use MMC (Microsoft Management Console) with the Certificate snap-in to delete the second CA certificate. This should be quite easy to do on Windows XP. Don't know about Windows 2000/NT.

How about to implement the IceSSLcs independ to OS service?

It is already OS independent. It relies on the .NET API and not on any Windows specific features. It will be the same on Linux/Mono when their .NET 2.0 equivalent version comes out.

However, I will think about how to add a feature to load a file-based certificate.


Karl

[zhangzq71]

I suggest you use MMC (Microsoft Management Console) with the Certificate snap-in to delete the second CA certificate. This should be quite easy to do on Windows XP. Don't know about Windows 2000/NT.

I have to find the installation disk to install the CA snap-in because I can't find that snap-in in my control panel.

It is already OS independent. It relies on the .NET API and not on any Windows specific features. It will be the same on Linux/Mono when their .NET 2.0 equivalent version comes out.

However, I will think about how to add a feature to load a file-based certificate.

I am glad to hear to, what I really want is to use MONO in Linux.


For your previous email, How to generate the CertificateSerialNumber ?



Regards,
ZhangZQ

[kwaclaw]

I have to find the installation disk to install the CA snap-in because I can't find that snap-in in my control panel.

It should be there. After opening MMC (type mmc.exe on command line),
go to the File menu and select Add/Remove snap-in. Then when a dialog opens, click on the Add button.

I am glad to hear to, what I really want is to use MONO in Linux.

For your previous email, How to generate the CertificateSerialNumber ?

I think there is an option in makecert, but normally a GUID-like number is auto-generated.


Btw, I remember I already implemented a way to delay configuration to later and load a certificate file.

Here are the steps for the HelloS (server) project:

1) Add the System.Security assembly to the project references.

2) In file Server.cs, add these to lines to the top:

Code:

using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

then add code like in this example to the Main function:
(the code between the // lines)

Code:

try
{
    Ice.Properties properties = Ice.Util.createProperties();
    properties.load("config");
    communicator = Ice.Util.initializeWithProperties(ref args, properties);
    //
    string certFile = @"...\...\DemoSoft.pfx";
    X509Certificate2 cert = new X509Certificate2(certFile, "password");
    Ice.Ssl.ServerContext srvContext = 
      new Ice.Ssl.ServerContext(SslProtocols.Tls, false, false, false, cert);
    Ice.Ssl.PluginI plugin =
      (Ice.Ssl.PluginI)communicator.getPluginManager().getPlugin("IceSslStream");
    plugin.ServerContext = srvContext;
    //
    status = run(args, communicator);
}

but currently this won't work because there seems to be a bug in the Communicator implementation: pluginManager returns null.
You can fix this by replacing the code for getPluginManager() in the CommunicatorI.cs file in Ice like this:

Code:

public PluginManager getPluginManager()
{
    return _instance.pluginManager();
}

with this fix it worked for me.

Hope that helps,

Karl