[Mono-dev] Request for comments: mozroots, msroots, X509Chain
Edward Ned Harvey (mono)
edward.harvey.mono at clevertrove.com
Fri Jan 9 02:21:48 UTC 2015
> From: mono-devel-list-bounces at lists.ximian.com [mailto:mono-devel-list-
> bounces at lists.ximian.com] On Behalf Of Edward Ned Harvey (mono)
> To validate this concept, I'd like to point out that Microsoft ships Windows
> with a list of roots *and* a list of intermediates populated by default.
Bah. I made a mistake. The fact of the matter is, MS and Firefox (and probably others) ship with roots only, and no intermediates. They automatically store any intermediates they receive from servers during normal usage, which can cover up problems if later connections fail to provide a valid chain. I was misinformed because I looked at the intermediates list of a system that had been used to browse a lot of internet, but today I looked at a pristine windows installation and confirmed the intermediate list was empty. Also, I found a mozilla support article where they explicitly say "Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future usage. If a server doesn't send a full certificate chain then you won't get an untrusted error when Firefox has stored missing intermediate certificates from visiting a server in the past that has send it, but you do get an untrusted error if this intermediate certificate isn't stored yet."
So my long email is moot except for two points: The root certs need to be automated, and mono SslStream.AuthenticateAsServer() needs to be fixed because it doesn't send the chain. (The problem is underlying; not actually a flaw in SslStream itself.)
More information about the Mono-devel-list