<div dir="ltr">meant to reply-all<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Sebastien Pouliot</b> <span dir="ltr"><<a href="mailto:sebastien.pouliot@gmail.com">sebastien.pouliot@gmail.com</a>></span><br>
Date: Mon, Mar 17, 2014 at 11:32 PM<br>Subject: Re: [Mono-dev] Bug with Ssl cert validation<br>To: "Edward Ned Harvey (mono)" <<a href="mailto:edward.harvey.mono@clevertrove.com">edward.harvey.mono@clevertrove.com</a>><br>
<br><br><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Mon, Mar 17, 2014 at 10:43 PM, Edward Ned Harvey (mono) <span dir="ltr"><<a href="mailto:edward.harvey.mono@clevertrove.com" target="_blank">edward.harvey.mono@clevertrove.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">This *has* to be a bug in Mono.  I repeated this problem with Mono 3.2.7 (the standard distribution MDK) on Mac OS X Mavericks, fully updated, and 3.2.8 on Linux, built from source.  No problem on Windows (Win 8.1 Pro, fully updated).<br>


<br>
On Mac and Linux, I am aware that there are no trusted root CAs by default.  So I ran "mozroots --import --sync" and repeated - still got the same problem - and I tried "sudo mozroots --import --sync --machine" and once again confirmed the same problem.  I confirmed that the Mozilla root CAs were downloaded and installed to ~/.config/.mono/certs/Trust/ and /usr/share/.mono/certs/Trust/, but still the behavior remains unchanged.  Problem on both Mac and Linux.<br>


<br>
Sample code below.  When run on mono, throws "System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server."<br>
<br>
Does not throw exception on windows.<br>
<br>
using System;<br>
using System.Net;<br>
using System.Net.Sockets;<br>
using System.Net.Security;<br>
using System.Security.Authentication;<br>
using System.Security.Cryptography.X509Certificates;<br>
<br>
namespace FunWithSsl<br>
{<br>
        class MainClass<br>
        {<br>
                public static void Main (string[] args)<br>
                {<br>
                        string targetHost = "verisign.com";     // pick a site, any site.  https server<br>
                        IPAddress[] addresses = Dns.GetHostAddresses (targetHost);<br>
                        var client = new TcpClient ();<br>
                        client.Connect (addresses [0],443);<br>
                        var mySslStream = new SslStream (client.GetStream(), false, ValidateServerCertificate);<br></blockquote><div><br></div></div><div>if you read the source [1] (or look at the API compatibility page [2]) you'll see that this .ctor is decorated with</div>

<div><br></div><div>



<font face="Menlo">
<span style="color:rgb(68,68,68)">[MonoTODO ("userCertificateValidationCallback is not passed X509Chain and SslPolicyErrors correctly")]</span><br>


<span style="color:rgb(0,150,149)"></span></font></div><div><br></div><div>Changing it to</div><div><br></div><div>var mySslStream = new SslStream (client.GetStream(), false);<br></div><div><br></div><div>*and* having run `mozroots` will work.</div>

<div><br></div><div>Sebastien</div><div><br></div><div>[1] <a href="https://github.com/mono/mono/blob/master/mcs/class/System/System.Net.Security/SslStream.cs#L104" target="_blank">https://github.com/mono/mono/blob/master/mcs/class/System/System.Net.Security/SslStream.cs#L104</a></div>

<div>[2] <a href="http://go-mono.com/status/status.aspx?reference=4.5&profile=4.5&assembly=System" target="_blank">http://go-mono.com/status/status.aspx?reference=4.5&profile=4.5&assembly=System</a></div>
<div class=""><div><br></div><div>
 </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                        try<br>
                        {<br>
                                mySslStream.AuthenticateAsClient (targetHost, null, SslProtocols.Tls, false);<br>
                                System.Console.WriteLine ("Passed");<br>
                        }<br>
                        catch (Exception e)<br>
                        {<br>
                                System.Console.WriteLine ("Failed: \n"+e.ToString());<br>
                        }<br>
                }<br>
                private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)<br>
                {<br>
                        System.Console.WriteLine (sslPolicyErrors.ToString ());<br>
                        //System.Console.WriteLine(chain.ToString());<br>
                        System.Console.WriteLine(certificate.ToString());<br>
                        return (sslPolicyErrors == SslPolicyErrors.None);<br>
                }<br>
        }<br>
}<br>
_______________________________________________<br>
Mono-devel-list mailing list<br>
<a href="mailto:Mono-devel-list@lists.ximian.com" target="_blank">Mono-devel-list@lists.ximian.com</a><br>
<a href="http://lists.ximian.com/mailman/listinfo/mono-devel-list" target="_blank">http://lists.ximian.com/mailman/listinfo/mono-devel-list</a><br>
</blockquote></div></div><br></div></div>
</div><br></div>
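<div>The practical point of the exchange above is that the callback form of the SslStream constructor cannot be relied on to receive a correct X509Chain and SslPolicyErrors on that Mono version, so a callback that only checks what it is handed may be deciding on incomplete data. The code below is an added example, not code from the thread or from Mono itself. It separates the accept/reject decision into a function that fails closed when the certificate or chain is missing and re-reads the chain status rather than trusting SslPolicyErrors alone, then wires that decision into the same RemoteCertificateValidationCallback shape the original sample used. The namespace, class and method names, the command-line hostname argument, and the use of SslProtocols.Tls12 (which assumes a runtime whose TLS stack supports TLS 1.2, unlike the Mono 3.2 stack discussed above) are all assumptions of this example. The offline checks in Main use constructed inputs and do not touch the network.</div>

```csharp
// Added example, not from the Mono-devel thread or the Mono sources.
// A fail-closed RemoteCertificateValidationCallback for SslStream.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace FunWithSslExample          // hypothetical namespace
{
    static class StrictValidation     // hypothetical class name
    {
        // Pure decision function: no network, no SslStream, so it can be
        // exercised with constructed inputs.
        public static bool ShouldAccept(X509Certificate certificate, X509Chain chain, SslPolicyErrors errors)
        {
            // Fail closed. If the runtime did not hand us a certificate or a
            // chain (the MonoTODO quoted above warns that it may not), there is
            // nothing to verify, so reject instead of assuming the default
            // validation ran.
            if (certificate == null || chain == null)
                return false;

            // Any policy error (name mismatch, chain error, no certificate) is a
            // rejection. Returning true unconditionally here is the classic
            // "disable TLS validation" bug.
            if (errors != SslPolicyErrors.None)
                return false;

            // Re-inspect the chain the runtime built, so a callback that was
            // given SslPolicyErrors.None together with a bad chain still rejects.
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                if (status.Status != X509ChainStatusFlags.NoError)
                    return false;
            }
            return true;
        }

        // Adapter with the exact RemoteCertificateValidationCallback signature.
        public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                                     X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            bool ok = ShouldAccept(certificate, chain, sslPolicyErrors);
            Console.WriteLine("policy errors: {0}; accepted: {1}", sslPolicyErrors, ok);
            return ok;
        }

        public static void Main(string[] args)
        {
            // Offline self-checks with constructed inputs.
            // A missing chain must be rejected even when the policy errors say "None".
            if (ShouldAccept(null, null, SslPolicyErrors.None))
                throw new Exception("null certificate/chain was accepted");
            // A name mismatch must be rejected regardless of the chain contents.
            if (ShouldAccept(new X509Certificate2(), new X509Chain(), SslPolicyErrors.RemoteCertificateNameMismatch))
                throw new Exception("name mismatch was accepted");
            Console.WriteLine("offline checks passed");

            // Optional live run (assumed usage): pass a hostname to connect on 443.
            if (args.Length == 0)
                return;
            string targetHost = args[0];
            using (var client = new TcpClient(targetHost, 443))
            using (var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate))
            {
                try
                {
                    // Passing the hostname lets the runtime perform the name check
                    // that feeds RemoteCertificateNameMismatch into the callback.
                    ssl.AuthenticateAsClient(targetHost, null, SslProtocols.Tls12, false);
                    Console.WriteLine("Passed: " + ssl.RemoteCertificate.Subject);
                }
                catch (Exception e)
                {
                    // Mono surfaces a rejected certificate as IOException wrapping
                    // TlsException (as in the thread), not only AuthenticationException.
                    Console.WriteLine("Failed: " + e.Message);
                }
            }
        }
    }
}
```

<div>The design choice worth keeping is the first guard: when a callback is registered, the runtime treats its return value as the verdict, so a null chain must be a rejection rather than a reason to skip the check. Dropping the callback altogether, as suggested in the reply, is the other safe option, because the default validation against the mozroots trust store then runs unmodified.</div>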