[Mono-bugs] [Bug 635646] New: Gmail pop ssl certificate is rejected

bugzilla_noreply at novell.com
Mon Aug 30 16:50:06 EDT 2010


https://bugzilla.novell.com/show_bug.cgi?id=635646

https://bugzilla.novell.com/show_bug.cgi?id=635646#c0


           Summary: Gmail pop ssl certificate is rejected
    Classification: Mono
           Product: Mono: Class Libraries
           Version: 2.6.x
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Mono.Security
        AssignedTo: spouliot at novell.com
        ReportedBy: mfarver at mindbent.org
         QAContact: mono-bugs at lists.ximian.com
                CC: tedu at fogcreek.com
        Depends on: 545015
          Found By: ---
           Blocker: ---


+++ This bug was initially created as a clone of Bug #545015 +++

Created an attachment (id=321507)
 --> (http://bugzilla.novell.com/attachment.cgi?id=321507)
tries to connect to pop.gmail.com

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12)
Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12

The
Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.checkCertificateUsage
function rejects the SSL cert used by pop.gmail.com as being unworthy of a
server cert.  I'm not an expert in X509 standards, but multiple independent TLS
implementations are willing to accept this certificate as valid for a server,
so it seems mono is wrong here.




This bug is marked fixed, but still appears to occur in 2.6.7.
--------------------------------------------

$ certmgr -ssl https://pop.gmail.com:995
Mono Certificate Manager - version 2.6.7.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD
licensed.


 X.509 Certificate v3
   Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
   Issued to:   C=US, O=Google Inc, CN=Google Internet Authority
   Valid from:  6/8/2009 3:43:27 PM
   Valid until: 6/7/2013 2:43:27 PM
   *** WARNING: Certificate signature is INVALID ***
This certificate is already in the CA store.

 X.509 Certificate v3
   Issued from: C=US, O=Google Inc, CN=Google Internet Authority
   Issued to:   C=US, S=California, L=Mountain View, O=Google Inc,
CN=pop.gmail.com
   Valid from:  4/22/2010 3:11:23 PM
   Valid until: 4/22/2011 3:21:23 PM
This certificate is already in the AddressBook store.

No certificate were added to the stores.

--------------------------------------------
It also occurs using https://sdb.amazonaws.com
