[Mono-bugs] [Bug 746721] New: AuthenticateAsServer does not send full chain of certificates
bugzilla_noreply at novell.com
Mon Feb 13 14:30:45 UTC 2012
https://bugzilla.novell.com/show_bug.cgi?id=746721
https://bugzilla.novell.com/show_bug.cgi?id=746721#c0
Summary: AuthenticateAsServer does not send full chain of certificates
Classification: Mono
Product: Mono: Class Libraries
Version: 2.10.x
Platform: All
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: System.Security
AssignedTo: frego at suse.com
ReportedBy: p.grudzien12 at gmail.com
QAContact: mono-bugs at lists.ximian.com
Found By: ---
Blocker: ---
Created an attachment (id=475850)
--> (http://bugzilla.novell.com/attachment.cgi?id=475850)
Simple server with ssl authentication. Requires a valid certificate.
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
When using SslStream.AuthenticateAsServer on Mono 2.10.2 and below, Mono sends
only the server's certificate and no issuer certificates. .NET, on the other
hand, sends all certificates included in the PKCS#12 file.
Reproducible: Always
Steps to Reproduce:
1. Get a signed certificate
2. Run the attached program.cs (creates a TcpListener with SSL auth)
3. run openssl s_client -showcerts -connect foo.com:3000
Actual Results:
The openssl client cannot verify the certificate. Sample output of openssl
s_client on Mono 2.10.2 (Linux):
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
-----BEGIN CERTIFICATE-----
cert0
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1506 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: masterkey....
Key-Arg : None
Krb5 Principal: None
Start Time: 1329139041
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Expected Results:
Sample output on .NET (Windows). As one can see, there is a full chain of
certificates:
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
-----BEGIN CERTIFICATE-----
cert0
-----END CERTIFICATE-----
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
cert1
-----END CERTIFICATE-----
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
cert2
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3967 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: sessionID
Session-ID-ctx:
Master-Key: masterkey...
Key-Arg : None
Krb5 Principal: None
Start Time: 1329160144
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
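The check in step 3 of the report (does the server send its intermediates?) can be scripted. The following is an added example, not code from the bug report, from the attached program.cs or from Mono: it parses the text that `openssl s_client -showcerts` prints, counts the certificates in the "Certificate chain" section, checks that each certificate's issuer is the subject of the next one sent, names the issuer that was not presented, and picks up the final "Verify return code". The two embedded sample outputs are constructed, modelled (with shortened DNs) on the Mono and .NET transcripts above; the `probe()` helper, the `foo.com` hostname and port are assumptions for illustration.

```python
"""Chain-completeness check over `openssl s_client -showcerts` output.

Added example, not part of the bug report or of Mono. Run it as a script to
see the two constructed samples classified, or call probe(host, port) to test
a live server (requires the openssl binary and network access).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts both the old "/C=GB/CN=x" and the newer "C = GB, CN = x" DN styles.
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")           # " 0 s:/CN=foo.com"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")                 # "   i:/CN=PositiveSSL CA"
VERIFY_RE = re.compile(r"^Verify return code: (\d+)")  # "Verify return code: 21 (...)"


@dataclass
class ChainEntry:
    index: int
    subject: str
    issuer: str = ""


def parse_showcerts(output: str) -> Tuple[List[ChainEntry], Optional[int]]:
    """Extract the 'Certificate chain' entries and the final verify return code."""
    entries: List[ChainEntry] = []
    verify_code: Optional[int] = None
    current: Optional[ChainEntry] = None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = ChainEntry(int(m.group(1)), m.group(2).strip())
            entries.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None and not current.issuer:
            current.issuer = m.group(1).strip()
            continue
        m = VERIFY_RE.match(line)
        if m:
            verify_code = int(m.group(1))
    return entries, verify_code


def chain_report(output: str) -> dict:
    """Summarise what the server sent and whether the client could verify it."""
    entries, verify_code = parse_showcerts(output)
    # A well-formed chain links issuer-to-subject from the leaf upwards.
    linked = all(a.issuer == b.subject for a, b in zip(entries, entries[1:]))
    unpresented: Optional[str] = None
    if entries:
        last = entries[-1]
        # A self-signed last certificate is the root; roots need not be sent.
        if last.issuer != last.subject:
            unpresented = last.issuer
    return {
        "sent": len(entries),
        "linked": linked,
        "unpresented_issuer": unpresented,
        "verify_code": verify_code,
        # Complete from the client's point of view: linked and verified.
        "ok": bool(entries) and linked and verify_code == 0,
    }


def probe(host: str, port: int = 443) -> dict:
    """Run openssl s_client against a live server (assumed host/port, needs network)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-servername", host,
         "-connect", f"{host}:{port}"],
        input="", capture_output=True, text=True, check=False)
    return chain_report(proc.stdout)


# Constructed sample outputs: a server that sends only the leaf (what the report
# describes for Mono 2.10.2) and one that sends leaf plus intermediates.
LEAF_ONLY = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=foo.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
-----BEGIN CERTIFICATE-----
cert0
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

FULL_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=foo.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
-----BEGIN CERTIFICATE-----
cert0
-----END CERTIFICATE-----
 1 s:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
cert1
-----END CERTIFICATE-----
 2 s:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
cert2
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, chain_report(sample))
```

Note that an unpresented issuer by itself is not a defect: a server is expected to omit the root, so the full-chain sample still reports the AddTrust root as unpresented while verifying cleanly. The symptom of this bug is the combination seen in the leaf-only sample, a single certificate sent and verify return code 21 (unable to verify the first certificate), which means the client had nothing to bridge the leaf to a trusted root.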