[Mono-dev] bug in Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.LocalValidation

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Tue Apr 8 18:42:46 UTC 2014


I have these two servers, identical in every way except for their IP, name, and certs. The certs were created by exactly the same process for both machines. I have done mozroots on the client. Servers are running Mono 3.2.8.

This server negotiates SSL just fine with Windows or Mac clients. No problem. (port 443) telefolder.vgocom.net
This server negotiates SSL fine for Windows clients, and causes the Mac client to throw an exception (UnknownCA), which is incorrect. (port 443) telefolder.clevertrove.net

Code to reproduce the problem:

using System;
using System.Net;
using System.Net.Sockets;
using System.Net.Security;
using System.Security.Authentication;
using System.Diagnostics;

namespace FunWithSslCerts
{
    class MainClass
    {
        public static void Main(string[] args)
        {
            // const string hostname = "telefolder.vgocom.net";    // works
            const string hostname = "telefolder.clevertrove.net";
            const int port = 443;

            var client = new TcpClient();
            client.Connect(hostname, port);
            var mySslStream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
            mySslStream.AuthenticateAsClient(
                targetHost: hostname,
                clientCertificates: null,
                enabledSslProtocols: SslProtocols.Tls,
                checkCertificateRevocation: false
            );
            // If we throw exception on the line above, we failed.
            // If we get here, we were successful.
            Debugger.Break();
        }
    }
}
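
A diagnostic variant of the reproduction above, added here as an example and not part of the original post: it logs the policy errors and each chain element's status as the client sees them, where the runtime supplies a chain, and still rejects the connection on any error. The names ChainDiagnostics and LogAndValidate, and taking the hostname from the command line, are assumptions of this example.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace FunWithSslCerts
{
    // Hypothetical helper class, not from the original post.
    class ChainDiagnostics
    {
        // Logs what the client saw, then accepts only when no policy errors
        // were reported, so the diagnostic never weakens validation.
        static bool LogAndValidate(object sender, X509Certificate cert,
                                   X509Chain chain, SslPolicyErrors errors)
        {
            Console.WriteLine("SslPolicyErrors: {0}", errors);
            if (cert != null)
                Console.WriteLine("Leaf: {0} (issuer: {1})", cert.Subject, cert.Issuer);

            if (chain != null)
            {
                // One entry per certificate the client placed in the chain.
                foreach (X509ChainElement element in chain.ChainElements)
                {
                    Console.WriteLine("  subject: {0}", element.Certificate.Subject);
                    Console.WriteLine("  issuer:  {0}", element.Certificate.Issuer);
                    foreach (X509ChainStatus status in element.ChainElementStatus)
                        Console.WriteLine("    status: {0} {1}",
                                          status.Status, status.StatusInformation);
                }
            }
            return errors == SslPolicyErrors.None;
        }

        public static void Main(string[] args)
        {
            // Assumption: the server name is given as the first argument.
            string hostname = args[0];
            using (var client = new TcpClient(hostname, 443))
            using (var ssl = new SslStream(client.GetStream(), false, LogAndValidate))
            {
                // Throws if the callback (or the handshake itself) rejects the server.
                ssl.AuthenticateAsClient(hostname, null, SslProtocols.Tls, false);
                Console.WriteLine("Handshake succeeded.");
            }
        }
    }
}
```

Running it against both servers from the same client and comparing the logged chains shows which element the client cannot link to a trusted root.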