[Mono-dev] Bug with Ssl cert validation

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Tue Mar 18 02:43:23 UTC 2014

This *has* to be a bug in mono.  I repeated this problem with mono 3.2.7 (the standard distribution MDK) on mac osx Mavericks fully updated, and 3.2.8 on linux, built from source.  No problem on windows.  (Win 8.1 Pro fully updated)

On mac and linux, I am aware that there are no trusted root CA's by default.  So I ran "mozroots --import --sync" and repeated - still got the same problem - and I tried "sudo mozroots --import --sync --machine" and once again confirmed the same problem.  I confirmed that the mozilla root CA's were downloaded and installed to ~/.config/.mono/certs/Trust/ and /usr/share/.mono/certs/Trust/, but still the behavior remains unchanged.  Problem on both mac & linux.

Sample code below.  When run on mono, throws "System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server."  

Does not throw exception on windows.

using System;
using System.Net;
using System.Net.Sockets;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace FunWithSsl
	class MainClass
		public static void Main (string[] args)
			string targetHost = "verisign.com";	// pick a site, any site.  https server
			IPAddress[] addresses = Dns.GetHostAddresses (targetHost);
			var client = new TcpClient ();
			client.Connect (addresses [0],443);
			var mySslStream = new SslStream (client.GetStream(), false, ValidateServerCertificate);
				mySslStream.AuthenticateAsClient (targetHost, null, SslProtocols.Tls, false);
				System.Console.WriteLine ("Passed");
			catch (Exception e)
				System.Console.WriteLine ("Failed: \n"+e.ToString());
		private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
			System.Console.WriteLine (sslPolicyErrors.ToString ());
			return (sslPolicyErrors == SslPolicyErrors.None);

More information about the Mono-devel-list mailing list