[Mono-dev] Fwd: Bug with Ssl cert validation
Sebastien Pouliot
sebastien.pouliot at gmail.com
Tue Mar 18 03:33:16 UTC 2014
meant to reply-all
---------- Forwarded message ----------
From: Sebastien Pouliot <sebastien.pouliot at gmail.com>
Date: Mon, Mar 17, 2014 at 11:32 PM
Subject: Re: [Mono-dev] Bug with Ssl cert validation
To: "Edward Ned Harvey (mono)" <edward.harvey.mono at clevertrove.com>
On Mon, Mar 17, 2014 at 10:43 PM, Edward Ned Harvey (mono) <edward.harvey.mono at clevertrove.com> wrote:
> This *has* to be a bug in mono. I repeated this problem with mono 3.2.7
> (the standard distribution MDK) on mac osx Mavericks fully updated, and
> 3.2.8 on linux, built from source. No problem on windows. (Win 8.1 Pro
> fully updated)
>
> On mac and linux, I am aware that there are no trusted root CA's by
> default. So I ran "mozroots --import --sync" and repeated - still got the
> same problem - and I tried "sudo mozroots --import --sync --machine" and
> once again confirmed the same problem. I confirmed that the mozilla root
> CA's were downloaded and installed to ~/.config/.mono/certs/Trust/ and
> /usr/share/.mono/certs/Trust/, but still the behavior remains unchanged.
> Problem on both mac & linux.
>
> Sample code below. When run on mono, throws "System.IO.IOException: The
> authentication or decryption has failed. --->
> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from
> server."
>
> Does not throw exception on windows.
>
> using System;
> using System.Net;
> using System.Net.Sockets;
> using System.Net.Security;
> using System.Security.Authentication;
> using System.Security.Cryptography.X509Certificates;
>
> namespace FunWithSsl
> {
>     class MainClass
>     {
>         public static void Main (string[] args)
>         {
>             string targetHost = "verisign.com"; // pick a site, any site. https server
>             IPAddress[] addresses = Dns.GetHostAddresses (targetHost);
>             var client = new TcpClient ();
>             client.Connect (addresses [0], 443);
>             var mySslStream = new SslStream (client.GetStream(), false, ValidateServerCertificate);
>
If you read the source [1] (or look at the API compatibility page [2])
you'll see that this .ctor is decorated with
[MonoTODO ("userCertificateValidationCallback is not passed X509Chain and SslPolicyErrors correctly")]
Changing it to
var mySslStream = new SslStream (client.GetStream(), false);
*and* having run `mozroots` will work.
Sebastien
[1] https://github.com/mono/mono/blob/master/mcs/class/System/System.Net.Security/SslStream.cs#L104
[2] http://go-mono.com/status/status.aspx?reference=4.5&profile=4.5&assembly=System
>             try
>             {
>                 mySslStream.AuthenticateAsClient (targetHost, null, SslProtocols.Tls, false);
>                 System.Console.WriteLine ("Passed");
>             }
>             catch (Exception e)
>             {
>                 System.Console.WriteLine ("Failed:\n" + e.ToString());
>             }
>         }
>         private static bool ValidateServerCertificate(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
>         {
>             System.Console.WriteLine (sslPolicyErrors.ToString ());
>             //System.Console.WriteLine(chain.ToString());
>             System.Console.WriteLine(certificate.ToString());
>             return (sslPolicyErrors == SslPolicyErrors.None);
>         }
>     }
> }
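As an added example (not code from the thread or from the Mono project), the client below shows both options Sebastien contrasts: the two-argument SslStream constructor, which leaves validation to the runtime's default chain check against the trust store `mozroots` populates, and a custom callback that still fails closed. The callback treats `chain` as possibly null, because the MonoTODO quoted above says the X509Chain is not passed through reliably on this Mono version, and it only logs chain status for diagnosis rather than loosening the decision. The host name is a placeholder, `SslProtocols.Tls12` is assumed to be available on the runtime (the thread itself used `SslProtocols.Tls`), and revocation checking is left off as in the original post.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the mailing-list thread or the Mono sources.
class SslValidationExample
{
    static int Main(string[] args)
    {
        // Placeholder host: pass any HTTPS host as the first argument.
        string targetHost = args.Length > 0 ? args[0] : "example.com";
        bool useCallback = args.Length > 1 && args[1] == "--callback";
        return Connect(targetHost, useCallback) ? 0 : 1;
    }

    // Returns true only when the TLS handshake and certificate validation succeed.
    static bool Connect(string targetHost, bool useCallback)
    {
        try
        {
            using (var client = new TcpClient(targetHost, 443))
            using (var ssl = useCallback
                // Custom callback: still rejects anything other than SslPolicyErrors.None.
                ? new SslStream(client.GetStream(), false, ValidateServerCertificate)
                // No callback: the runtime's own chain validation decides (the .ctor
                // Sebastien recommends once mozroots has filled the trust store).
                : new SslStream(client.GetStream(), false))
            {
                // Tls12 assumed to be supported by the runtime; the thread used SslProtocols.Tls.
                // Revocation checking left disabled as in the original post.
                ssl.AuthenticateAsClient(targetHost, null, SslProtocols.Tls12, false);
                Console.WriteLine("Passed: {0}, server certificate subject: {1}",
                    ssl.SslProtocol,
                    ssl.RemoteCertificate != null ? ssl.RemoteCertificate.Subject : "<none>");
                return true;
            }
        }
        catch (AuthenticationException e)
        {
            // Certificate or handshake rejected: this is the expected failure mode for a
            // bad chain and is where the "Invalid certificate received from server" lands.
            Console.WriteLine("Failed (authentication): " + e.Message);
            return false;
        }
        catch (Exception e)
        {
            Console.WriteLine("Failed: " + e);
            return false;
        }
    }

    // Fail-closed validator: only a clean SslPolicyErrors.None is accepted.
    // Everything else is logged for diagnosis and rejected; never return true
    // unconditionally to "make it work".
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("Rejecting {0}: {1}",
            certificate != null ? certificate.Subject : "<null certificate>",
            sslPolicyErrors);

        // chain may be null on this Mono version (see the MonoTODO), so guard it.
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  chain status: {0} ({1})",
                    status.Status, status.StatusInformation);
        }
        return false;
    }
}
```

Run it with a host name to exercise the default validator, or add `--callback` to route the decision through the logging callback; either way a missing or untrusted root shows up as a rejected handshake rather than a silently accepted one.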