[Mono-list] Connecting to Google via SSL

Craig Box craig.box at gmail.com
Mon Dec 21 06:00:49 EST 2009

Hi all,

I'm having trouble coaxing Mono to connect to Google via SSL (specifically
to do OpenID verification).  Because this is a security protocol, I don't
want to implement the "always return true" certificate checking policy in my
application.  I've imported the Mozilla root certificates, and I've tried
getting the certificate with certmgr -ssl, but there just seems to be
something wrong with it that Mono doesn't like.

Running a0.exe (from
http://www.mono-project.com/UsingTrustedRootsRespectfully), which just
creates a WebRequest, I get this result:

user@host:~$ mono a0.exe https://www.google.com/accounts/o8/id

Unhandled Exception: System.Net.WebException: Error getting response stream
(Write): SendFailure ---> System.IO.IOException: The authentication or
decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid
certificate received from server.
(Mono.Security.X509.X509CertificateCollection certificates) [0x00000]
() [0x00000]
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
  at (wrapper remoting-invoke-with-check)
Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage
(Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback
(IAsyncResult asyncResult) [0x00000]
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
(IAsyncResult asyncResult) [0x00000]
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult)
  at System.Net.HttpWebRequest.GetResponse () [0x00000]
  at Program.Main (System.String[] args) [0x00000]

Running tlstest from the Security FAQ:

user@host:~$ mono tlstest.exe https://www.google.com/

    Format:  X509
    Name:  C=US, S=California, L=Mountain View, O=Google Inc, CN=
    Issuing CA:  C=US, O=Google Inc, CN=Google Internet Authority
    Key Algorithm:  1.2.840.113549.1.1.1
    Serial Number:  B30D000003009A1E6652
    Key Alogrithm Parameters:  0500
    Public Key:

    Valid From:  11/12/2009 12:36:10 PM
    Valid Until: 11/12/2010 12:46:10 PM

Error #-2146762490: CERT_E_PURPOSE 0x800B0106
Error #-2146762486: CERT_E_CHAINING 0x800B010A

Importing with certmgr:

$ certmgr -ssl https://www.google.com/
Mono Certificate Manager - version
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD

 X.509 Certificate v3
   Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
   Issued to:   C=US, O=Google Inc, CN=Google Internet Authority
   Valid from:  6/8/2009 9:43:27 PM
   Valid until: 6/7/2013 8:43:27 PM
   *** WARNING: Certificate signature is INVALID ***

I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not
matching, being an error on Gmail).  Running tlstest on www.gmail.com adds
another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F - which
suggests that it might be separate from this issue.  If not, I probably need
a newer point-release of Mono 2.4 and would like to know which version this
fix was backported to.

If it's as simple as importing an intermediate certificate, could someone
please help me with identifying which?  I have tried pulling down the
certificates with openssl s_client, and importing them with certmgr -add -c
