[Mono-list] Connecting to Google via SSL

Craig Box craig.box at gmail.com
Mon Dec 21 06:00:49 EST 2009


Hi all,

I'm having trouble coaxing Mono to connect to Google via SSL (specifically
to do OpenID verification).  Because this is a security protocol, I don't
want to implement the "always return true" certificate checking policy in my
application.  I've imported the Mozilla root certificates, and I've tried
getting the certificate with certmgr -ssl, but there just seems to be
something wrong with it that Mono doesn't like.

Running a0.exe (from
http://www.mono-project.com/UsingTrustedRootsRespectfully), which just
creates a WebRequest, I get this result:

user@host:~$ mono a0.exe https://www.google.com/accounts/o8/id

Unhandled Exception: System.Net.WebException: Error getting response stream
(Write): SendFailure ---> System.IO.IOException: The authentication or
decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid
certificate received from server.
  at
Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates
(Mono.Security.X509.X509CertificateCollection certificates) [0x00000]
  at
Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1
() [0x00000]
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
[0x00000]
  at (wrapper remoting-invoke-with-check)
Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage
(Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback
(IAsyncResult asyncResult) [0x00000]
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
(IAsyncResult asyncResult) [0x00000]
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult)
[0x00000]
  at System.Net.HttpWebRequest.GetResponse () [0x00000]
  at Program.Main (System.String[] args) [0x00000]


Running tlstest from the Security FAQ:

user@host:~$ mono tlstest.exe https://www.google.com/

https://www.google.com/
CERTIFICATE:
    Format:  X509
    Name:  C=US, S=California, L=Mountain View, O=Google Inc, CN=www.google.com
    Issuing CA:  C=US, O=Google Inc, CN=Google Internet Authority
    Key Algorithm:  1.2.840.113549.1.1.1
    Serial Number:  B30D000003009A1E6652
    Key Alogrithm Parameters:  0500
    Public Key:
30818902818100A5B4503FB81314B5E96F9A3E30DD06ECAA266EDCDE9E4ED29EEC6421E24EA10D3A221A7F15A51BAA110E49B454E66A258D10F631CE100E51B33CA0496BAE2AA463A3F8010BA89A8491CAF7690E4F367926ACD502F902FF850E5C98F23AAD62FBF7AE13914FA730F2CFCCF5698E5F80D3352A0CA5041698E8EDED99F9C9CAFE5F0203010001


    Valid From:  11/12/2009 12:36:10 PM
    Valid Until: 11/12/2010 12:46:10 PM

Error #-2146762490: CERT_E_PURPOSE 0x800B0106
Error #-2146762486: CERT_E_CHAINING 0x800B010A


Importing with certmgr:

$ certmgr -ssl https://www.google.com/
Mono Certificate Manager - version 2.4.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD
licensed.


 X.509 Certificate v3
   Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
   Issued to:   C=US, O=Google Inc, CN=Google Internet Authority
   Valid from:  6/8/2009 9:43:27 PM
   Valid until: 6/7/2013 8:43:27 PM
   *** WARNING: Certificate signature is INVALID ***


I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not
matching, being an error on Gmail).  Running tlstest on www.gmail.com adds
another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F - which
suggests that it might be separate from this issue.  If not, I probably need
a newer point-release of Mono 2.4 and would like to know which version this
fix was backported to.

If it's as simple as importing an intermediate certificate, could someone
please help me with identifying which?  I have tried pulling down the
certificates with openssl s_client, and importing them with certmgr -add -c
Trust.

Regards
Craig
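
Added example, not part of the original post and not code from the Mono project: a strict alternative to the "always return true" policy mentioned above, which reports the status of each chain element and still rejects on any policy error. It uses only the standard System.Net callback API. The class name ChainDiag is hypothetical, and how much of the chain the runtime hands to the callback is an assumption that may differ on older Mono releases.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

class ChainDiag  // hypothetical name, for illustration only
{
    // Diagnostic callback: logs why validation failed, never overrides the verdict.
    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.Error.WriteLine("Policy errors: {0}", errors);
        if (cert != null)
            Console.Error.WriteLine("Leaf: {0} (issuer: {1})", cert.Subject, cert.Issuer);

        if (chain != null)
        {
            // Per-element status shows which certificate in the path is the problem.
            foreach (X509ChainElement element in chain.ChainElements)
            {
                Console.Error.WriteLine("  element: {0}", element.Certificate.Subject);
                foreach (X509ChainStatus s in element.ChainElementStatus)
                    Console.Error.WriteLine("    {0}: {1}", s.Status, s.StatusInformation);
            }
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("  chain: {0}: {1}", s.Status, s.StatusInformation);
        }
        return false;  // fail closed: a logged error is still an error
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: chaindiag.exe <https-url>");
            return 2;
        }
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        try
        {
            using (WebResponse response = WebRequest.Create(args[0]).GetResponse())
                Console.WriteLine("Validated: {0}", response.ResponseUri);
            return 0;
        }
        catch (WebException e)
        {
            Console.Error.WriteLine("Rejected: {0}", e.Message);
            return 1;
        }
    }
}
```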