[Mono-list] Connecting to Google via SSL
sebastien.pouliot at gmail.com
Tue Dec 22 08:17:53 EST 2009
On Mon, 2009-12-21 at 11:00 +0000, Craig Box wrote:
> Hi all,
> I'm having trouble coaxing Mono to connect to Google via SSL
> (specifically to do OpenID verification).
First things first, which version of Mono are you using ?
> Because this is a security protocol, I don't want to implement the
> "always return true" certificate checking policy in my application.
> I've imported the Mozilla root certificates, and I've tried getting
> the certificate with certmgr -ssl, but there just seems to be
> something wrong with it that Mono doesn't like.
That's the right step. In fact executing only mozroots should be enough.
> Running a0.exe (from
> http://www.mono-project.com/UsingTrustedRootsRespectfully), which just
> creates a WebRequest, I get this result:
> user at host:~$ mono a0.exe https://www.google.com/accounts/o8/id
> Unhandled Exception: System.Net.WebException: Error getting response
> stream (Write): SendFailure ---> System.IO.IOException: The
> authentication or decryption has failed. --->
> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received
> from server.
> Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000]
> Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000]
> at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
> at (wrapper remoting-invoke-with-check)
> Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
> Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
> Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000]
> --- End of inner exception stack trace ---
> at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
> (IAsyncResult asyncResult) [0x00000]
> --- End of inner exception stack trace ---
> at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult
> asyncResult) [0x00000]
> at System.Net.HttpWebRequest.GetResponse () [0x00000]
> at Program.Main (System.String args) [0x00000]
> Running tlstest from the Security FAQ:
> user at host:~$ mono tlstest.exe https://www.google.com/
> Format: X509
> Name: C=US, S=California, L=Mountain View, O=Google Inc,
> Issuing CA: C=US, O=Google Inc, CN=Google Internet Authority
> Key Algorithm: 1.2.840.1135220.127.116.11
> Serial Number: B30D000003009A1E6652
> Key Alogrithm Parameters: 0500
> Public Key:
> Valid From: 11/12/2009 12:36:10 PM
> Valid Until: 11/12/2010 12:46:10 PM
> Error #-2146762490: CERT_E_PURPOSE 0x800B0106
> Error #-2146762486: CERT_E_CHAINING 0x800B010A
> Importing with certmgr:
> $ certmgr -ssl https://www.google.com/
> Mono Certificate Manager - version 18.104.22.168
> Manage X.509 certificates and CRL from stores.
> Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell.
> BSD licensed.
> X.509 Certificate v3
> Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate
> Issued to: C=US, O=Google Inc, CN=Google Internet Authority
> Valid from: 6/8/2009 9:43:27 PM
> Valid until: 6/7/2013 8:43:27 PM
> *** WARNING: Certificate signature is INVALID ***
> I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not
> matching, being an error on Gmail). Running tlstest on www.gmail.com
> adds another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F
> - which suggests that it might be separate from this issue.
> If not, I probably need a newer point-release of Mono 2.4 and would
> like to know which version this fix was backported to.
Any 2.4.x version released after August 20th, 2009 (which afaik means
only 2.4.3) or 2.6[.x] will have the fix.
> If it's as simple as importing an intermediate certificate, could
> someone please help me with identifying which?
This is not required 99% of the time - i.e. unless you're dealing with
an app/protocol that does not give you a certificate chain.
This is not an issue with SSL/TLS. It gives you the whole chain - but
without the root certificate (which would not help anyway).
> I have tried pulling down the certificates with openssl s_client, and
> importing them with certmgr -add -c Trust.
Never do that. Intermediate certificate should not be directly trusted.
You'll run into problems later if any of the intermediate certificates
More information about the Mono-list