[Mono-list] Connecting to Google via SSL
Sebastien Pouliot
sebastien.pouliot at gmail.com
Tue Dec 22 08:17:53 EST 2009
Hello Craig,
On Mon, 2009-12-21 at 11:00 +0000, Craig Box wrote:
> Hi all,
>
> I'm having trouble coaxing Mono to connect to Google via SSL
> (specifically to do OpenID verification).
First things first, which version of Mono are you using?
> Because this is a security protocol, I don't want to implement the
> "always return true" certificate checking policy in my application.
> I've imported the Mozilla root certificates, and I've tried getting
> the certificate with certmgr -ssl, but there just seems to be
> something wrong with it that Mono doesn't like.
That's the right step. In fact executing only mozroots should be enough.
> Running a0.exe (from
> http://www.mono-project.com/UsingTrustedRootsRespectfully), which just
> creates a WebRequest, I get this result:
>
> user at host:~$ mono a0.exe https://www.google.com/accounts/o8/id
>
> Unhandled Exception: System.Net.WebException: Error getting response
> stream (Write): SendFailure ---> System.IO.IOException: The
> authentication or decryption has failed. --->
> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received
> from server.
> at
> Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000]
> at
> Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000]
> at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
> [0x00000]
> at (wrapper remoting-invoke-with-check)
> Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
> at
> Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
> at
> Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000]
> --- End of inner exception stack trace ---
> at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
> (IAsyncResult asyncResult) [0x00000]
> --- End of inner exception stack trace ---
> at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult
> asyncResult) [0x00000]
> at System.Net.HttpWebRequest.GetResponse () [0x00000]
> at Program.Main (System.String[] args) [0x00000]
>
>
> Running tlstest from the Security FAQ:
>
> user at host:~$ mono tlstest.exe https://www.google.com/
>
> https://www.google.com/
> CERTIFICATE:
> Format: X509
> Name: C=US, S=California, L=Mountain View, O=Google Inc,
> CN=www.google.com
> Issuing CA: C=US, O=Google Inc, CN=Google Internet Authority
> Key Algorithm: 1.2.840.113549.1.1.1
> Serial Number: B30D000003009A1E6652
> Key Alogrithm Parameters: 0500
> Public Key:
> 30818902818100A5B4503FB81314B5E96F9A3E30DD06ECAA266EDCDE9E4ED29EEC6421E24EA10D3A221A7F15A51BAA110E49B454E66A258D10F631CE100E51B33CA0496BAE2AA463A3F8010BA89A8491CAF7690E4F367926ACD502F902FF850E5C98F23AAD62FBF7AE13914FA730F2CFCCF5698E5F80D3352A0CA5041698E8EDED99F9C9CAFE5F0203010001
>
>
> Valid From: 11/12/2009 12:36:10 PM
> Valid Until: 11/12/2010 12:46:10 PM
>
> Error #-2146762490: CERT_E_PURPOSE 0x800B0106
> Error #-2146762486: CERT_E_CHAINING 0x800B010A
>
>
> Importing with certmgr:
>
> $ certmgr -ssl https://www.google.com/
> Mono Certificate Manager - version 2.4.0.0
> Manage X.509 certificates and CRL from stores.
> Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell.
> BSD licensed.
>
>
> X.509 Certificate v3
> Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate
> Authority
> Issued to: C=US, O=Google Inc, CN=Google Internet Authority
> Valid from: 6/8/2009 9:43:27 PM
> Valid until: 6/7/2013 8:43:27 PM
> *** WARNING: Certificate signature is INVALID ***
>
>
> I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not
> matching, being an error on Gmail). Running tlstest on www.gmail.com
> adds another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F
> - which suggests that it might be separate from this issue.
> If not, I probably need a newer point-release of Mono 2.4 and would
> like to know which version this fix was backported to.
Any 2.4.x version released after August 20th, 2009 (which afaik means
only 2.4.3) or 2.6[.x] will have the fix.
> If it's as simple as importing an intermediate certificate, could
> someone please help me with identifying which?
This is not required 99% of the time - i.e. unless you're dealing with
an app/protocol that does not give you a certificate chain.
This is not an issue with SSL/TLS. It gives you the whole chain - but
without the root certificate (which would not help anyway).
> I have tried pulling down the certificates with openssl s_client, and
> importing them with certmgr -add -c Trust.
Never do that. Intermediate certificates should not be directly trusted.
You'll run into problems later if any of the intermediate certificates
are revoked.
Sebastien
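As an added example (not code from the thread or from the Mono project), here is the fail-closed alternative to the "always return true" policy mentioned above: a validation callback that accepts the server certificate only when the chain builds to a trusted root with no policy errors, and otherwise logs what actually failed so the fix is the right one (run mozroots, upgrade Mono) instead of disabling checks. It assumes the .NET 2.0 / Mono 2.x `ServicePointManager.ServerCertificateValidationCallback` API; the URL default is the one from Craig's mail.

```csharp
// Added example, not from the original post: strict TLS certificate validation
// for HttpWebRequest under Mono/.NET 2.0 (assumed API: ServerCertificateValidationCallback).
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class StrictTls
{
    // Accept only when the chain builds to a trusted root (e.g. the Mozilla roots
    // imported by mozroots) with no name-mismatch or chain errors. Intermediates are
    // taken from the handshake, never from the Trust store.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // Say why validation failed (CN mismatch, chain problem, no certificate).
        Console.Error.WriteLine("TLS validation failed: {0}", errors);
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("  chain status: {0} ({1})", s.Status, s.StatusInformation.Trim());
            // The server sends the full chain minus the root; list what was received.
            foreach (X509ChainElement e in chain.ChainElements)
                Console.Error.WriteLine("  received: {0}", e.Certificate.Subject);
        }
        return false; // fail closed
    }

    static int Main(string[] args)
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        string url = args.Length > 0 ? args[0] : "https://www.google.com/accounts/o8/id";
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        try
        {
            using (WebResponse resp = req.GetResponse())
                Console.WriteLine("Connected: {0}", resp.ResponseUri);
            return 0;
        }
        catch (WebException ex)
        {
            Console.Error.WriteLine("Request failed: {0}", ex.Message);
            return 1;
        }
    }
}
```

Compile with `mcs StrictTls.cs` and run `mono StrictTls.exe <url>`; a chain-status line such as `UntrustedRoot` points at a missing root (mozroots), while `NotSignatureValid` on an intermediate points at the Mono version issue discussed above.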