[Mono-list] SSL/TLS issue with Disqus.com

Pablo Ruiz pablo.ruiz at gmail.com
Tue May 28 02:47:35 UTC 2013


Hi Sebastián,

Yes, that's what seemed weird. I didn't expect mono to offer camellia as
part of its ClientHello.. ;)

Sent from my iPhone

On 27/05/2013, at 21:05, Sebastien Pouliot <sebastien.pouliot at gmail.com>
wrote:

Personally I saw Camellia used by Chrome and AFAIK it's now implemented by
OpenSSL.

Anyway, like I said, it's negotiated :-) and the server chooses between what
the client offers (or refuses the connection, not the certificate).

Now there can be load balancers, proxies, custom hardware/software... but I
doubt it's the issue.


On Mon, May 27, 2013 at 2:40 PM, Pablo Ruiz <pablo.ruiz at gmail.com> wrote:

> Interesting..
>
> Using openssl/s_client looks like AES256.. Where did you get Camellia
> 256? Maybe they use some kind of load balancer and some of their real
> servers are misconfigured?
>
> $ openssl.exe s_client -connect disqus.com:443
> CONNECTED(00000003)
> [...]
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 29930C5A0E13DDB7507A0584F9B70BCC3C93A8193355CF2565FD044A10FA50F4
>     Session-ID-ctx:
>     Master-Key: 1546D5A8E418DC50FF08C096C96A13537B043E41A350A352C7FC5A62B5E78349D1DA7F95E864982F7D537350C696728E
>     Key-Arg   : None
>     Start Time: 1369679851
>     Timeout   : 300 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
>
>
>
>
> On Mon, May 27, 2013 at 5:10 PM, Joe Dluzen <jdluzen at gmail.com> wrote:
>
>> It appears that Disqus is using Camellia 256 CBC. I don't think Mono has
>> a managed implementation of it, I did a quick search through the Github
>> repo.
>>
>>  Message: 3
>>> Date: Mon, 27 May 2013 23:39:56 +1000
>>> From: Daniel Lo Nigro <lists at dan.cx>
>>> To: Alberto León <leontiscar at gmail.com>
>>> Cc: "mono-list at lists.ximian.com" <Mono-list at lists.ximian.com>
>>> Subject: Re: [Mono-list] SSL/TLS issue with Disqus.com
>>> Message-ID:
>>>         <
>>> CAB1r_+VcugCbP9ggRxtft8byuGmo-OLrbEDuXSJoe+xjAFQDvg at mail.gmail.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>>
>>> I have other apps connecting via HTTPS fine (including the Twitter API, I
>>> believe). I'm only having issues with Disqus.
>>>
>>>
>>> On Mon, May 27, 2013 at 11:37 PM, Alberto León <leontiscar at gmail.com>
>>> wrote:
>>>
>>> > I find a similar problem in Mono 3.0.4 in OpenSuse each time I use
>>> > LinqToTwitter or any library that connects with https
>>> >
>>> > But in Debian with Mono 3.0.3 I never found this problem.
>>> >
>>> > I suppose it is at configuration level, but I don't have any idea what
>>> > is necessary to change
>>> >
>>> >
>>> > 2013/5/27 Daniel Lo Nigro <lists at dan.cx>
>>> >
>>> >> Hi,
>>> >>
>>> >> My code is trying to connect to the Disqus API (https://disqus.com/),
>>> >> but I have started getting an "Invalid certificate received from
>>> >> server" error. I've tried running mozcerts --sync to load the latest
>>> >> Mozilla root CAs, and connecting to other SSL/TLS works fine. I am using
>>> >> Mono 3.0.7, but I encounter the same issue on Mono 3.0.10. Strangely,
>>> >> running tlstest doesn't output anything apart from the URL:
>>> >>
>>> >> 23:21 daniel at dan /tmp
>>> >> % mono tlstest.exe https://disqus.com/
>>> >>
>>> >> https://disqus.com/
>>> >>
>>> >> But it works fine for other servers:
>>> >> 23:22 daniel at dan /tmp
>>> >> % mono tlstest.exe https://google.com/
>>> >>
>>> >> https://google.com/
>>> >> [Subject]
>>> >>   CN=*.google.com, O=Google Inc, L=Mountain View, S=California, C=US
>>> >> ...etc...
>>> >>
>>> >> Below is the exception I'm getting:
>>> >> System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure
>>> >> ---> System.IO.IOException: The authentication or decryption has failed.
>>> >> ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
>>> >>   at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x0009b] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs:218
>>> >>   at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00054] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs:105
>>> >>   at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00037] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake/HandshakeMessage.cs:105
>>> >>   at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
>>> >>   at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00039] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs:81
>>> >>   at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00123] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:397
>>> >>   --- End of inner exception stack trace ---
>>> >>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x0002a] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:100
>>> >>   --- End of inner exception stack trace ---
>>> >>   at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00065] in /usr/local/src/mono-3.0.7/mcs/class/System/System.Net/HttpWebRequest.cs:926
>>> >>   at System.Net.HttpWebRequest.GetResponse () [0x0000e] in /usr/local/src/mono-3.0.7/mcs/class/System/System.Net/HttpWebRequest.cs:932
>>> >>   at ServiceStack.Text.WebRequestExtensions.GetStringFromUrl (System.String url, System.String acceptContentType, System.Action`1 responseFilter) [0x00000] in <filename unknown>:0
>>> >>   at ServiceStack.Text.WebRequestExtensions.GetJsonFromUrl (System.String url, System.Action`1 responseFilter) [0x00000] in <filename unknown>:0
>>> >>   at Daniel15.BusinessLayer.Services.DisqusComments.Sync () [0x0001e] in c:\Users\Daniel\Documents\Visual Studio 2010\Projects\dan.cx_dotnet\Daniel15.BusinessLayer\Services\DisqusComments.cs:58
>>> >>   at Daniel15.Cron.CronRunner.Run (System.String operation) [0x00021] in c:\Users\Daniel\Documents\Visual Studio 2010\Projects\dan.cx_dotnet\Daniel15.Cron\CronRunner.cs:24
>>> >>   at Daniel15.Cron.CronRunner.Main (System.String[] args) [0x00000] in c:\Users\Daniel\Documents\Visual Studio 2010\Projects\dan.cx_dotnet\Daniel15.Cron\CronRunner.cs:11
>>> >>
>>> >> Any ideas?
>>> > --
>>> > https://twitter.com/AlbertCSharpMan
>>> > http://stackoverflow.com/users/690958/alberto-leon
>>>
>>
>> _______________________________________________
>> Mono-list maillist  -  Mono-list at lists.ximian.com
>> http://lists.ximian.com/mailman/listinfo/mono-list
>>
>>
>