[Mono-list] SSL/TLS issue with Disqus.com

Daniel Lo Nigro lists at dan.cx
Tue May 28 10:12:53 UTC 2013


https://disqus.com/api/docs/ loads fine in IE6 in a VM so I assume that
Mono should have no problems connecting to it (I doubt IE6 supports ciphers
that Mono doesn't support).

Would this problem be an issue in Mono or an issue with Disqus' server
configuration?


On Tue, May 28, 2013 at 12:47 PM, Pablo Ruiz <pablo.ruiz at gmail.com> wrote:

> Hi Sebastián,
>
> Yes, that's what seemed weird. I didn't expect mono to offer camellia as
> part of its ClientHello.. ;)
>
> Sent from my iPhone
>
> On 27/05/2013, at 21:05, Sebastien Pouliot <sebastien.pouliot at gmail.com>
> wrote:
>
> Personally I saw Camellia used by Chrome and AFAIK it's now implemented
> by OpenSSL.
>
> Anyway, like I said, it's negotiated :-) and the server chooses between what
> the client offers (or refuses the connection, not the certificate).
>
> Now there can be load balancers, proxies, custom hardware/software... but
> I doubt it's the issue.
>
>
> On Mon, May 27, 2013 at 2:40 PM, Pablo Ruiz <pablo.ruiz at gmail.com> wrote:
>
>> Interesting..
>>
>> Using openssl/s_client looks like AES256.. Where did you get Camellia
>> 256? Maybe they use some kind of load balancer and some of their real
>> servers are misconfigured?
>>
>> $ openssl.exe s_client -connect disqus.com:443
>> CONNECTED(00000003)
>> [...]
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: 29930C5A0E13DDB7507A0584F9B70BCC3C93A8193355CF2565FD044A10FA50F4
>>     Session-ID-ctx:
>>     Master-Key: 1546D5A8E418DC50FF08C096C96A13537B043E41A350A352C7FC5A62B5E78349D1DA7F95E864982F7D537350C696728E
>>     Key-Arg   : None
>>     Start Time: 1369679851
>>     Timeout   : 300 (sec)
>>     Verify return code: 20 (unable to get local issuer certificate)
>>
>>
>>
>>
>> On Mon, May 27, 2013 at 5:10 PM, Joe Dluzen <jdluzen at gmail.com> wrote:
>>
>>> It appears that Disqus is using Camellia 256 CBC. I don't think Mono has
>>> a managed implementation of it, I did a quick search through the Github
>>> repo.
>>>
>>>  Message: 3
>>>> Date: Mon, 27 May 2013 23:39:56 +1000
>>>> From: Daniel Lo Nigro <lists at dan.cx>
>>>> To: Alberto León <leontiscar at gmail.com>
>>>> Cc: "mono-list at lists.ximian.com" <Mono-list at lists.ximian.com>
>>>> Subject: Re: [Mono-list] SSL/TLS issue with Disqus.com
>>>> Message-ID: <CAB1r_+VcugCbP9ggRxtft8byuGmo-OLrbEDuXSJoe+xjAFQDvg at mail.gmail.com>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>>
>>>> I have other apps connecting via HTTPS fine (including the Twitter API, I
>>>> believe). I'm only having issues with Disqus.
>>>>
>>>>
>>>> On Mon, May 27, 2013 at 11:37 PM, Alberto León <leontiscar at gmail.com> wrote:
>>>>
>>>> > I find a similar problem in Mono 3.0.4 on openSUSE each time I use
>>>> > LinqToTwitter or any library that connects with HTTPS.
>>>> >
>>>> > But in Debian with Mono 3.0.3 I never found this problem.
>>>> >
>>>> > I suppose it is at the configuration level, but I have no idea what is
>>>> > necessary to change.
>>>> >
>>>> >
>>>> > 2013/5/27 Daniel Lo Nigro <lists at dan.cx>
>>>> >
>>>> >> Hi,
>>>> >>
>>>> >> My code is trying to connect to the Disqus API (https://disqus.com/),
>>>> >> but I have started getting an "Invalid certificate received from server"
>>>> >> error. I've tried running mozcerts --sync to load the latest Mozilla
>>>> >> root CAs, and connecting to other SSL/TLS works fine. I am using Mono
>>>> >> 3.0.7, but I encounter the same issue on Mono 3.0.10. Strangely, running
>>>> >> tlstest doesn't output anything apart from the URL:
>>>> >>
>>>> >> 23:21 daniel at dan /tmp
>>>> >> % mono tlstest.exe https://disqus.com/
>>>> >>
>>>> >> https://disqus.com/
>>>> >>
>>>> >> But it works fine for other servers:
>>>> >> 23:22 daniel at dan /tmp
>>>> >> % mono tlstest.exe https://google.com/
>>>> >>
>>>> >> https://google.com/
>>>> >> [Subject]
>>>> >>   CN=*.google.com, O=Google Inc, L=Mountain View, S=California, C=US
>>>> >> ...etc...
>>>> >>
>>>> >> Below is the exception I'm getting:
>>>> >> System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure
>>>> >> ---> System.IO.IOException: The authentication or decryption has failed.
>>>> >> ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
>>>> >>   at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x0009b] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs:218
>>>> >>   at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00054] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs:105
>>>> >>   at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00037] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake/HandshakeMessage.cs:105
>>>> >>   at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
>>>> >>   at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00039] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs:81
>>>> >>   at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00123] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:397
>>>> >>   --- End of inner exception stack trace ---
>>>> >>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x0002a] in /usr/local/src/mono-3.0.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:100
>>>> >>   --- End of inner exception stack trace ---
>>>> >>   at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00065] in /usr/local/src/mono-3.0.7/mcs/class/System/System.Net/HttpWebRequest.cs:926
>>>> >>   at System.Net.HttpWebRequest.GetResponse () [0x0000e] in /usr/local/src/mono-3.0.7/mcs/class/System/System.Net/HttpWebRequest.cs:932
>>>> >>   at ServiceStack.Text.WebRequestExtensions.GetStringFromUrl (System.String url, System.String acceptContentType, System.Action`1 responseFilter) [0x00000] in <filename unknown>:0
>>>> >>   at ServiceStack.Text.WebRequestExtensions.GetJsonFromUrl (System.String url, System.Action`1 responseFilter) [0x00000] in <filename unknown>:0
>>>> >>   at Daniel15.BusinessLayer.Services.DisqusComments.Sync () [0x0001e] in c:\Users\Daniel\Documents\Visual Studio 2010\Projects\dan.cx_dotnet\Daniel15.BusinessLayer\Services\DisqusComments.cs:58
>>>> >>   at Daniel15.Cron.CronRunner.Run (System.String operation) [0x00021] in c:\Users\Daniel\Documents\Visual Studio 2010\Projects\dan.cx_dotnet\Daniel15.Cron\CronRunner.cs:24
>>>> >>   at Daniel15.Cron.CronRunner.Main (System.String[] args) [0x00000] in c:\Users\Daniel\Documents\Visual Studio 2010\Projects\dan.cx_dotnet\Daniel15.Cron\CronRunner.cs:11
>>>> >>
>>>> >> Any ideas?
>>>> > --
>>>> > https://twitter.com/AlbertCSharpMan
>>>> > http://stackoverflow.com/users/690958/alberto-leon
>>>>
>>>
>>> _______________________________________________
>>> Mono-list maillist  -  Mono-list at lists.ximian.com
>>> http://lists.ximian.com/mailman/listinfo/mono-list
>>>
>>>
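The negotiation point made in the quoted replies (the server selects from the suites the client lists in its ClientHello, and different clients can therefore end up on Camellia or AES against the same server), shown as an added example that is not code from the thread or from Mono. The ClientHello bytes, the client offers and the server configuration are constructed for illustration; the suite IDs are the IANA values.

```python
import struct

# IANA cipher suite IDs for the suites named in the thread, plus two common ones.
SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
          0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"}

def build_client_hello(suite_ids):
    """Constructed TLS 1.0 ClientHello handshake message, no extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00"    # version, random, empty session id
    body += struct.pack("!H", 2 * len(suite_ids))
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                          # one compression method: null
    return b"\x01" + len(body).to_bytes(3, "big") + body

def offered_suites(msg):
    """Extract the cipher_suites vector from a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                 # skip client_version and random
    pos += 1 + body[pos]                         # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, n, 2)]

def negotiate(msg, server_suites, honor_client_order=True):
    """Suite name the server would select, or None (it answers handshake_failure)."""
    offered = offered_suites(msg)
    first, second = (offered, server_suites) if honor_client_order else (server_suites, offered)
    pick = next((s for s in first if s in second), None)
    return None if pick is None else SUITES.get(pick, hex(pick))

# Constructed server configuration and client offers, for illustration only.
SERVER = [0x0088, 0x0039, 0x002F]
CAMELLIA_FIRST = build_client_hello([0x0088, 0x0039, 0x002F])
AES_FIRST = build_client_hello([0x0039, 0x0088, 0x002F])
NO_CAMELLIA = build_client_hello([0x0039, 0x002F, 0x0005])
RC4_ONLY = build_client_hello([0x0005])

if __name__ == "__main__":
    for name, hello in [("camellia-first", CAMELLIA_FIRST), ("aes-first", AES_FIRST),
                        ("no-camellia", NO_CAMELLIA), ("rc4-only", RC4_ONLY)]:
        print(name, "->", negotiate(hello, SERVER))
```

A client with no suite in common gets no selection at all, which is a handshake refusal. The exception in the thread is instead raised from `validateCertificates`, which runs on the server's Certificate message after a suite has already been selected.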