[Mono-list] Problem with mono and HtttpWebRequest (ssl)
Edward Ned Harvey (mono)
edward.harvey.mono at clevertrove.com
Tue Jun 16 13:13:10 UTC 2015
> From: mono-list-bounces at lists.ximian.com [mailto:mono-list-
> bounces at lists.ximian.com] On Behalf Of Edward Ned Harvey (mono)
>
> Try using these guys on your company server, and see what they say. If you
> have a broken server SSL configuration, they'll expose it for you.
> https://www.ssllabs.com/ssltest/index.html
Oh, sorry - I just saw that you already did that. And also helpful, in the SSLLabs report, it says your hostname, www.mars-solutions.de, and also helpful, when I repeat my test run, connecting to *your* company server, I get the exception just like you. Exception in mono only, not in windows.
The most obvious explanation would be if the server cert (or chain) used Elliptic Curve, which isn't supported by mono - so I looked for that, but I didn't see any reason to suspect it. I didn't look *exhaustively* so I could be wrong (need to check the server cert, the chain, and root), but at a quick glance, I don't think you're bumping into an EC problem.
I noticed, on the SSLLabs report, every single client handshake negotiated ECDHE, which isn't supported by mono. So maybe your server has disabled protocols that don't use ECDHE?
Mono only supports up to TLS 1.0, but I noticed in SSLLabs, that your server *does* support TLS1.0, so that's good.
The next most obvious thing to check for would be to ensure the CA root is trusted - I know it's Comodo, and seems like it's common and should be expected to be trusted, but perhaps Comodo pushed out a new cert that just hasn't propagated down through Mozilla yet. It'll take a little bit of effort to scan through ~/.config/.mono/certs (or the equivalent system directory) and ensure the root CA is present.
My best guess is that your server doesn't support below ECDHE.
They are working on pulling the Microsoft code into the mono TLS stack, which will solve lots of problems, but I don't know how soon it will be ready. Could it be years away still? Don't know.
More information about the Mono-list
mailing list