Bug #640
Validation of certificates always fails
| Status: | New | Start: | 11/01/2011 |
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Complexity: | | Found in Version: | |
| Votes: | 0 | | |
Description
When connecting to IRC or XMPP servers the certificate validation always fails even when importing their CA and the certificate itself into Mono's certificate storage using the certmgr utility:
openssl x509 -in /etc/ssl/certs/Equifax_Secure_CA.pem -out Equifax_Secure_CA.crt -outform der
certmgr -add -c CA Equifax_Secure_CA.crt
certmgr -list -c CA
Mono Certificate Manager - version 2.6.7.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
Self-signed X.509 v3 Certificate
Serial Number: CFF4DE35
Issuer Name: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject Name: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Valid From: 8/22/1998 6:41:51 PM
Valid Until: 8/22/2018 6:41:51 PM
Unique Hash: FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8
2011-11-01 12:11:07,831 [-289690768] ERROR Smuxi.Engine.XmppProtocolManager - OnError(): Exception System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x0026f] in /tmp/buildd/mono-2.6.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs:323
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00054] in /tmp/buildd/mono-2.6.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake.Client/TlsServerCertificate.cs:105
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00037] in /tmp/buildd/mono-2.6.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls.Handshake/HandshakeMessage.cs:105
  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00039] in /tmp/buildd/mono-2.6.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs:81
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00127] in /tmp/buildd/mono-2.6.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:397
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x0002a] in /tmp/buildd/mono-2.6.7/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:102
Related issues
| related to Smuxi - Bug #545 | Connecting to irc.tinfoilnet.nu with SSL fails | New | 11/08/2010 |
History
Updated by Mirco Bauer 566 days ago
Certificates can be checked using the Mono tlstest tool found here:
https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs
Updated by Mirco Bauer 566 days ago
wget https://raw.github.com/mono/mono/master/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs
gmcs tlstest.cs -r:Mono.Security
certmgr --ssl https://talk.google.com
Mono Certificate Manager - version 2.6.7.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
X.509 Certificate v3
Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issued to: C=US, S=California, L=Mountain View, O=Google Inc., CN=talk.google.com
Valid from: 4/11/2007 7:20:16 PM
Valid until: 4/10/2012 7:20:16 PM
This certificate is already in the AddressBook store.
No certificate were added to the stores.
./tlstest.exe --tls https://talk.google.com
https://talk.google.com
[Subject]
CN=talk.google.com, O=Google Inc., L=Mountain View, S=California, C=US
[Issuer]
OU=Equifax Secure Certificate Authority, O=Equifax, C=US
[Not Before]
4/11/2007 7:20:16 PM
[Not After]
4/10/2012 7:20:16 PM
[Thumbprint]
953FBE4D549B7E700EC14782C68CD09F9B512BCE
Valid From: 4/11/2007 7:20:16 PM
Valid Until: 4/10/2012 7:20:16 PM
Error #-2146762486: CERT_E_CHAINING 0x800B010A
Updated by Mirco Bauer 562 days ago
On Mono 2.10.5 the same issue happens:
meebey@redhorse:~$ openssl x509 -in /etc/ssl/certs/Equifax_Secure_CA.pem -out Equifax_Secure_CA.crt -outform der
meebey@redhorse:~$ certmgr -add -c CA Equifax_Secure_CA.crt
Mono Certificate Manager - version 2.10.5.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
1 certificate(s) added to store CA.
meebey@redhorse:~/tmp$ wget https://raw.github.com/mono/mono/master/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs
--2011-11-05 17:51:01-- https://raw.github.com/mono/mono/master/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs
Resolving raw.github.com (raw.github.com)... 207.97.227.243
Connecting to raw.github.com (raw.github.com)|207.97.227.243|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9475 (9.3K) [text/plain]
Saving to: `tlstest.cs'
100%[=================================================================================================>] 9,475 --.-K/s in 0s
2011-11-05 17:51:07 (93.5 MB/s) - `tlstest.cs' saved [9475/9475]
meebey@redhorse:~/tmp$ gmcs tlstest.cs -r:Mono.Security
tlstest.cs(172,37): warning CS0618: `System.Net.ServicePointManager.CertificatePolicy' is obsolete: `Use ServerCertificateValidationCallback instead'
tlstest.cs(201,40): warning CS0618: `System.Net.Dns.Resolve(string)' is obsolete: `Use GetHostEntry instead'
Compilation succeeded - 2 warning(s)
meebey@redhorse:~/tmp$ certmgr --ssl https://talk.google.com
Mono Certificate Manager - version 2.10.5.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
X.509 Certificate v3
Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issued to: C=US, S=California, L=Mountain View, O=Google Inc., CN=talk.google.com
Valid from: 4/11/2007 5:20:16 PM
Valid until: 4/10/2012 5:20:16 PM
Import this certificate into the AddressBook store ?y
1 certificate added to the stores.
meebey@redhorse:~/tmp$ certmgr --ssl https://talk.google.com
Mono Certificate Manager - version 2.10.5.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
X.509 Certificate v3
Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Issued to: C=US, S=California, L=Mountain View, O=Google Inc., CN=talk.google.com
Valid from: 4/11/2007 5:20:16 PM
Valid until: 4/10/2012 5:20:16 PM
This certificate is already in the AddressBook store.
No certificate were added to the stores.
meebey@redhorse:~/tmp$ certmgr -list -c CA
Mono Certificate Manager - version 2.10.5.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
Self-signed X.509 v3 Certificate
Serial Number: CFF4DE35
Issuer Name: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Subject Name: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
Valid From: 8/22/1998 4:41:51 PM
Valid Until: 8/22/2018 4:41:51 PM
Unique Hash: FFA3AC0084DA1673B5A031EBB2156B3E8FBBF6D8
meebey@redhorse:~/tmp$ certmgr -list -c My
Mono Certificate Manager - version 2.10.5.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
meebey@redhorse:~/tmp$ ./tlstest.exe --tls https://talk.google.com
https://talk.google.com
[Subject]
CN=talk.google.com, O=Google Inc., L=Mountain View, S=California, C=US
[Issuer]
OU=Equifax Secure Certificate Authority, O=Equifax, C=US
[Not Before]
4/11/2007 7:20:16 PM
[Not After]
4/10/2012 7:20:16 PM
[Thumbprint]
953FBE4D549B7E700EC14782C68CD09F9B512BCE
Valid From: 4/11/2007 7:20:16 PM
Valid Until: 4/10/2012 7:20:16 PM
Error #-2146762486: CERT_E_CHAINING 0x800B010A
Updated by Mirco Bauer 126 days ago
Here are some useful SSL debugging commands:
gnutls-cli -V irc.oftc.net --port 6697 --crlf --x509cafile /etc/ssl/certs/ca-certificates.crt
openssl s_client -showcerts -host irc.oftc.net -port 6697 -CApath /etc/ssl/certs
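The two commands above need a live server. As an added example, which is not code from this bug report, from Smuxi or from Mono, the script below reproduces the kind of failure behind CERT_E_CHAINING offline: it builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and verifies the leaf with nothing trusted, with only the root trusted, and with the root trusted plus the intermediate supplied, then repeats the last case with a right and a wrong host name. The CA names, the working directory and the host name irc.example.test are assumptions. One caveat worth checking against the transcripts in this ticket: certmgr's CA store is the intermediate-CA store, and Mono takes its trusted roots from the Trust store (the one mozroots populates), so a root imported with -c CA is not necessarily treated as a trust anchor.

```shell
#!/bin/sh
# Added example, not code from the Smuxi bug report or from Mono.
# Reproduces a CERT_E_CHAINING-style failure offline with the openssl CLI.
# A throwaway PKI (root CA -> intermediate CA -> leaf for a made-up host)
# is generated under $WORK, and the leaf is verified several ways.
# All names, paths and the host name irc.example.test are assumptions.
set -e

WORK="${TMPDIR:-/tmp}/chaintest.$$"
trap 'rm -rf "$WORK"' EXIT

# Generate root, intermediate and leaf. Keys are ephemeral 2048-bit RSA.
# Extensions come from small -extfile files so the result does not depend
# on the sections present in the system openssl.cnf.
make_chain() {
    mkdir -p "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:irc.example.test\n' \
        > "$WORK/leaf.ext"

    # Self-signed root CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/int.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1

    # Leaf (server) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=irc.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Verify the leaf with the given openssl verify options; print ok or fail
# instead of aborting under set -e.
verify_leaf() {
    if openssl verify "$@" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Print the five cases. The second one is the openssl counterpart of
# CERT_E_CHAINING: the trust anchor is present, but no chain from the leaf
# reaches it because the intermediate is missing.
show_results() {
    printf 'no trusted root (throwaway root is not in the system store): %s\n' \
        "$(verify_leaf)"
    printf 'root trusted, intermediate missing:                          %s\n' \
        "$(verify_leaf -CAfile "$WORK/root.crt")"
    printf 'root trusted, intermediate supplied:                         %s\n' \
        "$(verify_leaf -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt")"
    printf 'same chain, host name irc.example.test:                      %s\n' \
        "$(verify_leaf -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
            -verify_hostname irc.example.test)"
    printf 'same chain, host name other.example.test:                    %s\n' \
        "$(verify_leaf -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
            -verify_hostname other.example.test)"
}

make_chain
show_results
```

Run it as sh chaintest.sh; the expected results are fail, fail, ok, ok, fail. The second line is the case to compare with the ticket: a correct trust anchor alone is not enough, the client must also be able to build the path from the leaf to it, which is why a server that omits its intermediate certificate, or a client that looks for the root in the wrong store, fails in the same way. The last two lines show the separate host-name check that a TLS client must perform on top of path validation.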