
List:       mono-list
Subject:    Re: [Mono-list] Connecting to Google via SSL
From:       Sebastien Pouliot <sebastien.pouliot () gmail ! com>
Date:       2009-12-22 13:17:53
Message-ID: 1261487873.3113.35.camel () mizar ! home

Hello Craig,

On Mon, 2009-12-21 at 11:00 +0000, Craig Box wrote:
> Hi all,
> 
> I'm having trouble coaxing Mono to connect to Google via SSL
> (specifically to do OpenID verification).  

First things first, which version of Mono are you using ?

> Because this is a security protocol, I don't want to implement the
> "always return true" certificate checking policy in my application.
> I've imported the Mozilla root certificates, and I've tried getting
> the certificate with certmgr -ssl, but there just seems to be
> something wrong with it that Mono doesn't like.

That's the right step. In fact executing only mozroots should be enough.

> Running a0.exe (from
> http://www.mono-project.com/UsingTrustedRootsRespectfully), which just
> creates a WebRequest, I get this result:
> 
> user@host:~$ mono a0.exe https://www.google.com/accounts/o8/id
> 
> Unhandled Exception: System.Net.WebException: Error getting response
> stream (Write): SendFailure ---> System.IO.IOException: The
> authentication or decryption has failed. --->
> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received
> from server.
> at
> Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates \
> (Mono.Security.X509.X509CertificateCollection certificates) [0x00000]  at
> Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () \
> [0x00000]  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
> [0x00000] 
> at (wrapper remoting-invoke-with-check)
> Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
> at
> Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage \
> (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]  at
> Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback \
>                 (IAsyncResult asyncResult) [0x00000] 
> --- End of inner exception stack trace ---
> at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback
> (IAsyncResult asyncResult) [0x00000] 
> --- End of inner exception stack trace ---
> at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult
> asyncResult) [0x00000] 
> at System.Net.HttpWebRequest.GetResponse () [0x00000] 
> at Program.Main (System.String[] args) [0x00000] 
> 
> 
> Running tlstest from the Security FAQ:
> 
> user@host:~$ mono tlstest.exe https://www.google.com/
> 
> https://www.google.com/
> CERTIFICATE:
> Format:  X509
> Name:  C=US, S=California, L=Mountain View, O=Google Inc,
> CN=www.google.com
> Issuing CA:  C=US, O=Google Inc, CN=Google Internet Authority
> Key Algorithm:  1.2.840.113549.1.1.1
> Serial Number:  B30D000003009A1E6652
> Key Alogrithm Parameters:  0500
> Public Key:
> 30818902818100A5B4503FB81314B5E96F9A3E30DD06ECAA266EDCDE9E4ED29EEC6421E24EA10D3A221A \
> 7F15A51BAA110E49B454E66A258D10F631CE100E51B33CA0496BAE2AA463A3F8010BA89A8491CAF7690E \
> 4F367926ACD502F902FF850E5C98F23AAD62FBF7AE13914FA730F2CFCCF5698E5F80D3352A0CA5041698E8EDED99F9C9CAFE5F0203010001
>  
> 
> Valid From:  11/12/2009 12:36:10 PM
> Valid Until: 11/12/2010 12:46:10 PM
> 
> Error #-2146762490: CERT_E_PURPOSE 0x800B0106
> Error #-2146762486: CERT_E_CHAINING 0x800B010A
> 
> 
> Importing with certmgr:
> 
> $ certmgr -ssl https://www.google.com/
> Mono Certificate Manager - version 2.4.0.0
> Manage X.509 certificates and CRL from stores.
> Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell.
> BSD licensed.
> 
> 
> X.509 Certificate v3
> Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate
> Authority
> Issued to:   C=US, O=Google Inc, CN=Google Internet Authority
> Valid from:  6/8/2009 9:43:27 PM
> Valid until: 6/7/2013 8:43:27 PM
> *** WARNING: Certificate signature is INVALID ***
> 
> 
> I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not
> matching, being an error on Gmail).  Running tlstest on www.gmail.com
> adds another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F
> - which suggests that it might be separate from this issue.  
> If not, I probably need a newer point-release of Mono 2.4 and would
> like to know which version this fix was backported to.

Any 2.4.x version released after August 20th, 2009 (which afaik means
only 2.4.3) or 2.6[.x] will have the fix.

> If it's as simple as importing an intermediate certificate, could
> someone please help me with identifying which?  

This is not required 99% of the time - i.e. unless you're dealing with
an app/protocol that does not give you a certificate chain. 

This is not an issue with SSL/TLS. It gives you the whole chain - but
without the root certificate (which would not help anyway).

> I have tried pulling down the certificates with openssl s_client, and
> importing them with certmgr -add -c Trust. 

Never do that. Intermediate certificates should not be directly trusted.
You'll run into problems later if any of the intermediate certificates
are revoked.

Sebastien
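As an added illustration (not code from the thread or from the Mono project), this is the shape of a validation callback that keeps the real checks instead of the "always return true" policy Craig wanted to avoid: it accepts only a clean result and reports why validation failed, so the fix is made in the trust store (mozroots) rather than by disabling checking. It assumes the .NET 2.0+ ServicePointManager.ServerCertificateValidationCallback hook and a URL passed on the command line.

```csharp
// Added example: strict server-certificate validation for HttpWebRequest.
// Assumes ServicePointManager.ServerCertificateValidationCallback (.NET 2.0+).
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class StrictTls
{
    // The anti-pattern the thread refers to: every certificate is accepted,
    // so the TLS connection no longer authenticates the server at all.
    static bool AcceptAnything(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        return true; // do not install this
    }

    // Hardened version: accept only SslPolicyErrors.None, log everything else.
    static bool ValidateStrictly(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.Error.WriteLine("TLS validation failed for {0}: {1}",
                                cert.Subject, errors);
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            // The failure class behind CERT_E_CHAINING in the thread: no path to a
            // trusted root, typically because the root store is empty (run mozroots).
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("  chain: {0} ({1})",
                                        s.Status, s.StatusInformation.Trim());
        }
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.Error.WriteLine("  host name does not match the certificate (CN mismatch)");
        return false; // never override the failure
    }

    static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://www.google.com/accounts/o8/id";
        ServicePointManager.ServerCertificateValidationCallback = ValidateStrictly;
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        using (WebResponse resp = req.GetResponse())
            Console.WriteLine("OK, response length {0}", resp.ContentLength);
    }
}
```

With an empty root store the hardened callback prints the chain status and the request still throws, which is the intended outcome; after mozroots has populated the store the same code connects without any callback change.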
