csharp: System.Net.WebClient fails to verify letsencrypt SSL chains that include the expired "DST Root CA X3" certificate

Uwe Kleine-König Thu, 14 Oct 2021 01:06:13 -0700

Package: mono-csharp-shell
Version: 6.8.0.105+dfsg-3.2
Severity: normal

Hello,


        csharp -e 'new System.Net.WebClient ().DownloadString 
("https://letsencrypt.org/";)'

currently fails with a TrustFailure. The certificate that (currently) is
served there looks as follows:

Certificate chain
 0 s:CN = lencr.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

(taken from

        openssl s_client -connect letsencrypt.org:https

). For a similar setup webserver connecting using the above commandline
succeeds when the "DST Root CA X3" certificate is taken out of the
provided chain.

I guess the ssl verifying component in mono has the same problem as
openssl < 1.1.0, i.e. the expired "DST Root CA X3" certificate makes the
verification fail even though the "ISRG Root X1" is trusted.

This breaks keepass2 when it's setup to have the password-db on a
https-secured webdav store.

Similar bug reports can be found on the net, e.g.:

        https://sourceforge.net/p/keepass/discussion/329221/thread/21747e1096/

(I don't really know about mono and so probably picked the wrong Package
to report this problem against, please reassign accordingly.)

Best regards
Uwe

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-security
  APT policy: (700, 'stable-security'), (700, 'stable-debug'), (700, 
'oldstable-updates'), (700, 'stable'), (700, 'oldstable'), (600, 'unstable'), 
(500, 'unstable-debug'), (500, 'oldstable-debug'), (500, 'oldoldstable'), (499, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, arm64

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages mono-csharp-shell depends on:
ii  libc6                      2.31-13
ii  libmono-corlib4.5-cil      6.8.0.105+dfsg-3.2
ii  libmono-csharp4.0c-cil     6.8.0.105+dfsg-3.2
ii  libmono-management4.0-cil  6.8.0.105+dfsg-3.2
ii  libmono-system4.0-cil      6.8.0.105+dfsg-3.2
ii  mono-runtime               6.8.0.105+dfsg-3.2

mono-csharp-shell recommends no packages.

mono-csharp-shell suggests no packages.

-- no debconf information

Bug#996447: /usr/bin/csharp: System.Net.WebClient fails to verify letsencrypt SSL chains that include the expired "DST Root CA X3" certificate

Reply via email to