Hi all, I'm having trouble coaxing Mono to connect to Google via SSL (specifically to do OpenID verification). Because this is a security protocol, I don't want to implement the "always return true" certificate checking policy in my application. I've imported the Mozilla root certificates, and I've tried getting the certificate with certmgr -ssl, but there just seems to be something wrong with it that Mono doesn't like.
Running a0.exe (from http://www.mono-project.com/UsingTrustedRootsRespectfully), which just creates a WebRequest, I get this result: u...@host:~$ mono a0.exe https://www.google.com/accounts/o8/id Unhandled Exception: System.Net.WebException: Error getting response stream (Write): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process () at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] --- End of inner exception stack trace --- at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] --- End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] at System.Net.HttpWebRequest.GetResponse () [0x00000] at Program.Main (System.String[] args) [0x00000] Running tlstest from the Security FAQ: u...@host:~$ mono tlstest.exe https://www.google.com/ https://www.google.com/ CERTIFICATE: Format: X509 Name: C=US, S=California, L=Mountain View, O=Google Inc, CN= www.google.com Issuing CA: C=US, O=Google Inc, CN=Google Internet Authority Key Algorithm: 1.2.840.113549.1.1.1 Serial Number: B30D000003009A1E6652 Key Alogrithm Parameters: 0500 Public Key: 30818902818100A5B4503FB81314B5E96F9A3E30DD06ECAA266EDCDE9E4ED29EEC6421E24EA10D3A221A7F15A51BAA110E49B454E66A258D10F631CE100E51B33CA0496BAE2AA463A3F8010BA89A8491CAF7690E4F367926ACD502F902FF850E5C98F23AAD62FBF7AE13914FA730F2CFCCF5698E5F80D3352A0CA5041698E8EDED99F9C9CAFE5F0203010001 Valid From: 11/12/2009 12:36:10 PM Valid Until: 11/12/2010 12:46:10 PM Error #-2146762490: CERT_E_PURPOSE 0x800B0106 Error #-2146762486: CERT_E_CHAINING 0x800B010A Importing with certmgr: $ certmgr -ssl https://www.google.com/ Mono Certificate Manager - version 2.4.0.0 Manage X.509 certificates and CRL from stores. Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed. X.509 Certificate v3 Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority Issued to: C=US, O=Google Inc, CN=Google Internet Authority Valid from: 6/8/2009 9:43:27 PM Valid until: 6/7/2013 8:43:27 PM *** WARNING: Certificate signature is INVALID *** I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not matching, being an error on Gmail). Running tlstest on www.gmail.com adds another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F - which suggests that it might be separate from this issue. If not, I probably need a newer point-release of Mono 2.4 and would like to know which version this fix was backported to. If it's as simple as importing an intermediate certificate, could someone please help me with identifying which? I have tried pulling down the certificates with openssl s_client, and importing them with certmgr -add -c Trust. Regards Craig
_______________________________________________ Mono-list maillist - [email protected] http://lists.ximian.com/mailman/listinfo/mono-list
