Hello Craig,

On Mon, 2009-12-21 at 11:00 +0000, Craig Box wrote:
> Hi all,
>
> I'm having trouble coaxing Mono to connect to Google via SSL
> (specifically to do OpenID verification).

First things first, which version of Mono are you using ?

> Because this is a security protocol, I don't want to implement the
> "always return true" certificate checking policy in my application.
> I've imported the Mozilla root certificates, and I've tried getting
> the certificate with certmgr -ssl, but there just seems to be
> something wrong with it that Mono doesn't like.

That's the right step. In fact executing only mozroots should be enough.

> Running a0.exe (from
> http://www.mono-project.com/UsingTrustedRootsRespectfully), which just
> creates a WebRequest, I get this result:
>
> u...@host:~$ mono a0.exe https://www.google.com/accounts/o8/id
>
> Unhandled Exception: System.Net.WebException: Error getting response
> stream (Write): SendFailure ---> System.IO.IOException: The
> authentication or decryption has failed. --->
> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received
> from server.
>   at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000]
>   at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000]
>   at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000]
>   at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
>   at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000]
>   at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000]
>   --- End of inner exception stack trace ---
>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000]
>   --- End of inner exception stack trace ---
>   at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000]
>   at System.Net.HttpWebRequest.GetResponse () [0x00000]
>   at Program.Main (System.String[] args) [0x00000]
>
>
> Running tlstest from the Security FAQ:
>
> u...@host:~$ mono tlstest.exe https://www.google.com/
>
> https://www.google.com/
> CERTIFICATE:
> Format: X509
> Name: C=US, S=California, L=Mountain View, O=Google Inc, CN=www.google.com
> Issuing CA: C=US, O=Google Inc, CN=Google Internet Authority
> Key Algorithm: 1.2.840.113549.1.1.1
> Serial Number: B30D000003009A1E6652
> Key Alogrithm Parameters: 0500
> Public Key: 30818902818100A5B4503FB81314B5E96F9A3E30DD06ECAA266EDCDE9E4ED29EEC6421E24EA10D3A221A7F15A51BAA110E49B454E66A258D10F631CE100E51B33CA0496BAE2AA463A3F8010BA89A8491CAF7690E4F367926ACD502F902FF850E5C98F23AAD62FBF7AE13914FA730F2CFCCF5698E5F80D3352A0CA5041698E8EDED99F9C9CAFE5F0203010001
>
> Valid From: 11/12/2009 12:36:10 PM
> Valid Until: 11/12/2010 12:46:10 PM
>
> Error #-2146762490: CERT_E_PURPOSE 0x800B0106
> Error #-2146762486: CERT_E_CHAINING 0x800B010A
>
>
> Importing with certmgr:
>
> $ certmgr -ssl https://www.google.com/
> Mono Certificate Manager - version 2.4.0.0
> Manage X.509 certificates and CRL from stores.
> Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell.
> BSD licensed.
>
> X.509 Certificate v3
> Issued from: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> Issued to: C=US, O=Google Inc, CN=Google Internet Authority
> Valid from: 6/8/2009 9:43:27 PM
> Valid until: 6/7/2013 8:43:27 PM
> *** WARNING: Certificate signature is INVALID ***
>
>
> I've read https://bugzilla.novell.com/show_bug.cgi?id=545015 (CN not
> matching, being an error on Gmail). Running tlstest on www.gmail.com
> adds another error - Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F
> - which suggests that it might be separate from this issue.
> If not, I probably need a newer point-release of Mono 2.4 and would
> like to know which version this fix was backported to.

Any 2.4.x version released after August 20th, 2009 (which afaik means only 2.4.3) or 2.6[.x] will have the fix.

> If it's as simple as importing an intermediate certificate, could
> someone please help me with identifying which?

This is not required 99% of the time - i.e. unless you're dealing with an app/protocol that does not give you a certificate chain. This is not an issue with SSL/TLS. It gives you the whole chain - but without the root certificate (which would not help anyway).

> I have tried pulling down the certificates with openssl s_client, and
> importing them with certmgr -add -c Trust.

Never do that. Intermediate certificates should not be directly trusted. You'll run into problems later if any of the intermediate certificates are revoked.

Sebastien

_______________________________________________
Mono-list maillist
http://lists.ximian.com/mailman/listinfo/mono-list
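The thread turns on two points: the poster does not want an "always return true" certificate policy, and the reply warns against trusting intermediates directly because chain validation (and revocation) should do that work. The following is an added example, not code from the thread or from Mono's own sources. It installs a diagnostic `ServicePointManager.ServerCertificateValidationCallback` that reports the `SslPolicyErrors` and every `X509ChainStatus` the runtime produced, so a failure like `CERT_E_CHAINING` can be traced to the element that broke the chain, while still rejecting the connection. It assumes a Mono release that exposes `ServerCertificateValidationCallback` and passes a populated `X509Chain` to it (older releases may pass `null`, which the code guards against); the target URL is just the one from the thread.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the mailing-list thread): a diagnostic TLS
// validation callback that explains a chain failure without ever
// relaxing the policy. The connection is still refused on any error.
class TlsDiagnostics
{
    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true; // the runtime already validated the chain; nothing to add

        Console.Error.WriteLine("TLS validation failed: {0}", errors);
        Console.Error.WriteLine("  Subject: {0}", cert.Subject);
        Console.Error.WriteLine("  Issuer:  {0}", cert.Issuer);

        // Walk the chain the runtime built (leaf first) and print each element's
        // status, e.g. PartialChain (missing intermediate), UntrustedRoot
        // (root not in the store mozroots fills), NotSignatureValid, etc.
        if (chain != null && chain.ChainElements.Count > 0)
        {
            for (int i = 0; i < chain.ChainElements.Count; i++)
            {
                X509ChainElement el = chain.ChainElements[i];
                Console.Error.WriteLine("  [{0}] {1}", i, el.Certificate.Subject);
                foreach (X509ChainStatus s in el.ChainElementStatus)
                    Console.Error.WriteLine("        {0}: {1}",
                                            s.Status, s.StatusInformation.Trim());
            }
        }
        else
        {
            // Assumption: some runtimes hand the callback no chain at all.
            Console.Error.WriteLine("  (no chain supplied to the callback)");
        }

        // Diagnostics only: never accept a certificate the runtime rejected.
        return false;
    }

    static void Main(string[] args)
    {
        string url = args.Length > 0 ? args[0] : "https://www.google.com/";
        ServicePointManager.ServerCertificateValidationCallback = Validate;

        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        try
        {
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("{0} -> {1}", url, resp.StatusCode);
        }
        catch (WebException e)
        {
            // The callback has already written the reason to stderr.
            Console.WriteLine("Request failed: {0}", e.Message);
        }
    }
}
```

Run it as `mono tlsdiag.exe https://www.google.com/` (any name for the compiled assembly). Because the callback returns `false` on every error, a `PartialChain` or `UntrustedRoot` line points at the real fix (run `mozroots` so the root is trusted, or get the server to send its intermediates) rather than tempting you to import an intermediate into the Trust store, which is exactly what the reply warns against.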
