Bug 2047 - Certificate chain incomplete in ServerCertificateValidationCallback - PartialChain Error
Status: RESOLVED FIXED
Alias: None
Product: Android
Classification: Xamarin
Component: BCL Class Libraries
Version: 1.9.2
Hardware: PC Windows
Importance: --- normal
Target Milestone: ---
Assignee: Bugzilla
 
Reported: 2011-11-16 03:33 UTC by Dominik Schmidt
Modified: 2012-12-02 10:38 UTC


Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.



Description Dominik Schmidt 2011-11-16 03:33:09 UTC
Hi support, 

we found a problem while using a web service (.net 2.0 Web reference) with SSL. We use a ServicePointManager.ServerCertificateValidationCallback for validating the server certificates.

In normal operation our server sends a certificate chain like this: 
> CN=Fujitsu Technology Solutions Root CA
--> CN=Fujitsu Technology Solutions User CA
----> CN=pxxxxxix.xxx.fsc.net, OU=xxxxxxxx

CN=pxxxxxix.xxx.fsc.net, OU=xxxxxxxx is the server certificate and has the issuer "CN=Fujitsu Technology Solutions User CA". 
User CA has the issuer "CN=Fujitsu Technology Solutions Root CA"

We wrote a Windows console app to test the Certificate Validation Callback. The Root CA and User CA were not part of the local certificate store!

We used this method to check the X509Chain: 

using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Diagnostic callback: prints every element of the chain the runtime built.
// It returns true unconditionally, so it only inspects the chain and never
// rejects a server certificate; it is a test harness, not production validation.
public static bool CertificateValidationCallBack(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    try
    {
        // Walk the chain from the leaf (server certificate) up to the root.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            Console.WriteLine("\nElement issuer name            : {0}", element.Certificate.Issuer);
            Console.WriteLine("Certificate SubjectName        : {0}", element.Certificate.SubjectName.Name);
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine("Cert Error: " + ex.Message);
    }

    return true;
}


The result is something like this: 

Element issuer name            : CN=Fujitsu Technology Solutions User CA
Certificate SubjectName        : CN=pxxxxxix.xxx.fsc.net, OU=xxxxxxxx

Element issuer name            : CN=Fujitsu Technology Solutions Root CA
Certificate SubjectName        : CN=Fujitsu Technology Solutions User CA

Element issuer name            : CN=Fujitsu Technology Solutions Root CA
Certificate SubjectName        : CN=Fujitsu Technology Solutions Root CA



Now we tested the same method on MonoAndroid. And we got this result: 

Element issuer name            : CN=Fujitsu Technology Solutions User CA
Certificate SubjectName        : CN=pxxxxxix.xxx.fsc.net, OU=xxxxxxxx


As you can see, the certificate chain is incomplete!
And as a result we are getting a chain error: PartialChain. 

The next step was trying the stuff with Mono directly. So we created a new project in Mono / CentOS6. We used the same web service and the same callback as above. 

We tested the resulting application on CentOS and got this result: 

[root@CentOS6 Debug]# mono ./ZertCheck.exe 
Element issuer name            : CN=Fujitsu Technology Solutions User CA
Certificate SubjectName        : CN=pxxxxxix.xxx.fsc.net, OU=xxxxxxxx



The same (!!) Mono executable on Windows gives this result: 

Element issuer name            : CN=Fujitsu Technology Solutions User CA
Certificate SubjectName        : CN=pxxxxxix.xxx.fsc.net, OU=xxxxxxxx

Element issuer name            : CN=Fujitsu Technology Solutions Root CA
Certificate SubjectName        : CN=Fujitsu Technology Solutions User CA

Element issuer name            : CN=Fujitsu Technology Solutions Root CA
Certificate SubjectName        : CN=Fujitsu Technology Solutions Root CA


It seems to us that there is a general bug in the SSL lib. Maybe it's a problem in the ServicePointManager implementation on Mono?

We hope you can fix this annoying bug, which cost us about two days of debugging!
Since SSL is a must for our application, it's a big blocking point at the moment in using MonoAndroid. 

If I can assist you in finding the bug, please let me know what I can do. It's also possible to establish an online screen session if you like. 

Hoping for a fix. 

Dominik Schmidt
IC Consultant
FUJITSU
Comment 1 Dominik Schmidt 2011-11-16 08:38:16 UTC
Hi Support, 

I solved the problem.

MonoAndroid needs to import the Root certificate. 
I found a good description here: 
http://www.zachtronicsindustries.com/dev-post-x-509-certificates-in-mono/

And some useful information here: 
http://www.mono-project.com/UsingTrustedRootsRespectfully

Best regards
  Dominik Schmidt
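
Added example (editor's code, not code from the bug report, from Mono or from Xamarin): a validation callback that expresses the fix from Comment 1 in code. The diagnostic callback in the description returns true for every certificate, so it accepts any server; the version below instead rebuilds the chain with the Root CA and User CA supplied from files bundled with the application (via X509Chain.ChainPolicy.ExtraStore, so nothing needs to be in the device's certificate store) and only accepts a chain that ends in the expected root. The file names ca/root.cer and ca/user.cer, the thumbprint constant and the class name are assumptions for illustration; the code uses only the System.Security.Cryptography.X509Certificates API available since .NET 2.0, and chain building on the 2011 Mono/MonoAndroid runtimes may behave differently from Windows, which is what this bug is about.

```csharp
// Added example, not part of the original bug report.
// Assumed: ca/root.cer and ca/user.cer are DER/PEM files shipped with the app,
// and ExpectedRootThumbprint is the SHA-1 thumbprint of
// "CN=Fujitsu Technology Solutions Root CA" (placeholder value below).
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedChainValidator
{
    // Placeholder; replace with the real thumbprint of the bundled root certificate.
    const string ExpectedRootThumbprint = "0000000000000000000000000000000000000000";

    // CA certificates bundled with the application (assumed paths).
    static readonly X509Certificate2Collection BundledCas = LoadCas("ca/root.cer", "ca/user.cer");

    static X509Certificate2Collection LoadCas(params string[] paths)
    {
        var cas = new X509Certificate2Collection();
        foreach (string path in paths)
            cas.Add(new X509Certificate2(File.ReadAllBytes(path)));
        return cas;
    }

    // Hook the callback into ServicePointManager for all HttpWebRequest/web reference calls.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Host name mismatch or a missing certificate is fatal whatever the chain looks like.
        if (certificate == null ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
            (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        // Build our own chain: the runtime's chain may be partial when the store lacks the CAs.
        var leaf = new X509Certificate2(certificate);
        var ownChain = new X509Chain();
        ownChain.ChainPolicy.ExtraStore.AddRange(BundledCas);
        // The bundled root is not in the machine trust store, so an UntrustedRoot status is
        // expected; we accept it here and verify the root identity ourselves below.
        ownChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        // Offline example; use X509RevocationMode.Online where CRL/OCSP is reachable.
        ownChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        if (!ownChain.Build(leaf))
            return false; // PartialChain, NotTimeValid, bad signature, ... all land here

        // Build() can succeed and still report statuses; reject anything other than UntrustedRoot.
        foreach (X509ChainStatus status in ownChain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NoError &&
                status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // The chain must terminate in our bundled root, not in an arbitrary self-signed certificate.
        X509ChainElement root = ownChain.ChainElements[ownChain.ChainElements.Count - 1];
        return string.Equals(root.Certificate.Thumbprint, ExpectedRootThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Call PinnedChainValidator.Install() once at startup, before the first web service call. The root thumbprint comparison is what turns "the chain builds" into "the chain builds to the CA we expect"; without it, AllowUnknownCertificateAuthority would let any self-signed root pass. If the chain still comes back as PartialChain with the CAs in ExtraStore, the intermediate (User CA) file is the first thing to check, since the server in this report relies on the client to know it.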