Bug 26235 - SslStream fails to send client certificate when userCertificateSelectionCallback is null
Summary: SslStream fails to send client certificate when userCertificateSelectionCallb...
Status: RESOLVED DUPLICATE of bug 29437
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: 3.12.0
Hardware: PC Linux
Importance: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2015-01-21 09:54 UTC by lihalla
Modified: 2015-04-27 13:51 UTC
CC: 3 users

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
Test program (2.89 KB, text/plain)
2015-01-21 09:54 UTC, lihalla
Self signed certificate for testing (1.46 KB, application/octet-stream)
2015-01-21 09:55 UTC, lihalla


Description lihalla 2015-01-21 09:54:04 UTC
Created attachment 9435 [details]
Test program

Mono SslStream doesn't send a client certificate when there is no userCertificateSelectionCallback specified, i.e. when it is constructed with

public SslStream(
	Stream innerStream,
	bool leaveInnerStreamOpen,
	RemoteCertificateValidationCallback userCertificateValidationCallback
)

Attached is a test case that creates an SslStream for the client and the server. If any argument is passed to the program on the command line, then the client SslStream will be constructed with the callback; otherwise it is constructed without it. Output on Windows without Mono installed is:

$ ./SslTest.exe
Authenticating as a client
Authenticating as a server
Validating client certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Server authenticated
Validating server certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Client authenticated

$ ./SslTest.exe 1
Authenticating as a client
Authenticating as a server
Validating client certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Server authenticated
Validating server certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Client authenticated


But the program fails on Linux with Mono 3.12.0-0xamarin3:

$ mono --debug SslTest.exe 
Authenticating as a client
Authenticating as a server
Validating server certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Exception occured in server: System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.Handshake.Server.TlsClientCertificate.ProcessAsTls1 () [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in <filename unknown>:0 
  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ServerRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.RecordProtocol.ReceiveRecord (System.IO.Stream record) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslServerStream.EndNegotiateHandshake (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
Exception occured in client System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The server stopped the handshake.
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (IAsyncResult ar, Boolean ignoreEmpty) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (IAsyncResult result) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 

and succeeds with the certificate selection callback:

$ mono --debug SslTest.exe 1
Authenticating as a client
Authenticating as a server
Validating server certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Validating client certificate with hash C17D0EA92219015CC0F6F39A6E1A50879AB12E50
Server authenticated
Client authenticated


The test program assumes that there exists a certificate "test.pfx" in the current directory.

This bug affects Npgsql 2.2.0 when trying to connect to a PostgreSQL server using client certificate authentication and SslStream instead of SslClientStream. The server responds with "connection requires a valid client certificate", which means that no certificate was received by the server. While there is a way to log in to the server with an SSL certificate, it uses callbacks that are now obsolete in the NpgsqlConnection class.
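The following added example (not the reporter's attached SslTest program) shows the two client-side SslStream constructions the report compares, over a loopback TCP connection. It assumes a self-signed PFX named test.pfx with an empty password in the current directory (as the report's test program does); the host name "localhost", the helper names and the thumbprint-pinning validation are this example's own choices. Each side accepts only the one test certificate by thumbprint, and the server's validation callback logs when the client presented no certificate at all, which is the condition behind the "connection requires a valid client certificate" symptom described above.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example: minimal loopback client/server demonstrating SslStream with and
// without a LocalCertificateSelectionCallback. Not the reporter's attached program.
static class SslClientCertDemo
{
    // Assumed: self-signed PFX in the current directory, empty password.
    const string PfxPath = "test.pfx";
    const string PfxPassword = "";

    // Both peers use the same self-signed test certificate, so each side accepts
    // exactly that certificate by thumbprint and nothing else. A null certificate
    // means the peer sent none, which is the symptom the report describes.
    static RemoteCertificateValidationCallback PinTo(string side, X509Certificate2 expected)
    {
        return delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        {
            if (cert == null)
            {
                Console.WriteLine(side + ": peer presented no certificate (" + errors + ")");
                return false;
            }
            Console.WriteLine(side + ": validating certificate with hash " + cert.GetCertHashString());
            return cert.GetCertHashString() == expected.GetCertHashString();
        };
    }

    static async Task RunServer(TcpListener listener, X509Certificate2 cert)
    {
        using (TcpClient tcp = await listener.AcceptTcpClientAsync())
        using (SslStream ssl = new SslStream(tcp.GetStream(), false, PinTo("server", cert)))
        {
            Console.WriteLine("Authenticating as a server");
            // clientCertificateRequired = true makes the server request a client
            // certificate; a client that sends none is rejected by PinTo above.
            await ssl.AuthenticateAsServerAsync(cert, true, SslProtocols.Tls12, false);
            Console.WriteLine("Server authenticated");
        }
    }

    static async Task RunClient(int port, X509Certificate2 cert, bool withSelectionCallback)
    {
        using (TcpClient tcp = new TcpClient())
        {
            await tcp.ConnectAsync(IPAddress.Loopback, port);
            SslStream ssl;
            if (withSelectionCallback)
            {
                // Explicit selection callback that always returns the client
                // certificate: the construction the report says works on Mono 3.12.
                ssl = new SslStream(tcp.GetStream(), false, PinTo("client", cert),
                    delegate(object sender, string host, X509CertificateCollection local,
                             X509Certificate remote, string[] issuers) { return cert; });
            }
            else
            {
                // No selection callback: SslStream is expected to pick a certificate
                // from the collection passed to AuthenticateAsClientAsync by itself.
                ssl = new SslStream(tcp.GetStream(), false, PinTo("client", cert));
            }
            using (ssl)
            {
                Console.WriteLine("Authenticating as a client");
                await ssl.AuthenticateAsClientAsync("localhost",
                    new X509Certificate2Collection(cert), SslProtocols.Tls12, false);
                Console.WriteLine("Client authenticated");
            }
        }
    }

    // Usage: SslClientCertDemo.exe      -> no selection callback
    //        SslClientCertDemo.exe 1    -> with selection callback
    static void Main(string[] args)
    {
        X509Certificate2 cert = new X509Certificate2(PfxPath, PfxPassword);
        TcpListener listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        try
        {
            Task server = RunServer(listener, cert);
            Task client = RunClient(port, cert, args.Length > 0);
            Task.WaitAll(server, client);
        }
        catch (AggregateException ex)
        {
            foreach (Exception inner in ex.InnerExceptions)
                Console.WriteLine("Handshake failed: " + inner.Message);
        }
        finally
        {
            listener.Stop();
        }
    }
}
```

Pinning the peer certificate by thumbprint rather than returning true from the validation callback keeps the self-signed test setup from silently accepting any certificate; on a run where the client omits its certificate, the server-side callback is invoked with a null certificate and RemoteCertificateNotAvailable, which is a more useful diagnostic than the generic "authentication or decryption has failed" exception in the report.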
Comment 1 lihalla 2015-01-21 09:55:34 UTC
Created attachment 9436 [details]
Self signed certificate for testing

Added some self signed certificate for testing purposes.
Comment 2 Martin Baulig 2015-04-27 13:51:22 UTC

*** This bug has been marked as a duplicate of bug 29437 ***