Bug 27758 - Untrusted HTTP certificate detected"
Summary: Untrusted HTTP certificate detected"
Alias: None
Product: Xamarin Studio
Classification: Desktop
Component: Activation ()
Version: 5.7
Hardware: PC Mac OS
: Normal normal
Target Milestone: master
Assignee: Bugzilla
: 30701 37742 ()
Depends on:
Reported: 2015-03-08 22:05 UTC by Nat Friedman
Modified: 2017-05-18 16:09 UTC (History)
11 users (show)

Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.

Please create a new report on Developer Community or GitHub with your current version information, steps to reproduce, and relevant error messages or log files if you are hitting an issue that looks similar to this resolved bug and you do not yet see a matching new report.

Related Links:

Description Nat Friedman 2015-03-08 22:05:18 UTC
This popup just appeared in XS:


Version info below.

=== Xamarin Studio ===

Version 5.7.1 (build 17)
Installation UUID: 9147e1c4-fcde-4d4d-bbc4-d83ab5fe8b1b
	Mono 3.12.0 ((detached/de2f33f)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 312000076

=== Apple Developer Tools ===

Xcode 6.1.1 (6611)
Build 6A2008a

=== Xamarin.iOS ===

Version: (Enterprise Edition)
Hash: 98ee412
Build date: 2015-02-11 04:37:05-0500

=== Xamarin.Android ===

Version: (Enterprise Edition)
Android SDK: /Users/nat/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		2.1   (API level 7)
		2.2   (API level 8)
		2.3   (API level 10)
		3.1   (API level 12)
		4.0.3 (API level 15)
		4.4   (API level 19)
Java SDK: /usr
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

=== Xamarin.Mac ===

Version: (Enterprise Edition)

=== Build Information ===

Release ID: 507010017
Git revision: 0bc7d3550b6b088ac25b08dcf7bbe73bcc8658b3
Build date: 2015-02-03 19:43:29-05
Xamarin addins: f7b7d34419c9ec24501bfa7c658e80a6305613e0

=== Operating System ===

Mac OS X 10.10.2
Darwin Nats-MacBook-Pro.local 14.1.0 Darwin Kernel Version 14.1.0
    Mon Dec 22 23:10:38 PST 2014
    root:xnu-2782.10.72~2/RELEASE_X86_64 x86_64
Comment 1 Bojan Rajkovic [MSFT] 2015-03-08 22:11:04 UTC
FWIW, the certificate is not untrusted.

Comment 2 Nat Friedman 2015-03-08 22:14:53 UTC
Not much useful in the Ide.log:

Comment 5 Nat Friedman 2015-03-09 01:02:46 UTC
It just happened again. Logs:

INFO [2015-03-08 21:53:43Z]: Running scheduled license sync
INFO [2015-03-08 21:53:43Z]: Running license sync for Android
INFO [2015-03-08 21:53:43Z]: Running license sync for iOS
INFO [2015-03-08 21:53:43Z]: Running license sync for Mac
ERROR [2015-03-08 21:53:53Z]: Failed to update iOS license: Timeout.
ERROR [2015-03-08 21:53:53Z]: Failed to update Mac license: Timeout.
ERROR [2015-03-08 21:53:53Z]: Failed to update Android license: Timeout.
INFO [2015-03-08 21:53:58Z]: Read license: iOS Priority 2015-07-21 03:23:47Z
INFO [2015-03-08 21:53:58Z]: Read license: Mac Priority 2015-07-21 03:23:47Z
INFO [2015-03-08 21:53:58Z]: Read license: Android Priority 2015-07-21 03:23:47Z
Comment 7 Nat Friedman 2015-03-09 17:04:01 UTC
Customers talking about it on Twitter:

Comment 8 Nat Friedman 2015-03-13 13:48:49 UTC
Just happened to me again

Comment 9 Lluis Sanchez 2015-03-13 15:06:41 UTC
Sebastien, as Michael mentioned we have a hook in ServicePointManager.ServerCertificateValidationCallback that shows that dialog. Has Mono's behavior changed lately? or could this be a regression in Mono?
Comment 10 Sebastien Pouliot 2015-03-13 15:18:25 UTC
@Lluis no, the recent changes/fixes to TLS were not related to X.509 certificates. Also, on the Mac (and iOS) the trust decision is given to the OS (it's not mono code that's used). IOW it's OS X that's telling you (via the callback) that it does not know if it can trust the site (or not).

What can happen (we see this sometimes on the bots) is that the OS cannot download some part of the certificate chain (or it's CRL) and, without them, cannot tell you that the certificate is trusted. That can be a local (networking) issue or a remote one (e.g. server which has the CRL is down).

If this is used only to access known servers you might want to try "SSL pinning".
Comment 11 Lluis Sanchez 2015-03-13 15:56:54 UTC
Do you know if the reason for the OSX trust failure is logged somewhere?
Comment 12 Sebastien Pouliot 2015-03-13 16:58:48 UTC
Not that I know of - at least not in any level of detail that is helpful.

Apple API is very limited (.NET has dozens of error codes). `SecTrustEvaluate` mostly return `RecoverableTrustFailure`, which means "I don't have all the information to trust this, but if I had more I could change my mind", i.e. there's nothing wrong (like a bad signature) but nothing to prove it's ok. If there's a way to have it log more details then I do not know of it :-(

Sadly the above code is unusable to convey more information than "don't trust". E.g. an unrooted certificate would return the same - it's impossible to find anything that provide it's correct but it can't be 100% sure it's incorrect (a `FatalTrustFailure`).
Comment 13 Mikayla Hutchinson [MSFT] 2015-04-02 12:25:38 UTC
It seems that the intermediate certificate is missing on some users' machines and the server is not including it:

Comment 14 Bojan Rajkovic [MSFT] 2015-04-02 12:35:57 UTC
Re: software.xamarin.com, Jo (added to CC) handles the certificate updates for RE-related machines right now AIUI. I could be wrong, though. The intermediate cert should already be present, it might just not be served. If it's not present, contact Nick or myself on Slack and we'll send it over.

That said, the certificate for software.xamarin.com is unrelated to the one for activation.xamarin.com, which is what this bug refers to. That one is definitely serving the intermediate certificate in the chain, see https://www.dropbox.com/s/s3ba8z8ddowpy7g/Screen%20Shot%202015-04-02%20at%2012.33.14.png?dl=0 (or you can run the test yourself at https://www.ssllabs.com/ssltest/analyze.html?d=activation.xamarin.com&hideResults=on).
Comment 15 Jo Shields 2015-04-03 05:44:10 UTC
Apache on software.x.c is definitely not serving a cert chain, so I've added the missing intermediate cert. Is that better?
Comment 16 Fredy Wenger 2015-05-18 08:26:18 UTC
Same problem since a longer time from time to time (and just now).  
It would be nice, if someone from Xamarin could solve this annoying issue and would give us a feedback here...!
Comment 17 Tajinder Singh 2015-06-03 01:47:48 UTC
*** Bug 30701 has been marked as a duplicate of this bug. ***
Comment 18 Greg Munn 2016-01-19 17:56:34 UTC
*** Bug 37742 has been marked as a duplicate of this bug. ***
Comment 19 Brian Westrupp 2016-01-29 12:23:25 UTC
Just happened again after latest update today, when I restarted XS.
Comment 20 Brian Westrupp 2016-01-29 12:35:50 UTC
Sorry should have added it is - "Untrusted HTTP certificate detected.  Do you want to temporarily trust this certificate in order to connect to the server at software.xamarin.com?"

=== Xamarin Studio ===

Version 5.10.2 (build 56)
Installation UUID: e9682cde-a226-474f-9dd5-e6858c438b57
	Microsoft .NET 4.0.30319.42000
	GTK+ 2.24.23 (MS-Windows theme)
	GTK# 2.12.30

=== Xamarin.Profiler ===

Not Installed

=== Xamarin.Android ===

Version: (Indie Edition)
Android SDK: (my PC path)Android\android-sdk
	Supported Android versions:
		2.3    (API level 10)
		4.0.3  (API level 15)
		4.4    (API level 19)
		4.4.87 (API level 20)
		5.0    (API level 21)
		5.1    (API level 22)
		6.0    (API level 23)

SDK Tools Version: 24.4.1

SDK Platform Tools Version: 23.1

SDK Build Tools Version: 23.0.2

Java SDK: C:\Program Files (x86)\Java\jdk1.6.0_39
java version "1.6.0_39"
Java(TM) SE Runtime Environment (build 1.6.0_39-b04)
Java HotSpot(TM) Client VM (build 20.14-b01, mixed mode, sharing)

=== Xamarin Android Player ===

Not Installed

=== Build Information ===

Release ID: 510020056
Git revision: bb74ff467c62ded42b7b7ac7fdd2edc60f8647b0
Build date: 2016-01-26 15:49:39-05
Xamarin addins: 8b797d7ba24d5abab226c2cf9fda77f666263f1b
Build lane: monodevelop-windows-cycle6-c6sr1

=== Operating System ===

Windows 10.0.10586.0 (64-bit)
Comment 21 Lluis Sanchez 2017-05-18 16:09:51 UTC
I don't think this is happening anymore. If the issue can be reproduced again, feel free to reopen.