Bug 37966 - SslStream.AuthenticateAsClient() fails with smtp.gmail.com
Summary: SslStream.AuthenticateAsClient() fails with smtp.gmail.com
Status: RESOLVED FIXED
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: 4.2.0 (C6)
Hardware: PC Mac OS
Importance: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
URL:
Depends on:
Blocks:
 
Reported: 2016-01-24 13:51 UTC by Jeffrey Stedfast
Modified: 2016-11-11 09:25 UTC (History)

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
ssl-cert-validate.cs (896 bytes, text/plain)
2016-01-24 13:56 UTC, Jeffrey Stedfast



Description Jeffrey Stedfast 2016-01-24 13:51:53 UTC
This works on Microsoft's .NET runtime but fails on Mono v4.2.1:

using System.Net.Sockets;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace SslCertificateValidationTest
{
	class Program
	{
		static void Main (string[] args)
		{
			var socket = new Socket (AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);

			// Implicit-TLS SMTP port; the handshake starts as soon as the stream is authenticated.
			socket.Connect ("smtp.gmail.com", 465);

			using (var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate)) {
				ssl.AuthenticateAsClient ("smtp.gmail.com", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, true);
			}
			
		}

		// Accept the server certificate only when the runtime reports no policy errors
		// (chain, name and revocation checks all passed); any error rejects the connection.
		static bool ValidateRemoteCertificate (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
		{
			return sslPolicyErrors == SslPolicyErrors.None;
		}
	}
}

The Mono exception is:

System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (IAsyncResult asyncResult) <0x29af4c8 + 0x000e3> in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (IAsyncResult ar, Boolean ignoreEmpty) <0x29af420 + 0x0001f> in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (IAsyncResult result) <0x29aae48 + 0x0019b> in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) <0x29cd6c8 + 0x000ab> in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) <0x29cd4d8 + 0x0005f> in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (IAsyncResult asyncResult) <0x2988e28 + 0x00133> in <filename unknown>:0 
  at System.Net.Security.SslStream.EndAuthenticateAsClient (IAsyncResult asyncResult) <0x2988cb8 + 0x00037> in <filename unknown>:0 
  at System.Net.Security.SslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) <0x29825c8 + 0x00050> in <filename unknown>:0 
  at SslCertificateValidationTest.Program.Main (System.String[] args) <0x50fee0 + 0x00153> in <filename unknown>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (IAsyncResult asyncResult) <0x29af4c8 + 0x000e3> in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (IAsyncResult ar, Boolean ignoreEmpty) <0x29af420 + 0x0001f> in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (IAsyncResult result) <0x29aae48 + 0x0019b> in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) <0x29cd6c8 + 0x000ab> in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) <0x29cd4d8 + 0x0005f> in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (IAsyncResult asyncResult) <0x2988e28 + 0x00133> in <filename unknown>:0 
  at System.Net.Security.SslStream.EndAuthenticateAsClient (IAsyncResult asyncResult) <0x2988cb8 + 0x00037> in <filename unknown>:0 
  at System.Net.Security.SslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) <0x29825c8 + 0x00050> in <filename unknown>:0 
  at SslCertificateValidationTest.Program.Main (System.String[] args) <0x50fee0 + 0x00153> in <filename unknown>:0 


What seems to be happening is that under Mono, in the ValidateRemoteCertificate callback, sslPolicyErrors has a value of SslPolicyErrors.RemoteCertificateNotAvailable whereas when using Microsoft's .NET runtime, it has a value of SslPolicyErrors.None.
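Added example, not part of the original report or of Mono's own code: a variant of the test case whose validation callback explains why validation failed instead of only returning false. It splits the SslPolicyErrors mask into its individual flags, treats RemoteCertificateNotAvailable (the value seen under Mono above) as "no certificate reached the callback" rather than a chain problem, and for genuine chain failures prints each chain element's status. The host and port default to the values in the report and can be overridden on the command line; the callback still only returns true when the runtime reported no policy errors.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace SslCertificateValidationDiagnostics
{
	static class Program
	{
		// Split the SslPolicyErrors bit mask into the flags that are set, so a failure
		// report names the precise cause instead of a composite value.
		static string DescribePolicyErrors (SslPolicyErrors errors)
		{
			if (errors == SslPolicyErrors.None)
				return "None";

			var parts = new List<string> ();
			foreach (SslPolicyErrors flag in Enum.GetValues (typeof (SslPolicyErrors))) {
				if (flag != SslPolicyErrors.None && (errors & flag) == flag)
					parts.Add (flag.ToString ());
			}
			return string.Join (" | ", parts);
		}

		// Validation callback that reports why validation failed. It returns true only
		// when the runtime itself reported no policy errors; it never overrides a failure.
		static bool ValidateRemoteCertificate (object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
		{
			if (sslPolicyErrors == SslPolicyErrors.None)
				return true;

			Console.Error.WriteLine ("TLS certificate validation failed: {0}", DescribePolicyErrors (sslPolicyErrors));

			// RemoteCertificateNotAvailable means no certificate was handed to the callback
			// (the symptom reported against Mono above). Chain and name checks did not run,
			// so the remaining arguments carry no information about the server's chain.
			if (certificate == null || (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) {
				Console.Error.WriteLine ("  no server certificate was delivered to the callback");
				return false;
			}

			Console.Error.WriteLine ("  subject: {0}", certificate.Subject);
			Console.Error.WriteLine ("  issuer:  {0}", certificate.Issuer);

			// For chain errors, list every element's status so an expired intermediate,
			// an untrusted root or a revocation-check failure can be told apart.
			if (chain != null) {
				foreach (X509ChainElement element in chain.ChainElements) {
					foreach (X509ChainStatus status in element.ChainElementStatus)
						Console.Error.WriteLine ("  chain element '{0}': {1} ({2})", element.Certificate.Subject, status.Status, status.StatusInformation.Trim ());
				}
			}

			return false;
		}

		static void Main (string[] args)
		{
			// Defaults taken from the report; both can be overridden: mono prog.exe <host> <port>
			string host = args.Length > 0 ? args[0] : "smtp.gmail.com";
			int port = args.Length > 1 ? int.Parse (args[1]) : 465;

			using (var client = new TcpClient (host, port))
			using (var ssl = new SslStream (client.GetStream (), false, ValidateRemoteCertificate)) {
				try {
					ssl.AuthenticateAsClient (host, null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, true);
					Console.WriteLine ("Handshake succeeded: {0}, {1}-bit {2}", ssl.SslProtocol, ssl.CipherStrength, ssl.CipherAlgorithm);
				} catch (AuthenticationException ex) {
					Console.Error.WriteLine ("Handshake rejected: {0}", ex.Message);
				} catch (System.IO.IOException ex) {
					// The Mono build in the report surfaces the failure as an IOException wrapping a TlsException.
					Console.Error.WriteLine ("Handshake failed at the transport layer: {0}", ex.Message);
				}
			}
		}
	}
}
```

Run the same binary on both runtimes: if the diagnostic line reports RemoteCertificateNotAvailable with no certificate on one and a successful handshake on the other, the discrepancy is in the TLS implementation, not in the server's certificate chain, which is the distinction the original callback cannot make.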
Comment 1 Jeffrey Stedfast 2016-01-24 13:53:53 UTC
This is my build of Mono:

[fejj@localhost net45]$ mono --version
Mono JIT compiler version 4.2.1 (explicit/6dd2d0d Fri Nov  6 12:25:19 EST 2015)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           normal
	SIGSEGV:       altstack
	Notification:  kqueue
	Architecture:  x86
	Disabled:      none
	Misc:          softdebug 
	LLVM:          yes(3.6.0svn-mono-(detached/a173357)
	GC:            sgen

I'm running on Mac OS X 10.10.5.
Comment 2 Jeffrey Stedfast 2016-01-24 13:56:53 UTC
Created attachment 14702 [details]
ssl-cert-validate.cs

I've attached the test case program for convenience.