Bug 40774 - SSL connections exception on iOS with latest Cycle7 Release.
Summary: SSL connections exception on iOS with latest Cycle7 Release.
Status: VERIFIED FIXED
Alias: None
Product: iOS
Classification: Xamarin
Component: BCL Class Libraries ()
Version: XI 9.8 (tvOS / C7)
Hardware: Macintosh Mac OS
: Normal normal
Target Milestone: (C7)
Assignee: Sebastien Pouliot
URL:
Depends on:
Blocks:
 
Reported: 2016-04-29 07:37 UTC by Tim Brand
Modified: 2016-05-05 19:11 UTC (History)
7 users (show)

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
Project to reproduce the issue (12.20 KB, application/zip)
2016-04-29 07:39 UTC, Tim Brand
Details
Environment Details and Build Log (116.06 KB, text/plain)
2016-05-03 01:58 UTC, Ken Pespisa
Details


Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.


Please create a new report on Developer Community or GitHub with your current version information, steps to reproduce, and relevant error messages or log files if you are hitting an issue that looks similar to this resolved bug and you do not yet see a matching new report.

Related Links:
Status:
VERIFIED FIXED

Description Tim Brand 2016-04-29 07:37:46 UTC
# Steps to reproduce
- Create a new iOS project
- Include reference: System.Net.Http
- Include the following code into a new iOS project:
    var client = new System.Net.Http.HttpClient ();
    var response = await client.GetAsync ("https://httpbin.org/get");
    var content = await response.Content.ReadAsStringAsync ();
- Run. It will thown an exception;

# Expected behavior
It should normally getting a result from https://httpbin.org/get

# Actual behavior
It will throw an exception: 
Error: SecureChannelFailure (The authentication or decryption has failed.)

# Supplemental info (logs, images, videos)


# Test environment (full version information)
=== Xamarin Studio Community ===

Version 6.0 (build 5104)
Installation UUID: 2b2970d8-c60a-4b90-83a6-12b199cdfa90
Runtime:
	Mono 4.4.0 (mono-4.4.0-branch/81f38a9) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 404000142

=== Xamarin.Profiler ===

Not Installed

=== Apple Developer Tools ===

Xcode 7.3 (10183.3)
Build 7D175

=== Xamarin.iOS ===

Version: 9.8.0.294 (Xamarin Studio Community)
Hash: 6950f7b
Branch: cycle7
Build date: 2016-04-24 15:35:14-0400

=== Xamarin.Mac ===

Not Installed

=== Xamarin.Android ===

Version: 6.1.0.48 (Xamarin Studio Community)
Android SDK: /Users/tim/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		2.3   (API level 10)
		4.0.3 (API level 15)
		4.4   (API level 19)
		5.0   (API level 21)
		5.1   (API level 22)
		6.0   (API level 23)

SDK Tools Version: 25.1.1
SDK Platform Tools Version: 23.1
SDK Build Tools Version: 23.0.2

Java SDK: /usr
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

=== Xamarin Android Player ===

Version: 0.6.5
Location: /Applications/Xamarin Android Player.app

=== Xamarin Inspector ===

Version: 0.8.0.0
Hash: dc081aa
Branch: master
Build date: Tue Apr 26 23:07:44 UTC 2016

=== Build Information ===

Release ID: 600005104
Git revision: 1345d355d4f1b9677d91e1290a6034e2047bdf36
Build date: 2016-04-26 12:21:45-04
Xamarin addins: 7d85147c75b6dbb4b351906636ef76fdf60307c2
Build lane: monodevelop-lion-cycle7

=== Operating System ===

Mac OS X 10.11.4
Darwin plumberx.local 15.4.0 Darwin Kernel Version 15.4.0
    Fri Feb 26 22:08:05 PST 2016
    root:xnu-3248.40.184~3/RELEASE_X86_64 x86_64

=== Enabled user installed addins ===

Xamarin Inspector 0.8.0.0
Comment 1 Tim Brand 2016-04-29 07:39:22 UTC
Created attachment 15868 [details]
Project to reproduce the issue
Comment 2 Sebastien Pouliot 2016-05-01 15:03:14 UTC
This is normal. The default, managed SSL/TLS stack only supports SSLv3/TLSv1 and the web site you're trying to access does not support it*. There's not plan to add support for them on the managed implementation as we now offer better, native alternatives.

* it does accept TLSv1 but not with any of the cipher suites that Mono supports.


To use newer TLS versions (1.2 and 1.3) you need to either use a native HttpClientHandler (e.g. CFNetwork and NSUrlSession based) or use the AppleTLS implementation.

Both options (handlers and TLS stack) are available in your project options and makes your attached sample works properly.

For performance reason (and smaller executable size) I suggest you use the NSUrlSession handler.
Comment 3 Tim Brand 2016-05-01 18:11:20 UTC
Actually, this is not entirely true. It hasn't been 'normal' behavior before Cylcle7.
The url I've provided in the demo is just an https-url I was able to reproduce the error.
My API-backend with SSL has always been working before Cycle7, even the apps that are build with Cycle6 still work on the same backend. 
When I now build the exact same app with Cycle7, I'm having these SSL errors.
So something has been changed which results in this blocking error.

On stackoverflow, someone else is having this issue also now:
http://stackoverflow.com/questions/36931588/x-ios-cycle7-seems-to-break-ssl


I've already tried the native alternatives. They almost work, except for uploading a file (image in my case). Then it will result in an SSL error too (different exception message).
So that's no solution for this problem.

Please take a really good look at this. Currently I'm unable to build a new version of my app. I prevent to go back to the Stable channel. And to be honest, If this issue isn't fixed before Stable release, I'll have the issue then.
Comment 4 Tim Brand 2016-05-01 19:10:19 UTC
To confirm I just went back to the stable channel.
Then I replaced the url from the project with 'https://google.com'. It went fine, no errors and it just received the source of the site.

Then I switched the channel to Beta again.
I completely cleaned the project (also manually) and rebuild it. I still have the same url I just tested successfully ('https://web.klasbord.nl'), but this time it results in the exception.

This means I can definitely confirm that this is behaviour wasn't there before. At least until the Cycle6 I've never had these problems.
Comment 5 Tim Brand 2016-05-01 19:29:19 UTC
(Sorry for sending another separated reply)

It's getting more 'complicated'.
I just switched to the alpha-channel, to test it there. I expected the same behaviour as on the Beta-channel. 
As a surprise it's working fine again on the Alpha-channel (using url 'https://google.com'). Which means that there's something wrong only in the beta-channel.


=================
Version info of my alpha-channel test:
-----------------
=== Xamarin Studio Community ===

Version 6.1 (build 817)
Installation UUID: 2b2970d8-c60a-4b90-83a6-12b199cdfa90
Runtime:
	Mono 4.4.0 (mono-4.4.0-branch/fcf7a6d) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 404000148

=== NuGet ===

Version: 3.3.0.0

=== Xamarin.Profiler ===

Not Installed

=== Apple Developer Tools ===

Xcode 7.3 (10183.3)
Build 7D175

=== Xamarin.Android ===

Version: 6.1.99.224 (Xamarin Studio Community)
Android SDK: /Users/tim/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		2.3   (API level 10)
		4.0.3 (API level 15)
		4.4   (API level 19)
		5.0   (API level 21)
		5.1   (API level 22)
		6.0   (API level 23)

SDK Tools Version: 25.1.1
SDK Platform Tools Version: 23.1
SDK Build Tools Version: 23.0.2

Java SDK: /usr
java version "1.7.0_71"
Java(TM) SE Runtime Environment (build 1.7.0_71-b14)
Java HotSpot(TM) 64-Bit Server VM (build 24.71-b01, mixed mode)

Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

=== Xamarin Android Player ===

Version: 0.6.5
Location: /Applications/Xamarin Android Player.app

=== Xamarin.Mac ===

Not Installed

=== Xamarin.iOS ===

Version: 9.9.0.719 (Xamarin Studio Community)
Hash: 3afb4af
Branch: master
Build date: 2016-04-24 15:13:41-0400

=== Xamarin Inspector ===

Version: 0.8.0.0
Hash: dc081aa
Branch: master
Build date: Tue Apr 26 23:07:44 UTC 2016

=== Build Information ===

Release ID: 601000817
Git revision: 2335763551f9db8296b08542035977b899b7f3b7
Build date: 2016-04-25 10:45:36-04
Xamarin addins: 7f8c9ab2a981143a87fbd5adbde3f5890a838fde
Build lane: monodevelop-lion-cycle8-preview

=== Operating System ===

Mac OS X 10.11.4
Darwin plumberx.local 15.4.0 Darwin Kernel Version 15.4.0
    Fri Feb 26 22:08:05 PST 2016
    root:xnu-3248.40.184~3/RELEASE_X86_64 x86_64

=== Enabled user installed addins ===

Addin Maker 1.3.1
Xamarin Inspector 0.8.0.0
Manifest.addin 0.0.0.0
Comment 6 Sebastien Pouliot 2016-05-02 13:15:12 UTC
@Gouri could you please confirm this with the C7 RC (as released) and with the latest C7 build ? thanks!

@Martin, you might have missed a back port for `cycle7` branch.
Comment 8 Sebastien Pouliot 2016-05-02 20:16:05 UTC
@Tim, our QA could not reproduce the issue locally using `https://web.klasbord.nl`, i.e. it works in all cases. That's the expected results as, based on SSL Labs results, this server offers cipher suites supported by Mono.

Also the reason for `https://httpbin.org/get` to fail is clear - the server is not using any cipher suite that Mono supports (i.e. only DH and DHE variants). You need AppleTLS or a native handler for that (and other) server to work properly.


That does not mean there's no issue, by design most SSL/TLS failures looks very alike, but there's likely a missing piece of information that would allow us to duplicate the issue.

Can you:

* confirm to us that `https://web.klasbord.nl` is the URL you used (on C6 stable, C7 beta and the C8 preview) ?

* which version(s) of iOS was used, and if you tried on simulator and/or devices ?

Thanks!
Comment 9 Tim Brand 2016-05-02 22:18:01 UTC
Did some more research.
(Don't know exactly why I haven't tested this further on a real iOS device before, but maybe because it's a really long time ago I've experienced differences between the simulator and a real device.)

The real device (iPhone6s & iPhone5s) works fine in both debug and release build.
Also, a release build on the simulator did work fine. (I added an alertview to see the result as the debugger of course won't break in release build)

I found out that it's related to the Linker behavior.
When setting the linker behavior to "Don't Link", it throws the exception.
When changing the linker to "Link Framework SDKs Only" it will work fine.

So, the right combination to get the exception is:
- Use the current beta-channel;
- Use the debug or release configuration with Linker behaviour set to "Don't Link";
- Use iOS simulator (iOS 9.3) (tested multiple simulator devices but all the same behavior);
- It doesn't matter which HTTPS-URL you use. You could also use https://google.com, it fails too;

I'm (partially) glad that I know it's working with the correct Linker setting. But still it's an issue ;)

Hope this information helps!
Thanks!
Comment 11 Sebastien Pouliot 2016-05-03 00:51:08 UTC
QA still cannot reproduce (and neither can I) with:

* XI 9.8.0.294, that's our beta channel release;
* the iOS 9.3 simulator;
* project set to "Don't link" (verified, but default for simulator projects);
* your attached project; and 
* using `https://google.com`

The above works as expected. 

> Also, a release build on the simulator did work fine.

There's nothing that should differ from a release build (with worked for you ?) and a debug build that could cause such issue.

You might have something custom/modified/corrupted on your computer or there's something else missing in the recipe to reproduce the issue.

Please try:

1. resetting your simulator and doing "Clean" before re-building (and re-deploying) your application to the simulator;

2. Turn off the "Enable incremental builds" in case there's some build caching issue affecting the outcome;

3. At last add "-v -v -v -v" to your "Additional mtouch arguments" and attach the full build log to the bug report.
Comment 12 Ken Pespisa 2016-05-03 01:58:16 UTC
Created attachment 15880 [details]
Environment Details and Build Log

I'm seeing this issue too with the attached project attempting connecting to https://google.com.

The exception is: {System.Net.WebException: Error: SecureChannelFailure (The authentication or decryption has failed.) …}	System.Net.WebException

I've attached my environment details and the build log.
Comment 13 Sebastien Pouliot 2016-05-03 02:11:12 UTC
@Ken, interesting!

> Xamarin Inspector Integration
>	Enabled for project: yes

We might have an issue with the inspector swapping assemblies. Could you try the suggested fix:

>	If unexpected behavior arises in your application, Inspector support
>	can be disabled globally from the Xamarin Studio Add-in Manager, or 
>	disabled for this project.
>
>	More info: https://developer.xamarin.com/guides/cross-platform/inspector

and let us know if that fixes it ?

@Oleg (or @Gouri) did you try with the inspector enabled ? I did not.
Comment 14 Ken Pespisa 2016-05-03 02:25:48 UTC
Yes, that is it!

I disabled the inspector via the Add-Ins dialog, and then ran the project. The exception did not occur. 

I then re-enabled the inspector, re-ran the project, and saw the exception again.
Comment 15 Oleg Demchenko 2016-05-03 02:31:29 UTC
@Sebastien, I performed tests with inspector disabled and it seems to be a problem.
Comment 16 Tim Brand 2016-05-03 07:14:05 UTC
I can confirm this too. Disabling the Inspector will avoid the exception.

Thanks!
Comment 17 Sebastien Pouliot 2016-05-03 16:19:07 UTC
Thanks for confirming this :-)
Comment 18 Sebastien Pouliot 2016-05-03 21:24:47 UTC
Fixed in maccore/cycle7 727d6d90d0d8a646df50e07b7b7cd69cf580cc00

xamarin-macios/master does not need this fix since mono-extensions is now merged into mono and the issue was solved, indirectly and differently, in bug #40625

Again thanks for all the help to figure this out!
Comment 19 Oleg Demchenko 2016-05-05 19:11:33 UTC
Verified with XI 9.8.0.307. Sample app works fine with Inspector both enabled and disabled.