Bug 42707 - [Feature] Rewrite 'certmgr' tool to use SslStream
Summary: [Feature] Rewrite 'certmgr' tool to use SslStream
Status: ASSIGNED
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: 4.4.0 (C7)
Hardware: PC Linux
: Normal normal
Target Milestone: Future Release
Assignee: Martin Baulig
URL:
Depends on:
Blocks:
 
Reported: 2016-07-21 11:15 UTC by Pažout
Modified: 2017-09-13 19:22 UTC (History)
5 users (show)

Tags:
Is this bug a regression?: ---
Last known good build:

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.


Please create a new report for Bug 42707 on GitHub or Developer Community if you have new information to add and do not yet see a matching new report.

If the latest results still closely match this report, you can use the original description:

  • Export the original title and description: GitHub Markdown or Developer Community HTML
  • Copy the title and description into the new report. Adjust them to be up-to-date if needed.
  • Add your new information.

In special cases on GitHub you might also want the comments: GitHub Markdown with public comments

Related Links:
Status:
ASSIGNED

Description Pažout 2016-07-21 11:15:18 UTC
certmgr -ssl https://www.cosmopolitus.com
Mono Certificate Manager - version 4.4.1.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Unhandled Exception:
System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: Error while sending TLS Alert (Fatal:InternalError): System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
Comment 1 Pažout 2016-07-21 11:22:05 UTC
Mono JIT compiler version 4.4.1 (Nightly 4.4.1.0/4747417 Wed Jun 22 11:14:49 UTC 2016)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
        TLS:           __thread
        SIGSEGV:       altstack
        Notifications: epoll
        Architecture:  amd64
        Disabled:      none
        Misc:          softdebug
        LLVM:          supported, not enabled.
        GC:            sgen
Comment 2 Rodrigo Kumpera 2016-07-23 00:01:12 UTC
Hey Martin,

This is a bug in the SSL stack. Please take a look when you get the time.
Comment 3 Morten 2016-10-15 23:08:43 UTC
Any workarounds for this ? 
It's very critical for me.
I'm communicating with a SOAP webservice, that recently installed a new certificate, and now we are getting the exact same error.

I tried this, which usually works:
ServicePointManager.ServerCertificateValidationCallback += 					((sender, certificate, chain, sslPolicyErrors) => true);

But strangely this callback is simply ignored, or it is never reached, and the problem persists.
Comment 4 Miguel de Icaza [MSFT] 2017-04-04 14:54:52 UTC
I can reproduce this on MacOS with Mono 5.0.0.41 (2017-02/55a698e)
Comment 5 Miguel de Icaza [MSFT] 2017-04-04 14:58:40 UTC
What I find odd is that the stracktrace contains the old TLS stack, but my machine has the new TLS stack:

Unhandled Exception:
System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) [0x00037] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (System.IAsyncResult ar, System.Boolean ignoreEmpty) [0x00000] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (System.IAsyncResult result) [0x00071] in <127b13327a484108bc397968b509c439>:0 
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (System.IAsyncResult result) [0x00032] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in <127b13327a484108bc397968b509c439>:0 
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.EndNegotiateHandshake (Mono.Security.Protocol.Tls.SslStreamBase+InternalAsyncResult asyncResult) [0x00022] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.NegotiateHandshake () [0x0002b] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 count) [0x00064] in <127b13327a484108bc397968b509c439>:0 
  at System.IO.StreamWriter.Flush (System.Boolean flushStream, System.Boolean flushEncoder) [0x0007e] in <b36112eafe0a48c4bdeb716ed555aded>:0 
  at System.IO.StreamWriter.Flush () [0x00006] in <b36112eafe0a48c4bdeb716ed555aded>:0 
  at Mono.Tools.CertificateManager.GetCertificatesFromSslSession (System.String url) [0x00087] in <4f749d90956243218cf42144d717c7f8>:0 
  at Mono.Tools.CertificateManager.Ssl (System.String host, System.Boolean machine, System.Boolean verbose) [0x0001f] in <4f749d90956243218cf42144d717c7f8>:0 
  at Mono.Tools.CertificateManager.Main (System.String[] args) [0x001bf] in <4f749d90956243218cf42144d717c7f8>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) [0x00037] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (System.IAsyncResult ar, System.Boolean ignoreEmpty) [0x00000] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (System.IAsyncResult result) [0x00071] in <127b13327a484108bc397968b509c439>:0 
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (System.IAsyncResult result) [0x00032] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in <127b13327a484108bc397968b509c439>:0 
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.EndNegotiateHandshake (Mono.Security.Protocol.Tls.SslStreamBase+InternalAsyncResult asyncResult) [0x00022] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.NegotiateHandshake () [0x0002b] in <127b13327a484108bc397968b509c439>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.Write (System.Byte[] buffer, System.Int32 offset, System.Int32 count) [0x00064] in <127b13327a484108bc397968b509c439>:0 
  at System.IO.StreamWriter.Flush (System.Boolean flushStream, System.Boolean flushEncoder) [0x0007e] in <b36112eafe0a48c4bdeb716ed555aded>:0 
  at System.IO.StreamWriter.Flush () [0x00006] in <b36112eafe0a48c4bdeb716ed555aded>:0 
  at Mono.Tools.CertificateManager.GetCertificatesFromSslSession (System.String url) [0x00087] in <4f749d90956243218cf42144d717c7f8>:0 
  at Mono.Tools.CertificateManager.Ssl (System.String host, System.Boolean machine, System.Boolean verbose) [0x0001f] in <4f749d90956243218cf42144d717c7f8>:0 
  at Mono.Tools.CertificateManager.Main (System.String[] args) [0x001bf] in <4f749d90956243218cf42144d717c7f8>:0 


I verified I had the new TLS stack like this:

csharp -e 'new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").Contains ("TLS 1.2")'
Comment 6 Martin Baulig 2017-04-04 17:26:50 UTC
That's not a bug, it's a feature.

This code is explicitly using the old stack and there is no "fix" other than "reimplement using the correct APIs".

This tool has other problems as well, btw.

I was planning on giving that some love at some point, just didn't get to it yet.