Bug 42805 - Mono.Security.Protocol.Tls doesn't support particular TLS setup
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: master
Hardware: PC Linux
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
Depends on:
Reported: 2016-07-26 14:25 UTC by Łukasz Domeradzki
Modified: 2016-11-15 16:13 UTC

Tags: tls https ssl
Is this bug a regression?: No
Last known good build:

Reproducible test case (809 bytes, text/plain)
2016-07-26 14:25 UTC, Łukasz Domeradzki

Description Łukasz Domeradzki 2016-07-26 14:25:06 UTC
Created attachment 16785
Reproducible test case

Just a note: this is not a problem with an untrusted certificate or TLS in general - TLS seems to work fine with the majority of websites I've tried, but with this particular one it doesn't.

I'm not entirely sure why, but I suspect an unsupported encryption option or algorithm. I don't want to cause confusion, as I'm not 100% sure, so I leave it up to you to find out.

I attached a reproducible test case that can be executed with:
mcs Program.cs /r:System.Net.Http.dll && mono Program.exe

The issue has been tested with up-to-date 4.7.0 (master/6bbd1e3 Tue 26 Jul 15:10:04 CEST 2016)

Output (relevant lines shown):

Exception: Error: SecureChannelFailure (The authentication or decryption has failed.) | Stacktrace:
  at System.Net.HttpWebRequest.EndGetResponse (System.IAsyncResult asyncResult) <0x409ad910 + 0x001ab> in <filename unknown>:0

Inner exception: The authentication or decryption has failed. | Stacktrace:
  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) <0x409a3610 + 0x00167> in <filename unknown>:0
  at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) <0x409a3350 + 0x00056> in <filename unknown>:0

Inner exception: The authentication or decryption has failed. | Stacktrace:
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (System.IAsyncResult result) <0x409abc80 + 0x000d3> in <filename unknown>:0

Inner exception: The authentication or decryption has failed. | Stacktrace:
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) <0x409aae20 + 0x00113> in <filename unknown>:0

Thank you in advance!
Comment 1 Łukasz Domeradzki 2016-08-07 03:26:12 UTC
This is even easier to reproduce with tlstest:

wget https://raw.github.com/mono/mono/master/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs
mcs tlstest.cs /r:System.dll /r:Mono.Security.dll
mono tlstest.exe https://en.touhouwiki.net/api.php

I tried everything so far, and I can't establish a connection with that site in any way :(.
Comment 2 Łukasz Domeradzki 2016-08-23 03:54:28 UTC
Update: This is caused by Mono not supporting ECDHE / DHE cipher suites. If a given server supports only ECDHE / DHE ciphers (and no e.g. RSA ones), Mono will fail to establish a connection.

I assume this is going to get fixed with the new TLS stack that is being worked on, but I'm leaving this bug report just in case.
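
The mismatch described in Comment 2, modelled offline as an added example (not part of the original thread and not Mono's code): it parses the cipher-suite list out of a ClientHello and applies server-preference selection. The client and server suite lists are assumptions constructed for illustration, not captured from Mono or from the site.

```python
import struct

# Key exchange per IANA cipher-suite code point (small subset, enough for the demo).
KEY_EXCHANGE = {
    0x000A: "RSA",    # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x002F: "RSA",    # TLS_RSA_WITH_AES_128_CBC_SHA
    0x0035: "RSA",    # TLS_RSA_WITH_AES_256_CBC_SHA
    0x0033: "DHE",    # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0xC013: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0xC014: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    0xC02F: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

def build_client_hello(suites, version=0x0301):
    """Build a minimal TLS record holding a ClientHello (constructed sample input)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def offered_suites(record):
    """Extract the cipher-suite code points from a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # skip the session id
    length = int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    if length == 0 or length % 2 or pos + length > len(record):
        raise ValueError("malformed or truncated cipher_suites vector")
    return [s for (s,) in struct.iter_unpack("!H", record[pos:pos + length])]

def negotiate(record, server_suites):
    """Server-preference selection; None means no shared suite (fatal handshake alert)."""
    offered = set(offered_suites(record))
    return next((s for s in server_suites if s in offered), None)

def key_exchanges(record):
    """Key-exchange families the client is offering."""
    return sorted({KEY_EXCHANGE.get(s, "unknown") for s in offered_suites(record)})

# Assumed suite lists, for illustration only.
RSA_ONLY_CLIENT = build_client_hello([0x0035, 0x002F, 0x000A])
MODERN_CLIENT = build_client_hello([0xC02F, 0xC014, 0xC013, 0x0035, 0x002F])
FS_ONLY_SERVER = [0xC02F, 0xC014, 0xC013, 0x0033]            # ECDHE / DHE only

if __name__ == "__main__":
    print(negotiate(RSA_ONLY_CLIENT, FS_ONLY_SERVER), hex(negotiate(MODERN_CLIENT, FS_ONLY_SERVER)))
```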
Comment 3 Martin Baulig 2016-11-11 09:21:37 UTC
The new AppleTls and BoringTls providers fix this problem.
Comment 4 Łukasz Domeradzki 2016-11-15 16:13:11 UTC
Confirmed, thank you!

root@archi:/tmp/mono# MONO_TLS_PROVIDER=btls mono Program.exe
Got a bad hardware address length for an AF_PACKET 16 8
Got a bad hardware address length for an AF_PACKET 16 8