Bug 45117 - CERT_E_CN_NO_MATCH using tlstest.exe on a site with a non standard port
Status: RESOLVED FIXED
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: 4.6.0 (C8)
Hardware: PC Linux
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
 
Reported: 2016-10-06 14:15 UTC by James
Modified: 2017-01-05 20:42 UTC (History)

Is this bug a regression?: Yes

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.


Description James 2016-10-06 14:15:49 UTC
Executing "mono ./tlstest.exe https://qa.4act.com:5151 --web --ssl" using mono 4.6 (Stable 4.6.1.3/abb06f1 Wed Sep 28 13:54:26 UTC 2016) will output "Error #-2146762481: CERT_E_CN_NO_MATCH 0x800B010F."

If I execute the same command using 4.4, it works successfully. If I execute the same command using the same server and same certificates but on a standard port, it works successfully. 

If I use --tls instead of --ssl, I get the same error and a response of 400 bad request. In my apache error log, I see the following error.

[Thu Oct 06 09:12:53.506079 2016] [ssl:error] [pid 28950] AH02032: Hostname qa.4act.com:5151 provided via SNI and hostname qa.4act.com provided via HTTP are different

Comment 1 BlueWall 2016-10-07 17:49:51 UTC
I am having this issue within my development network after upgrading to 4.6.0 and beyond. I tried many things with the format of the certs w/o success. Following this information, I tried running on port 443 and it no longer throws the error.

Thanks

Comment 2 Matti Jones 2016-12-22 04:15:09 UTC
I am experiencing this issue as well.

Any attempts to connect to an Apache2 server, using HTTPS (SSL), and the non-standard port number (443) results in the following exception being thrown.

System.Net.WebException: The remote server returned an error: (400) Bad Request.

Apache2 Logs show the following error
AH02032: Hostname weather.mywebserver.com.au:8081 provided via SNI and hostname weather.01solutions.com.au provided via HTTP are different

Problem can be replicated using HttpWebRequest, WebClient, and HttpClient

Here is a dump of the URI used to send the request
AbsolutePath = /xml
AbsoluteUri = https://weather.01solutions.com.au:8081/xml
Authority = weather.01solutions.com.au:8081
DnsSafeHost = weather.01solutions.com.au
Fragment = 
Host = weather.01solutions.com.au
HostNameType = Dns
IsAbsoluteUri = True
IsDefaultPort = False
IsFile = False
IsLoopback = False
IsUnc = False
LocalPath = /xml/users/login
OriginalString = https://weather.01solutions.com.au:8081/xml/users/login
PathAndQuery = /xml/users/login
Port = 8081
Query = 
Scheme = https
Segments = /,xml
UserEscaped = False
UserInfo = 


My thinking is setting the Host name to include the port would fix this issue up.

Comment 3 Alexander Köplinger [MSFT] 2017-01-05 20:42:44 UTC
This was fixed in the recent C8SR2 release (Mono 4.6.2.16):

> $ mono --version
> Mono JIT compiler version 4.6.2 (Stable 4.6.2.16/ac9e222 Tue Jan  3 11:48:26 UTC 2017)
> Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
>       TLS:           __thread
>       SIGSEGV:       altstack
>       Notifications: epoll
>       Architecture:  amd64
>       Disabled:      none
>       Misc:          softdebug
>       LLVM:          supported, not enabled.
>       GC:            sgen

> $ mono tlstest.exe https://qa.4act.com:5151 --web --tls --time
>
> https://qa.4act.com:5151
> Time: 00:00:01.0380230

Work happened as part of #44708
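
The Apache AH02032 lines in this thread show a host:port string arriving as the SNI name and being compared against the bare hostname taken from the HTTP request. As an added example (not part of the original thread, and not Mono's code or its fix), this C# sketch uses the Uri properties from the dump in comment 2 to keep the two values apart. The class and method names are hypothetical, and SniMatchesHostHeader is a simplified model of the comparison the log message reports, not Apache's code.

```csharp
using System;

// Added illustration; class and method names are hypothetical.
static class SniNameCheck
{
    // Value for the HTTP Host header: Uri.Authority carries the port
    // only when it is not the scheme default (see IsDefaultPort).
    public static string HostHeader(Uri uri)
    {
        return uri.Authority;
    }

    // Value for the TLS SNI extension and for certificate name matching:
    // the DNS host alone. Returns null for IP literals, which are not
    // sent as SNI names.
    public static string SniName(Uri uri)
    {
        return uri.HostNameType == UriHostNameType.Dns ? uri.DnsSafeHost : null;
    }

    // Guard for the TLS layer: accept only a bare DNS name, so a
    // "host:port" string is rejected before the handshake.
    public static bool IsBareDnsName(string name)
    {
        return !string.IsNullOrEmpty(name)
            && name.IndexOf(':') < 0
            && Uri.CheckHostName(name) == UriHostNameType.Dns;
    }

    // Simplified model of the server-side comparison: strip an optional
    // port from the Host header ("[v6]:port" aware), then compare.
    public static bool SniMatchesHostHeader(string sni, string hostHeader)
    {
        int colon = hostHeader.LastIndexOf(':');
        bool hasPort = colon > hostHeader.LastIndexOf(']');
        string host = hasPort ? hostHeader.Substring(0, colon) : hostHeader;
        return string.Equals(sni, host, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        var uri = new Uri("https://qa.4act.com:5151/"); // URL from the report
        string hostHeader = HostHeader(uri);
        // Correct SNI value first, then the host:port value from the log.
        foreach (string sni in new[] { SniName(uri), uri.Authority })
            Console.WriteLine("SNI={0} bare={1} matchesHost={2}", sni,
                IsBareDnsName(sni), SniMatchesHostHeader(sni, hostHeader));
    }
}
```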