Bug 46655 - HttpClient with Legacy TLS: server aborts handshake without SNI
Summary: HttpClient with Legacy TLS: server aborts handshake without SNI
Status: RESOLVED FEATURE
Alias: None
Product: Android
Classification: Xamarin
Component: Mono runtime / AOT Compiler ()
Version: 7.1 (C9)
Hardware: PC Windows
Importance: --- normal
Target Milestone: ---
Assignee: Martin Baulig
URL:
Depends on:
Blocks:
 
Reported: 2016-11-09 18:35 UTC by juliotec2
Modified: 2016-11-11 11:57 UTC (History)

Tags: XATriaged
Is this bug a regression?: ---
Last known good build:


Description juliotec2 2016-11-09 18:35:03 UTC
An error shows when using HTTPS in the HttpResponseMessage; Bug 44708 says that it was fixed, but it is not.

I'm using

Xamarin.VS updated to 4.2.0.703
Xamarin.iOS updated to 10.0.1.10
Xamarin.Android updated to 7.0.1.3
Xamarin.Mac updated to 2.10.0.105
Mono Framework updated to 4.6.1.5

Use this code and you will get the error; the https://kickass.cd server throws the error, but if I use another handler like NativeMessageHandler the error doesn't show.


using System;
using System.Net.Http;
using System.Threading.Tasks;

public static async Task<HttpResponseMessage> Test()
{
    // Managed handler: on this Mono version the request goes through the legacy Mono.Security TLS stack
    var httpClient = new HttpClient(new HttpClientHandler());
    HttpResponseMessage response = null;

    try
    {
        response = await httpClient.SendAsync(new HttpRequestMessage(HttpMethod.Get, @"https://kickass.cd"));
    }
    catch (Exception ex)
    {
        // The WebException shown below lands here; log it rather than swallowing it silently
        Console.WriteLine(ex);
    }

    return response;
}


Error shown:

System.Net.WebException: Error: SecureChannelFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) [0x0003a] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:430 
  at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (System.IAsyncResult ar, System.Boolean ignoreEmpty) [0x00000] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:256 
  at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (System.IAsyncResult result) [0x00071] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:418 
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (System.IAsyncResult result) [0x00035] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:396 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:101 
   --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00051] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:883 
  at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) [0x00011] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/System/Mono.Net.Security/LegacySslStream.cs:475 
  at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/System/Mono.Net.Security/LegacySslStream.cs:445 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0001e] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/System/Mono.Net.Security/MonoTlsStream.cs:99 
   --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (System.IAsyncResult asyncResult) [0x0005e] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/System/System.Net/HttpWebRequest.cs:1023 
  at System.Threading.Tasks.TaskFactory`1[TResult].FromAsyncCoreLogic (System.IAsyncResult iar, System.Func`2[T,TResult] endFunction, System.Action`1[T] endAction, System.Threading.Tasks.Task`1[TResult] promise, System.Boolean requiresSynchronization) [0x00014] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/referencesource/mscorlib/system/threading/Tasks/FutureFactory.cs:550 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/referencesource/mscorlib/system/runtime/exceptionservices/exceptionservicescommon.cs:143 
  at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00047] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:187 
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in /Users/builder/data/lanes/3819/96c7ba6c/source/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:156 
  at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in /Users/builder/data/lanes/38
Comment 1 Martin Baulig 2016-11-11 11:56:04 UTC
The problem is that this server aborts the handshake when the ClientHello does not include the Server Name Indication (SNI).

Try this:

====
$ openssl s_client -connect kickass.cd:443
CONNECTED(00000003)
140736633877512:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:770:
====

It works fine when passing the SNI:

$ openssl s_client -connect kickass.cd:443 -servername kickass.cd

and it would even support TLS 1.0:

$ openssl s_client -connect kickass.cd:443 -servername kickass.cd -tls1

We do not support this in the Legacy TLS provider.

However, I have just confirmed that this works with AppleTls and BTLS.
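The diagnosis in this comment, as an added example that is not part of the bug report or of Mono's code: a Python script that tells whether a TLS ClientHello record carries the server_name extension, and a probe that repeats the two s_client runs above (handshake without SNI, then with it) so a server that aborts on a missing SNI shows up as (False, True). The ClientHello bytes are constructed here, not captured from the Mono client.

```python
import socket
import ssl
import struct

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello record; sni=None omits server_name."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random (zeroed, constructed)
    body += b"\x00"                            # session_id length 0
    body += b"\x00\x02\xc0\x2f"                # one cipher suite
    body += b"\x01\x00"                        # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack("!H", len(sni_ext)) + sni_ext  # ext type 0
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body           # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record: handshake

def client_hello_sni(record):
    """Return the host name from the server_name extension, or None if it is absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                        # skip headers, version, random
    p += 1 + record[p]                                    # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    hs_end = 9 + int.from_bytes(record[6:9], "big")
    if p >= hs_end:
        return None                                       # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                    # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def probe_sni_requirement(host, port=443, timeout=5):
    """Handshake without SNI, then with it; returns (ok_without_sni, ok_with_sni)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                      # only the handshake outcome matters here
    results = []
    for name in (None, host):                            # None = no server_name extension sent
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                with ctx.wrap_socket(s, server_hostname=name):
                    results.append(True)
        except (ssl.SSLError, OSError):
            results.append(False)
    return tuple(results)
```

Calling probe_sni_requirement("kickass.cd") needs network access and mirrors the two openssl commands; the parser runs offline.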
Comment 2 Martin Baulig 2016-11-11 11:57:14 UTC
The new boringssl-based TLS provider which we're going to ship as a preview in Cycle 9 fixes this.