https://bugzilla.novell.com/show_bug.cgi?id=746721
https://bugzilla.novell.com/show_bug.cgi?id=746721#c0

Summary: AuthenticateAsServer does not send full chain of certificates
Classification: Mono
Product: Mono: Class Libraries
Version: 2.10.x
Platform: All
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: P5 - None
Component: System.Security
AssignedTo: fr...@suse.com
ReportedBy: p.grudzie...@gmail.com
QAContact: mono-bugs@lists.ximian.com
Found By: ---
Blocker: ---

Created an attachment (id=475850)
--> (http://bugzilla.novell.com/attachment.cgi?id=475850)
Simple server with ssl authentication. Requires a valid certificate.

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

When using SslStream.AuthenticateAsServer on Mono 2.10.2 and below, Mono sends only the server's certificate and no issuer certificates. .NET, on the other hand, sends all certificates included in the pkcs12 file.

Reproducible: Always

Steps to Reproduce:
1. Get signed certificate
2. Run attached program.cs (creates TcpListener with ssl auth)
3. Run openssl s_client -showcerts -connect foo.com:3000

Actual Results:
openssl client cannot verify certificate.
Sample output of openssl s_client on Mono 2.10.2 (Linux):

CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
-----BEGIN CERTIFICATE-----
cert0
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1506 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: masterkey....
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1329139041
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Expected Results:
Sample output on .NET (Windows).
As one can see, there is a full chain of certificates:

CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
-----BEGIN CERTIFICATE-----
cert0
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
cert1
-----END CERTIFICATE-----
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
cert2
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Hosted by XYZ/OU=PositiveSSL/CN=foo.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3967 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: sessionID
    Session-ID-ctx:
    Master-Key: masterkey...
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1329160144
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
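Added example, not part of the report or of Mono: a Python check that parses openssl s_client output like the two transcripts above and reports whether the server presented a linked chain and whether the client could verify it. The two sample transcripts embedded in it are constructed, abridged copies of the report's output with shortened DNs.

```python
import re

# Constructed samples, abridged from the two openssl s_client transcripts in the report
# (DNs shortened, PEM bodies and session details dropped; the parser skips them anyway).
MONO_OUTPUT = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=foo.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
Verify return code: 21 (unable to verify the first certificate)
"""

DOTNET_OUTPUT = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=foo.com
   i:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
 2 s:/C=US/O=The USERTRUST Network/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/CN=AddTrust External CA Root
Verify return code: 0 (ok)
"""


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in output.splitlines():
        m_s = re.match(r"\s*\d+ s:(.*)", line)
        m_i = re.match(r"\s+i:(.*)", line)
        if m_s:
            subject = m_s.group(1).strip()
        elif m_i and subject is not None:
            chain.append((subject, m_i.group(1).strip()))
            subject = None
    return chain


def check_chain(output):
    """Report chain depth, whether each cert is issued by the next one sent, and
    whether the client could verify it (num=21: only the leaf arrived, num=20: no issuer)."""
    chain = parse_chain(output)
    problems = []
    for depth in range(len(chain) - 1):
        if chain[depth][1] != chain[depth + 1][0]:
            problems.append(f"depth {depth}: issuer does not match next subject")
    for num in sorted(set(re.findall(r"verify error:num=(\d+):", output))):
        problems.append(f"client verify error {num}")
    m = re.search(r"Verify return code: (\d+)", output)
    return {"depth": len(chain), "ok": bool(m) and m.group(1) == "0", "problems": problems}
```

Run it against the saved output of `openssl s_client -showcerts` for a server; a depth of 1 together with verify error 21 is the signature of the Mono behaviour described in the report.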