Bug 24003 - Unsupported hash algorithm for SSL certificate
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security ()
Version: 3.2.x
Hardware: PC Linux
: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
Depends on:
Reported: 2014-10-22 18:08 UTC by invulnarable27
Modified: 2014-10-22 19:01 UTC

Is this bug a regression?: ---
Last known good build:


Description invulnarable27 2014-10-22 18:08:00 UTC
Mono 3.2.8
  -Ran mozroots --import --sync, certmgr -ssl url
OS: Ubuntu 14.04 LTS
Nginx 1.7.4 (sha256RSA 2048 bits) 
Postfix mail_version = 2.11 (sha256RSA 2048 bits) 

When the C# code to send mail executes (EnableSSL = true;), it throws the following exception:

System.Net.Mail.SmtpException: Message could not be sent. ---> System.IO.IOException: The authentication or decryption has failed. ---> System.ArgumentException: certificate ---> System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.113549.1.1.11
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0 
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatus

Problem was mentioned in this thread but that was for Mono 2.10: https://bugzilla.xamarin.com/show_bug.cgi?id=8788
Comment 1 invulnarable27 2014-10-22 19:01:49 UTC
Posting here as the solution:

So I dropped my existing Mono.Security.dll (v4.0.0.0 .NET Framework v4.0) into dotNetPeek (free decompiler) and looked at the code.

Drilled down into code tree: Mono.Security => Mono.Security.X509 => X509Certificate => internal bool VerifySignature(RSA rsa)

The VerifySignature() method only has 4 possible signatures, algorithm: 1.2.840.113549.1.1.11 not being one of them.

So I went and downloaded the Mono.Security.dll from the npgsql project on github (Npgsql is the .NET data provider for Postgresql): https://github.com/npgsql/npgsql/tree/master/lib/Mono.Security/4.0

Says it was released 3 months ago ~7/22/2014 with note (Update Mono.Security.dll assembly to Mono version 3.4.0)

Loaded new Mono.Security.dll into dotNetPeek and drilled down: Mono.Security => Mono.Security.X509 => X509Certificate => public virtual byte[] Signature.
Has 10 different signatures and the one I needed (1.2.840.113549.1.1.11) was there.

Deleted the OLD reference in my project to Mono.Security.dll and emptied the bin directory. Add New Reference => Browse => newly downloaded Mono.Security.dll from npgsql github => Clean => Rebuild => Deploy. Sending email works fine now.

Special thanks to the contributors of this project!
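
Added example, not part of the original report or of Mono's code: the OID in the exception, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption, matching the sha256RSA certificates listed in the description. The sketch below decodes the OID from a DER AlgorithmIdentifier and checks it against a verifier's supported set; the sample bytes are constructed, and `LEGACY_SUPPORTED` is a hypothetical set for illustration, not the actual list in Mono 3.2.8.

```python
# Decode the signature-algorithm OID from a DER AlgorithmIdentifier and
# check whether a given verifier would accept it.

# PKCS #1 signature OIDs (RFC 8017).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Constructed sample: SEQUENCE { OID sha256WithRSAEncryption, NULL }.
SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")
# Hypothetical supported set of an old verifier (assumption, not Mono's list).
LEGACY_SUPPORTED = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Convert OID content bytes (base-128 arcs) to dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    head = min(arcs[0] // 40, 2)           # first byte packs two arcs
    return ".".join(map(str, [head, arcs[0] - 40 * head] + arcs[1:]))

def check(alg_id_der, supported):
    """Return (oid, name, is_supported) for an AlgorithmIdentifier."""
    tag, seq, _ = read_tlv(alg_id_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, oid_bytes, _ = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    return oid, OID_NAMES.get(oid, "unknown"), oid in supported

if __name__ == "__main__":
    print(check(SHA256_RSA, LEGACY_SUPPORTED))
```

A verifier that rejects an unknown signature OID fails closed, which is the behaviour seen in the stack trace; the fix is a library that implements the algorithm, not disabling certificate validation.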