Bug 41653 - [AppleTLS] We don't support HTTPS server with virtual domains.
Summary: [AppleTLS] We don't support HTTPS server with virtual domains.
Alias: None
Product: iOS
Classification: Xamarin
Component: Xamarin.iOS.dll ()
Version: XI 9.8 (tvOS / C7)
Hardware: Macintosh Mac OS
Importance: --- major
Target Milestone: C7SR1
Assignee: Martin Baulig
Duplicates: 41207
Depends on:
Reported: 2016-06-09 12:25 UTC by Erlend Figenschau Lund
Modified: 2016-09-14 16:56 UTC (History)

Is this bug a regression?: ---
Last known good build:

Sample Xamarin project (45.08 KB, application/zip)
2016-06-09 12:25 UTC, Erlend Figenschau Lund


Description Erlend Figenschau Lund 2016-06-09 12:25:48 UTC
Created attachment 16246 [details]
Sample Xamarin project

Unsure which component is to blame; however, the innermost exception states the source is "Xamarin.iOS".

Bug description:
A TlsException is thrown after upgrade to Xamarin Studio 6.0.
The TlsException is thrown when a request is done over HTTPS. 
The same request succeeds on versions before XS 6.0. The exception is only thrown after upgrade.

Steps to reproduce:
A sample project which triggers the exception is attached. The sample is only implemented for iOS. Android does not seem to have the same issue.

1. Start the iOS app
2. Click "Run test"
3. Exception messages are written in the UI

Expected behaviour would be that the result from an HTTP GET request is written to the UI.

The development environment is:
Xamarin Studio Business
Version 6.0 (build 5174)
Installation UUID: 9fd4bd3c-838f-418e-b10b-afadee8f82fd
	Mono 4.4.0 (mono-4.4.0-branch-c7-baseline/5995f74) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 404000182

Not Installed

Version: (Xamarin Business)
Android SDK: /Users/erlendlund/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		2.3   (API level 10)
		4.0.3 (API level 15)
		4.1   (API level 16)
		4.4   (API level 19)
		5.0   (API level 21)
		5.1   (API level 22)
		6.0   (API level 23)

SDK Tools Version: 25.1.3
SDK Platform Tools Version: 23.1
SDK Build Tools Version: 23.0.3

Java SDK: /usr
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

Android Designer EPL code available here:

Xamarin Android Player
Version: 0.4.4
Location: /Applications/Xamarin Android Player.app

Apple Developer Tools
Xcode 7.3.1 (10188.1)
Build 7D1014

Version: (Xamarin Business)
Hash: 39ebb77
Branch: cycle7
Build date: 2016-06-01 21:23:15-0400

Not Installed

Build Information
Release ID: 600005174
Git revision: 694a75f040b7f2309bc43d4f78a3a6572ca898bf
Build date: 2016-06-01 17:28:08-04
Xamarin addins: 33f406fa2dcf214012c78cb846585f062b2e1d24
Build lane: monodevelop-lion-cycle7-baseline

Operating System
Mac OS X 10.11.5
Darwin SELENE.local 15.5.0 Darwin Kernel Version 15.5.0
    Tue Apr 19 18:36:36 PDT 2016
    root:xnu-3248.50.21~8/RELEASE_X86_64 x86_64

The innermost exception's key data with stack trace is:
- Type: Mono.Security.Interface.TlsException
- Source: "Xamarin.iOS"
- Message: "CertificateUnknown"
- StackTrace:
  at Security.Tls.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00077] in /Users/builder/data/lanes/3339/39ebb778/source/maccore/src/Security/Tls/MobileAuthenticatedStream.cs:206 
  at Security.Tls.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) [0x0000c] in /Users/builder/data/lanes/3339/39ebb778/source/maccore/src/Security/Tls/MobileAuthenticatedStream.cs:114 
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation) [0x00000] in /Users/builder/data/lanes/3339/39ebb778/source/maccore/_build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/mcs/class/System/Mono.Net.Security/MonoSslStreamWrapper.cs:89 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0001e] in /Users/builder/data/lanes/3339/39ebb778/source/maccore/_build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/mcs/class/System/Mono.Net.Security/MonoTlsStream.cs:106
Comment 1 Erlend Figenschau Lund 2016-06-10 08:15:28 UTC
A workaround is to downgrade mono to 4.2.4.
The error is therefore most probably in the mono framework 4.4.0.

For the Mono downgrade I downloaded "MonoFramework-MDK-" from http://download.mono-project.com/archive/4.2.4/macos-10-x86/ and ran the installer.

Check mono version from a terminal console:
mono --version

Prior to the downgrade, my mono was 4.4.0. 
After downgrade my mono version is 4.2.4.

It is currently unknown in which mono version the bug was introduced, which must be somewhere between 4.2.4 and 4.4.0.

A duplicate bug report has been found here https://bugzilla.xamarin.com/show_bug.cgi?id=41207
Comment 2 Ivan 2016-06-13 13:37:35 UTC
The problem is that Xamarin 6.0 does not work with mono < 4.3. So there is no way to overcome the 4.4 issue.

The alpha branch build didn't solve the problem.
Comment 3 Erlend Figenschau Lund 2016-06-13 13:40:11 UTC
To run with XS 6.0 I had to install Mono 4.3.2 - http://download.mono-project.com/archive/4.3.2/macos-10-universal/

I also have the downgrade version of Xamarin.iOS 9.6.2, but it is not known if this is necessary.
Comment 4 Ivan 2016-06-13 14:09:27 UTC
Unfortunately it didn't help :(
Comment 5 Ivan 2016-06-13 14:15:04 UTC
Disregard my previous comment, it works after rebuild!
Comment 6 Paul DiPietro [MSFT] 2016-06-13 16:13:05 UTC
*** Bug 41207 has been marked as a duplicate of this bug. ***
Comment 7 Sebastien Pouliot 2016-06-21 13:37:42 UTC
This works fine with the old MonoTLS but fails with AppleTLS, even with SR0.

The weird thing is that both are delegating the certificate checks to iOS (Apple code), so this should get identical results.

Workaround: change your project options (iOS Build) to use "Mono (TLS v1.0)". This is the same code that shipped with earlier versions of XI.
Comment 8 Martin Baulig 2016-06-21 17:08:01 UTC
Very interesting test case.  This actually isn't a certificate validation issue at all - the certificate validator rightfully rejects the certificate that's given to it.

The problem is that this server is using virtual domains and we don't call SSLSetPeerDomainName() prior to starting the handshake.  Without that, the server assumes a request to the general azure home page and it replies with this certificate:

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
            Not Before: Jan 12 20:55:27 2015 GMT
            Not After : Jan 11 20:55:27 2017 GMT
        Subject: CN=*.azurewebsites.net


            X509v3 Subject Key Identifier: 
            X509v3 Subject Alternative Name: 
                DNS:*.azurewebsites.net, DNS:*.scm.azurewebsites.net, DNS:*.azure-mobile.net, DNS:*.scm.azure-mobile.net
            X509v3 Authority Key Identifier: 

You can verify this by doing

$ openssl s_client -connect tlstest.esmartapi.com:443 -showcerts

then copy & paste the first certificate into a text file and do

$ openssl x509 -in test.cert -text 

It shouldn't be too difficult to add that SSLSetPeerDomainName() call, so we should have a hotfix shortly and also consider this for SR0.
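The failure described in Comment 8 is a hostname mismatch, not a broken trust chain: without SNI the server hands back its default `*.azurewebsites.net` certificate, and the validator correctly refuses to accept it for `tlstest.esmartapi.com`. The following is an added illustration of that name-matching step, not code from the bug or from Xamarin.iOS. It parses the Subject Alternative Name line quoted above (the sample line is constructed from Comment 8's `openssl x509 -text` output, not a live capture) and applies RFC 6125-style wildcard rules, so a reader can see exactly which hostnames that certificate would and would not satisfy.

```python
"""Hostname vs. certificate SAN matching (added example, not project code)."""
import re

# Constructed from the certificate dump quoted in Comment 8 of this bug.
SAMPLE_SAN_LINE = (
    "DNS:*.azurewebsites.net, DNS:*.scm.azurewebsites.net, "
    "DNS:*.azure-mobile.net, DNS:*.scm.azure-mobile.net"
)


def parse_san_dns_names(san_line):
    """Extract the DNS entries from an 'X509v3 Subject Alternative Name' value line."""
    names = []
    for entry in san_line.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip().lower())
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is only accepted as
    the entire leftmost label and matches exactly one label (so *.example.com
    matches a.example.com but not a.b.example.com or example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (f*.example.com) and wildcards in non-leftmost labels.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse over-broad wildcards such as "*.com" or "*".
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches_host(san_line, hostname):
    """Return (matched, presented_names) so a caller can log what the peer sent."""
    names = parse_san_dns_names(san_line)
    return any(dns_name_matches(n, hostname) for n in names), names


if __name__ == "__main__":
    # The first host is the one from the bug; the others show the wildcard scope.
    for host in ("tlstest.esmartapi.com", "myapp.azurewebsites.net", "a.b.azurewebsites.net"):
        ok, names = certificate_matches_host(SAMPLE_SAN_LINE, host)
        print(f"{host}: {'match' if ok else 'name mismatch (CertificateUnknown)'}")
```

The client-side remedy is the one Comment 8 names: send the intended hostname in the TLS handshake so the server can pick the right certificate (`SSLSetPeerDomainName()` in Apple's Secure Transport; in Python's `ssl` module the equivalent is passing `server_hostname=` to `SSLContext.wrap_socket`). When a deployment shows `CertificateUnknown` against a shared-hosting or CDN endpoint, running the `openssl s_client -connect host:443 -showcerts` command from Comment 8 both with and without `-servername host` and comparing the SAN lines is a quick way to confirm that SNI, not the trust store, is the cause.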
Comment 9 Martin Baulig 2016-06-21 17:12:16 UTC
This is likely going to affect everybody who's using Azure or another HTTPS server with virtual domains.
Comment 11 Sebastien Pouliot 2016-07-06 19:36:58 UTC
Merged https://github.com/xamarin/maccore/pull/525
Comment 12 Arpit Jha 2016-07-07 09:55:05 UTC
Reproduce Status : Reproduced
I have checked this issue with stable XI (Xamarin Enterprise) Hash: 3cf8aae and observed that I get a certification error 'Error: TrustFailure (CertificateUnknown)' when clicking the 'Run Test' button.
Screencast : http://www.screencast.com/t/BO1P4lUY

Verify Status : Verified
I have checked this issue with C7 build xamarin.ios 641627f2ea75eb27b01212b0c80cb and observed that I do not get any error when the 'Run Tests' button is clicked.
Screencast : http://www.screencast.com/t/2Z4sLAqYmdY

Env Info: https://gist.github.com/Arpit360/a70423701a7f4d0788d0bd2c0a676486
Comment 13 Thibault Durand 2016-09-12 12:23:08 UTC
In which version(s) of Mono is this supposed to be fixed?

I'm getting this error with Cycle 8 of Xamarin.iOS (Mono 4.6.0) and an Azure backend (WebApp behind a Traffic Manager) with custom domain and SSL/TLS certificate.
Comment 14 Brendan Zagaeski (Xamarin Team, assistant) 2016-09-12 19:44:47 UTC
@Thibault, thanks for the report.  This does appear to have regressed in the current Cycle 8 builds.  I have filed that re-breakage under a new Bug 44225.

(If you find any more like this, please do file brief new bug reports for them to ensure they are reviewed and investigated properly.  Comments on "verified fixed" bugs aren't as visible to the engineering team for prioritization as new bug reports.  Thanks much!)