Bug 59914 - Installed Root certificate breaks HttpClientHandler SSL in iOS 11
Status: VERIFIED DUPLICATE of bug 58411
Alias: None
Product: iOS
Classification: Xamarin
Component: BCL Class Libraries ()
Version: XI 11.0 (xcode9)
Hardware: Macintosh Mac OS
Target Milestone: Untriaged
Assignee: Bugzilla
Reported: 2017-10-03 13:01 UTC by Hugo Logmans
Modified: 2017-10-05 20:37 UTC (History)

Tags: X509Certificate TrustFailure Root Certificate

Test project showing the problem + root certificate to be installed (18.58 KB, application/zip)
2017-10-03 13:01 UTC, Hugo Logmans

Description Hugo Logmans 2017-10-03 13:01:14 UTC
Created attachment 25068
Test project showing the problem + root certificate to be installed

Since iOS 11, when I do a call using HttpClientHandler for a site which has a local root certificate installed, it fails verifying the chain. Using NSUrlSessionHandler, all is fine.

Example code:
    var netResultMessage = await (new HttpClient(new HttpClientHandler())).GetAsync("https://www.op-bezoek.nl/favicon.ico");
    var nativeResultMessage = await (new HttpClient(new NSUrlSessionHandler())).GetAsync("https://www.op-bezoek.nl/favicon.ico");

A TrustFailure exception on the first line.

Both calls succeed.

- iOS 11 (earlier versions work fine, device only)
- the Comodo root certificate (that is part of the certificate chain of the website) is manually installed (airdrop it to the iPhone and install it).

Some additional info:
- I need to use the Managed stack because I have some SOAP calls in my application.
- This is a simplified example for a managed device.
- I have a modified client handler (partially based on ModernHttpClient) that does not have this problem. So it seems to have to do with the way the HttpClientHandler connects to the SSL session native component.
- The installed certificate interferes only with the server for which the chain is based on that root certificate.

Version info:
Visual Studio Enterprise 2017 for Mac
Version 7.1.5 (build 2)
Installation UUID: xxxxxxxxxxxxxxx
	Mono (d15-3/14f2c81) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 502000224


.NET Core
Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
SDK: /usr/local/share/dotnet/sdk/1.0.3/Sdks
SDK Versions:
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/5.2.0/lib/mono/msbuild/15.0/bin/Sdks

Version: 1.5.5
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

Apple Developer Tools
Xcode 9.0 (13247)
Build 9A235

Version: (Visual Studio Enterprise)
Hash: 152b654a
Branch: xcode9
Build date: 2017-09-15 02:25:56-0400

Version: (Visual Studio Enterprise)
Android SDK: /Users/hlogmans/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		4.4 (API level 19)
		5.0 (API level 21)
		6.0 (API level 23)
		7.0 (API level 24)
		7.1 (API level 25)

SDK Tools Version: 26.0.2
SDK Platform Tools Version: 25.0.6
SDK Build Tools Version: 25.0.1

Java SDK: /usr
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Xamarin Inspector
Version: 1.3.1
Hash: cbc48dd
Branch: 1.3-release
Build date: Thu, 21 Sep 2017 19:52:53 GMT
Client compatibility: 1

Build Information
Release ID: 701050002
Git revision: 7afedcaef8e7542e70e3cf8f9bdb26938b8c0876
Build date: 2017-09-15 08:39:58-04
Xamarin addins: 3262aadf811a18c12eac6742532d052b0139a808
Build lane: monodevelop-lion-d15-3-xcode9

Operating System
Mac OS X 10.12.6
Darwin 16.7.0 Darwin Kernel Version 16.7.0
    Thu Jun 15 17:36:27 PDT 2017
    root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64

Enabled user installed addins
Redth's Addins 1.0.9

Comment 1 Vincent Dondain [MSFT] 2017-10-03 18:32:13 UTC

I can confirm I could reproduce this bug on an iOS 11 device (works fine on iOS 10) with the following environment: https://gist.github.com/VincentDondain/ca29ae37b4192a126fb510e4f907c837 (also tried with XI and it failed too).

To repro you indeed need to install the Comodo root certificate (airdrop it to the iPhone and install it).

On iOS 11 I'm getting this output on screen:

Natrive: True
Managed: Error: TrustFailure (CertificateUnknown)
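
Added example (not part of the bug report or of Xamarin's code): a diagnostic for a TrustFailure like the one above that prints each chain element and its status flags while leaving the platform's trust decision unchanged. It assumes a current .NET runtime where `HttpClientHandler.ServerCertificateCustomValidationCallback` is available, not the Xamarin.iOS managed stack in this report; `ChainDiagnostics` and `Describe` are hypothetical names, and the no-argument path uses a constructed self-signed certificate.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class ChainDiagnostics   // hypothetical name, added example
{
    // Renders the validator's verdict plus every chain element and its status flags.
    static string Describe(X509Chain chain, SslPolicyErrors errors)
    {
        var sb = new StringBuilder($"SslPolicyErrors = {errors}\n");
        if (chain == null) return sb.ToString();
        foreach (X509ChainElement e in chain.ChainElements)
        {
            sb.Append($"  {e.Certificate.Subject} (issuer: {e.Certificate.Issuer}, sha1: {e.Certificate.Thumbprint})\n");
            foreach (X509ChainStatus s in e.ChainElementStatus)
                sb.Append($"    {s.Status}: {s.StatusInformation?.Trim()}\n");
        }
        return sb.ToString();
    }

    static async Task Main(string[] args)
    {
        if (args.Length > 0)   // args[0] is the HTTPS URL to diagnose
        {
            // Log the chain, then return the platform's own verdict unchanged.
            var handler = new HttpClientHandler();
            handler.ServerCertificateCustomValidationCallback = (req, c, ch, errs) =>
                { Console.Write(Describe(ch, errs)); return errs == SslPolicyErrors.None; };
            using (var client = new HttpClient(handler))
                try { Console.WriteLine((await client.GetAsync(args[0])).StatusCode); }
                catch (HttpRequestException ex) { Console.WriteLine("Failed: " + (ex.InnerException?.Message ?? ex.Message)); }
            return;
        }
        // Offline run: a constructed self-signed certificate that no trust store contains.
        using (var key = RSA.Create(2048))
        using (var cert = new CertificateRequest("CN=constructed-test-root", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1)))
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool trusted = chain.Build(cert);
            Console.Write(Describe(chain, trusted ? SslPolicyErrors.None : SslPolicyErrors.RemoteCertificateChainErrors));
        }
    }
}
```

The callback only observes: a chain the platform rejects stays rejected, so the output can be compared between an affected and an unaffected device without weakening validation.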

Comment 2 Vincent Dondain [MSFT] 2017-10-03 18:34:34 UTC
Both bugs are using the same `Comodo` certificate and it's been noted that it works on iOS 10 but not iOS 11 too (https://bugzilla.xamarin.com/show_bug.cgi?id=58411#c5).

*** This bug has been marked as a duplicate of bug 58411 ***

Comment 3 GouriKumari 2017-10-05 20:34:46 UTC
Installed the Comodo certificate on an iPhone with iOS 11 and reproduced the issue with XI (d15-4 beta build).

Verified fix with XI I am not getting any trust failure (certificate unknown) error on the same environment with fix. 

## Logs:
Build log: 

## Test Env:
XI (Success)
XI (Failed)