Bug 46602

Summary: MobileAuthenticatedStream.AuthenticateAsServer() via EndPointListener
Product: [Mono] Class Libraries Reporter: Guerry Semones <guerry>
Component: Mono.SecurityAssignee: Martin Baulig <martin.baulig>
Status: IN_PROGRESS ---    
Severity: normal CC: alkpli, guerry, masafa, mono-bugs+mono, RustyT21, ShannonRichard
Priority: ---    
Version: 4.8.0 (C9)   
Target Milestone: Untriaged   
Hardware: Macintosh   
OS: Mac OS   
Tags: Is this bug a regression?: ---
Last known good build:
Attachments: Sample Mac/Win console app that shows bug on Mac and works on Win

Description Guerry Semones 2016-11-08 18:06:39 UTC
Created attachment 18382 [details]
Sample Mac/Win console app that shows bug on Mac and works on Win

We have a service that we run as a console app on OS X, and a service on Windows. The service is using OWIN and SignalR. The app binds an SSL certificate to port 3362 for secure communication. A client talks via HTTPS and WebSockets to that port.

When the service runs on Windows, everything works fine. We are running using .NET 4.6 and using the default TLS.

When the service runs on OS X (v10.11.5 El Capitan) on BoringTLS, we get a null pointer exception (listed below). 

On Mac, we are running under Mono 4.9 (trunk?) built from github using BoringTLS.

We are using LetsEncrypt certificates.

Mono JIT compiler version 4.9.0 (master/9488647 Wed Nov  2 15:34:44 CDT 2016)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           normal
	SIGSEGV:       altstack
	Notification:  kqueue
	Architecture:  x86
	Disabled:      none
	Misc:          softdebug
	LLVM:          supported, not enabled.
	GC:            sgen (concurrent by default)

Mono runtime version: 4.9.0 (master/9488647 Wed Nov  2 15:34:44 CDT 2016)
TLS Provider: Mono.Btls.MonoBtlsProvider

I have attached a Mac/Win solution that demonstrates the problem. I made it as simple as I could, but still using OWIN and SignalR as I know that is the configuration that shows the bug. The app includes a test LetsEncrypt.org certificate. The included P12 includes the LetsEncrypt CA cert and our test cert. It does not include the IdentTrust/DST ROOT certificate. We have also tested adding that to the P12, but get the same exception.

On Mac, build the project by switching to the top level directory and:
1. nuget restore CertTest.Mac.sln
2. xbuild CertTest.Mac.sln
3. cd CertTest.Mac/bin/Debug (run from here so that app finds the certificate)
4. mono ./CertTest.Mac.exe
   4.1 app should run using BTLS, and you will see the certificate loading and being bound to port 3362.
5. In a browser, visit the following link to the service and load the list of available SignalR hubs. We have test.edna-direct.com resolving to the loopback address.  The link: https://test.edna-direct.com:3362/signalr/hubs
6. The service should crash with the null pointer exception.

On Windows, open the CertTest.Win.sln solution in Visual Studio 2015 and:
1. Manage nuget packages and do a restore of all the missing packages.
2. Build the solution.
3. Run the app in Debug mode.
4. The app should run using the default TLS.
5. In a browser, visit the following link to the service and load the list of available SignalR hubs. We have test.edna-direct.com resolving to the loopback address.  The link: https://test.edna-direct.com:3362/signalr/hubs
6. The included certificate is a test certificate, and so you will need to tell the browser to trust it.
7. The browser will display the SignalR hubs provided by the service.
8. Success.

Here is the exception below. From some debugging I did, it looks like ProcessAuthentication is called twice concurrently. This probably accounts for repeated exception?

Please let me know what I can do to help or other info that might be needed.

Thanks,

Guerry

== BEGIN ==

Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x000ce] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection.Init () [0x0001d] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00096] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00052] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x00014] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.Socket.<AcceptAsyncCallback>m__4 (System.IAsyncResult ares) [0x000a0] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncResult+<Complete>c__AnonStorey0.<>m__0 (System.Object _) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00019] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00096] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in <992e99568a1e41689358759ef1985394>:0

Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x000ce] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection.Init () [0x0001d] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00096] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00052] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x00014] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.Socket.<AcceptAsyncCallback>m__4 (System.IAsyncResult ares) [0x000a0] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncResult+<Complete>c__AnonStorey0.<>m__0 (System.Object _) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00019] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00096] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in <992e99568a1e41689358759ef1985394>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x000ce] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection.Init () [0x0001d] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00096] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00052] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x00014] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.Socket.<AcceptAsyncCallback>m__4 (System.IAsyncResult ares) [0x000a0] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncResult+<Complete>c__AnonStorey0.<>m__0 (System.Object _) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00019] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00096] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in <992e99568a1e41689358759ef1985394>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.NullReferenceException: Object reference not set to an instance of an object
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x000ce] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection.Init () [0x0001d] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00096] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00052] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x00014] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.Socket.<AcceptAsyncCallback>m__4 (System.IAsyncResult ares) [0x000a0] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Net.Sockets.SocketAsyncResult+<Complete>c__AnonStorey0.<>m__0 (System.Object _) [0x00000] in <1d0bf0ce964143aaa1cd5c0057775cb4>:0
  at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00019] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00096] in <992e99568a1e41689358759ef1985394>:0
  at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in <992e99568a1e41689358759ef1985394>:0

== END ==
Comment 1 Martin Baulig 2016-11-11 11:30:53 UTC
Possibly related to #46549 and #42391 - the stack trace looks similar.
Comment 2 Guerry Semones 2016-12-08 17:13:30 UTC
Do we have any idea of the priority on this bug? Unless there is a work-around, our product project is blocked by this issue.

Much thanks,

Guerry
Comment 3 Rusty 2016-12-28 21:21:44 UTC
After upgrading our Mac Application (also OWIN Self-host) to use the new BTLS provider we're also getting this same exception.  We're also very interested in the fix or any work-around we could code.

Thanks,
Rusty

Unhandled Exception:
System.NullReferenceException: Object reference not set to an instance of an object
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00077] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:217 
  at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00010] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:154 
  at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsServer (System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean clientCertificateRequired, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/Mono.Net.Security/MonoSslStreamWrapper.cs:100 
  at System.Net.HttpConnection.Init () [0x0000b] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net/HttpConnection.cs:114 
  at System.Net.HttpConnection..ctor (System.Net.Sockets.Socket sock, System.Net.EndPointListener epl, System.Boolean secure, System.Security.Cryptography.X509Certificates.X509Certificate cert) [0x00096] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net/HttpConnection.cs:100 
  at System.Net.EndPointListener.ProcessAccept (System.Net.Sockets.SocketAsyncEventArgs args) [0x00052] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net/EndPointListener.cs:124 
  at System.Net.EndPointListener.OnAccept (System.Object sender, System.Net.Sockets.SocketAsyncEventArgs e) [0x00000] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net/EndPointListener.cs:133 
  at System.Net.Sockets.SocketAsyncEventArgs.OnCompleted (System.Net.Sockets.SocketAsyncEventArgs e) [0x00014] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net.Sockets/SocketAsyncEventArgs.cs:210 
  at System.Net.Sockets.SocketAsyncEventArgs.Complete () [0x00000] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net.Sockets/SocketAsyncEventArgs.cs:200 
  at System.Net.Sockets.Socket.<AcceptAsyncCallback>m__0 (System.IAsyncResult ares) [0x000a0] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net.Sockets/Socket.cs:945 
  at System.Net.Sockets.SocketAsyncResult+<Complete>c__AnonStorey0.<>m__0 (System.Object _) [0x00000] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/System/System.Net.Sockets/SocketAsyncResult.cs:150 
  at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem () [0x00019] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/referencesource/mscorlib/system/threading/threadpool.cs:1277 
  at System.Threading.ThreadPoolWorkQueue.Dispatch () [0x00096] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/referencesource/mscorlib/system/threading/threadpool.cs:854 
  at System.Threading._ThreadPoolWaitCallback.PerformWaitCallback () [0x00000] in /private/tmp/source-mono-4.8.0/bockbuild-mono-4.8.0-branch/profiles/mono-mac-xamarin/build-root/mono-x86/mcs/class/referencesource/mscorlib/system/threading/threadpool.cs:1209
Comment 4 Alexander Köplinger [MSFT] 2017-01-10 21:45:35 UTC
I opened a pull request for the main issue here: https://github.com/mono/mono/pull/4224

With this fix hitting the SignalR hub URL via curl works and returns the JS, but doing the same in a browser (e.g. Chrome) still seems to crash the app. However, I'm seeing the same behavior with the legacy TLS on Mono 4.6.2 so it might be a different issue.

@Guerry thank you very much for the excellent repro project!
Comment 5 Guerry Semones 2017-01-10 22:31:52 UTC
Yay! Much thanks Alexander!

I'll try and pull the bits and test on our end!
Comment 6 Alexander Köplinger [MSFT] 2017-01-20 15:26:45 UTC
*** Bug 51617 has been marked as a duplicate of this bug. ***
Comment 7 Rusty 2017-02-02 20:22:30 UTC
Hey Guerry,

Were you able to get SignlaR self-hosting via SSL working on your end?  Our solution is currently working good on Mono 4.2.3, but we now must upgrade for TLS 1.2 support.  After upgrading, we ran into this bug, but we are now getting passed it with Alexander’s modifications so we no longer crash when requesting the SignalR Proxy.  We’re running into a separate issue now (only when using SSL) where SignalR sporadically hangs on the negotiate request.  I’ve found that if I take that request and put it into the browser URL and run manually it will work one time and then hang the next (The request will stay pending) over and over again.

I’ve been working on this for a couple of weeks now and have reproduced this behavior with JavaScript and .NET clients on Mac.  Are you experiencing any similar behavior on your end?

Thanks,
Rusty
Comment 8 Guerry Semones 2017-02-06 15:13:59 UTC
Hi Rusty,

Sorry, no, life got complicated illness and such, and I have yet to get back and test this, which is frustrating. Also, I've moved my project to Xamarin.Mac, and am not sure when this fix will appear in the distribution, nor how to find that out. Hints anyone? 

We have not seen that kind of SignalR behavior at all in the absence of TLS 1.2, and so would assume it may be related. I'd suggest you create another bug entry and share your code and the steps to reproduce. If you don't mind, post the bug number here or message me so I can track what happens there too.

Thanks,

Guerry
Comment 9 Rusty 2017-02-06 15:57:59 UTC
Thanks Guerry, I hear you on that, we just got out of the hospital with the same!

That's what I figured needed to happen, funny I just told my team that's what I was going to be working on, creating a reproducible test app and Xamarin bug to share with others in hopes to resolve this issue more quickly.  

We have been using Xamarin.Mac for a little while now, but are new to Mono development, so it's been a nice change of pace to our normal .NET development. We actually had a business license before Microsoft purchased Xamarin.  This 46602 bug fix was applied to 4.8.0.459, but after reading the comments in the pull request, https://github.com/mono/mono/pull/4224, my guess is there will be further modifications.  As far as I can tell, we need to monitor that pull request and this bug to see when it actually gets applied to a release and not just an alpha or beta?  Maybe someone could elaborate on that?

I will for sure link the new bug in a comment here.  I'm happy to help you and others out in anyway I can, you're work in the mono requirement to have client side certificates for JS clients has definitely helped us out!
Comment 10 Guerry Semones 2017-02-06 16:04:47 UTC
Hey Rusty, if you've not pulled together a test app, you might try the one I posted with this bug and see if you can reproduce the issue with that. If you can or can't may be telling in and of itself....

You can get my email info in the link on my name at the top of the bug report.

Thanks!

Guerry