Bug 44708 - "TrustFailure (The authentication or decryption has failed.) ... Invalid certificate received from server." with "Error code: 0x5" or "Error code: 0xffffffff800b010f" when attempting to access HTTPS servers on ports other than 443
Status: VERIFIED FIXED
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security
Version: 4.6.0 (C8)
Hardware: PC All
Importance: High critical
Target Milestone: 4.6.x (C8SR0)
Assignee: Martin Baulig
URL:
Depends on:
Blocks:
Reported: 2016-09-23 23:18 UTC by Brendan Zagaeski (Xamarin Support)
Modified: 2016-11-12 23:38 UTC (History)

See Also:
Tags: BZRC8S1_C7SR1S1
Is this bug a regression?: Yes
Last known good build: Mono 4.4.2 (mono-4.4.0-branch-c7sr1/f72fe45)



Description Brendan Zagaeski (Xamarin Support) 2016-09-23 23:18:06 UTC
"TrustFailure (The authentication or decryption has failed.) ... Invalid certificate received from server." with "Error code: 0x5" or "Error code: 0xffffffff800b010f" when attempting to access certain HTTPS servers




## Steps to replicate

Run the following lines in a `csharp` command prompt, but replace "problematic-server" with a server that demonstrates this issue (a private example will be provided in the next comment).


```csharp
using System.Net;
var client = new WebClient();
// The trailing expression has no semicolon so the csharp shell prints the downloaded content
client.DownloadString("https://problematic-server")
```




## Regression status: Regression in Cycle 8

BAD:  Mono 4.9.0 (master/112631f) (near the current tip of master)
BAD:  Mono 4.6.0 (mono-4.6.0-branch/8d0eee7) Cycle 8 SR 0
BAD:  Mono 4.6.0 (mono-4.6.0-branch/746756c) Cycle 8
GOOD: Mono 4.4.2 (mono-4.4.0-branch-c7sr1/f72fe45)




## BAD Results with 4.6.0, MONO_TLS_PROVIDER=oldtls

> System.Net.WebException: Error: TrustFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0x5
>   at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) [0x00040] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>   at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (System.IAsyncResult ar, System.Boolean ignoreEmpty) [0x00000] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>   at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (System.IAsyncResult result) [0x00071] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>    --- End of inner exception stack trace ---
>   at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (System.IAsyncResult result) [0x0003b] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>   at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (System.IAsyncResult asyncResult) [0x0000c] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>    --- End of inner exception stack trace ---
>   at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00057] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>   at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) [0x00011] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>   at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000e] in <0cee4bcea64d4e89aeed3b94cb2550cd>:0 
>   at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x00044] in <affe4060066c42de8cdd6027cdb92b56>:0 
>    --- End of inner exception stack trace ---
>   at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x0008a] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at System.Net.WebClient.DownloadString (System.Uri address) [0x00027] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at System.Net.WebClient.DownloadString (System.String address) [0x00019] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at (wrapper remoting-invoke-with-check) System.Net.WebClient:DownloadString (string)
>   at <InteractiveExpressionClass>.Host (System.Object& $retval) [0x00000] in <98a9cd3da5cd43d684cd687cb77bc59f>:0 
>   at Mono.CSharp.Evaluator.Evaluate (System.String input, System.Object& result, System.Boolean& result_set) [0x0003e] in <2f520483831a438e93ee4a73cdd4212a>:0 
>   at Mono.CSharpShell.Evaluate (System.String input) [0x00000] in <693eac6b8b7545318543ea23138aba75>:0



## BAD Results with 4.6.0, MONO_TLS_PROVIDER=newtls

> System.Net.WebException: Error: SecureChannelFailure (Value cannot be null.
> Parameter name: type) ---> System.ArgumentNullException: Value cannot be null.
> Parameter name: type                     
>   at System.Activator.CreateInstance (System.Type type, System.Reflection.BindingFlags bindingAttr, System.Reflection.Binder binder, System.Object[] args, System.Globalization.CultureInfo culture, System.Object[] activationAttributes) [0x00006] in <94fd79a3b7144c54b4cb162b50fc7761>:0 
>   at System.Activator.CreateInstance (System.Type type, System.Object[] args) [0x00000] in <94fd79a3b7144c54b4cb162b50fc7761>:0 
>   at Mono.Security.Providers.NewTls.TlsProviderFactory.CreateInstance (System.String typeName, System.Object[] args) [0x00011] in <91c1b63e4625481a83d1d54619cbcf63>:0                    
>   at Mono.Security.Providers.NewTls.TlsProviderFactory.CreateTlsConfiguration (System.String hostname, System.Boolean serverMode, Mono.Security.Interface.TlsProtocols protocolFlags, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Boolean remoteCertRequired, Mono.Security.Interface.MonoTlsSettings settings) [0x00059] in <91c1b63e4625481a83d1d54619cbcf63>:0 
>   at Mono.Security.Providers.NewTls.NewTlsProvider.CreateTlsContext (System.String hostname, System.Boolean serverMode, Mono.Security.Interface.TlsProtocols protocolFlags, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Boolean remoteCertRequired, Mono.Security.Interface.MonoEncryptionPolicy encryptionPolicy, Mono.Security.Interface.MonoTlsSettings settings) [0x00000] in <91c1b63e4625481a83d1d54619cbcf63>:0 
>   at Mono.Net.Security.Private.MonoTlsProviderWrapper.CreateTlsContext (System.String hostname, System.Boolean serverMode, Mono.Security.Interface.TlsProtocols protocolFlags, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Boolean remoteCertRequired, System.Boolean checkCertName, System.Boolean checkCertRevocationStatus, Mono.Security.Interface.MonoEncryptionPolicy encryptionPolicy, Mono.Security.Interface.MonoTlsSettings settings) [0x00000] in <a90781a528a147a79e304696736ffe3d>:0 
>   at System.Net.Security.GlobalSSPI.Create (System.String hostname, System.Boolean serverMode, System.Net.Security.SchProtocols protocolFlags, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Boolean remoteCertRequired, System.Boolean checkCertName, System.Boolean checkCertRevocationStatus, System.Net.Security.EncryptionPolicy encryptionPolicy, System.Net.Security.LocalCertSelectionCallback certSelectionDelegate, System.Net.Security.RemoteCertValidationCallback remoteValidationCallback, System.Net.Security.SSPIConfiguration userConfig) [0x00035] in <a90781a528a147a79e304696736ffe3d>:0 
>   at System.Net.Security.SecureChannel..ctor (System.String hostname, System.Boolean serverMode, System.Net.Security.SchProtocols protocolFlags, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Boolean remoteCertRequired, System.Boolean checkCertName, System.Boolean checkCertRevocationStatus, System.Net.Security.EncryptionPolicy encryptionPolicy, System.Net.Security.LocalCertSelectionCallback certSelectionDelegate, System.Net.Security.RemoteCertValidationCallback remoteValidationCallback, System.Net.Security.SSPIConfiguration config) [0x00093] in <a90781a528a147a79e304696736ffe3d>:0 
>   at System.Net.Security.SslState.ValidateCreateContext (System.Boolean isServer, System.String targetHost, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Boolean remoteCertRequired, System.Boolean checkCertRevocationStatus, System.Boolean checkCertName) [0x0011b] in <a90781a528a147a79e304696736ffe3d>:0 
>   at System.Net.Security.SslState.ValidateCreateContext (System.Boolean isServer, System.String targetHost, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Security.Cryptography.X509Certificates.X509Certificate serverCertificate, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Boolean remoteCertRequired, System.Boolean checkCertRevocationStatus) [0x00000] in <a90781a528a147a79e304696736ffe3d>:0 
>   at System.Net.Security.SslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in <a90781a528a147a79e304696736ffe3d>:0 
>   at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00006] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x00044] in <affe4060066c42de8cdd6027cdb92b56>:0 
>    --- End of inner exception stack trace ---
>   at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x0008a] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at System.Net.WebClient.DownloadString (System.Uri address) [0x00027] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at System.Net.WebClient.DownloadString (System.String address) [0x00019] in <affe4060066c42de8cdd6027cdb92b56>:0 
>   at (wrapper remoting-invoke-with-check) System.Net.WebClient:DownloadString (string)
>   at <InteractiveExpressionClass>.Host (System.Object& $retval) [0x00000] in <1cfcf61c67654fa396a4de42324aea64>:0 
>   at Mono.CSharp.Evaluator.Evaluate (System.String input, System.Object& result, System.Boolean& result_set) [0x0003e] in <2f520483831a438e93ee4a73cdd4212a>:0 
>   at Mono.CSharpShell.Evaluate (System.String input) [0x00000] in <693eac6b8b7545318543ea23138aba75>:0 



## Different "Error code" on Android (for searchability of the bug)

> System.Net.WebException: Error: TrustFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010f




## GOOD results with Mono 4.4.2 

The HTML content of the page is downloaded and displayed successfully.
Comment 3 Brendan Zagaeski (Xamarin Support) 2016-09-24 00:14:00 UTC
## Partial workarounds for HttpClient only on Xamarin.Android and Xamarin.iOS: use alternate HttpClient handlers



### iOS

Select "CFNetwork (iOS 6+)" or "NSUrlSession (iOS 7+)" in the project properties.

Visual Studio:  "iOS Build > Advanced [tab] > HttpClient implementation"
Xamarin Studio: "iOS Build > HttpClient implementation"



### Android

Select AndroidClientHandler in the project properties.

Visual Studio:  "Android Options > Advanced [tab] > HttpClient Implementation"
Xamarin Studio: "Android Build > General [tab] > HttpClient implementation"

(Or install and use ModernHttpClient: https://www.nuget.org/packages/modernhttpclient/)
Comment 4 Brendan Zagaeski (Xamarin Support) 2016-09-24 00:38:45 UTC
Unfortunately, when the SSL/TLS implementation is set to "Apple TLS" on iOS, the exception and stack trace produced by this problem are identical to Bug 44225, even though the 2 problems are clearly distinct because Bug 44225 _only affected_ "Apple TLS" but this bug also affects Mono TLS.



### For searchability, here is the _non-specific_ TLS exception message and top of the stack trace that appears for this bug on Xamarin.iOS when using the Apple TLS setting

> Unhandled Exception:
> System.AggregateException: One or more errors occurred. ---> System.Net.WebException: Error: TrustFailure (CertificateUnknown) ---> Mono.Security.Interface.TlsException: CertificateUnknown
>   at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Net.LazyAsyncResult lazyResult) [0x00077] in /Users/builder/data/lanes/3818/c9eb5b03/source/xamarin-macios/_ios-build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:217 
>   at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000c] in /Users/builder/data/lanes/3818/c9eb5b03/source/xamarin-macios/_ios-build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:125 
>   at Mono.Net.Security.Private.MonoSslStreamWrapper.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /Users/builder/data/lanes/3818/c9eb5b03/source/xamarin-macios/_ios-build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/mcs/class/System/Mono.Net.Security/MonoSslStreamWrapper.cs:75 
>   at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0001e] in /Users/builder/data/lanes/3818/c9eb5b03/source/xamarin-macios/_ios-build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/mcs/class/System/Mono.Net.Security/MonoTlsStream.cs:99
Comment 5 Brendan Zagaeski (Xamarin Support) 2016-09-24 01:57:40 UTC
This might be related to the port used to access the server.  The one example seen so far uses a port other than the default HTTPS port 443, and switching the request to use the default port 443 does avoid the issue for that particular example.
Comment 6 NMackay 2016-09-26 09:29:11 UTC
Hi,

In our case I can confirm the ports used are not 443; they are in the 8000 range.

I'll reply directly to the support ticket and can provide further technical information. The server is a VM Server, 2008 R2.


Changing the AndroidClientHandler settings makes no difference, no luck with altering the iOS settings either, same issues persist.

The only way to get it working is to use ServicePointManager to override the certificate callback error (as we have had to do with simulators since 2014), but for production endpoints that is a no-no from a security point of view.

Thanks,
Norman.
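The "override the certificate callback" workaround Norman refers to is a `ServicePointManager.ServerCertificateValidationCallback` that unconditionally returns `true`, which switches off server authentication for every request in the process. The following added example (not code from the bug report or from the Mono project) shows the diagnostic alternative: a callback that logs the policy errors and chain status reported for a non-443 endpoint and then returns the same verdict the runtime would have reached on its own, so the failure can be investigated without weakening validation. The endpoint `https://problematic-server:8443/` is a placeholder.

```csharp
// Added example, not part of the original bug report or of Mono itself.
// Shows how to record *why* certificate validation failed for an HTTPS
// endpoint on a non-default port without disabling validation.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class TlsDiagnostics
{
    // Placeholder endpoint (hypothetical host and port); replace with your own.
    const string Endpoint = "https://problematic-server:8443/";

    static void Main()
    {
        // INSECURE workaround (shown only for contrast, do not ship):
        // accepts any certificate, so a man-in-the-middle is never detected.
        // ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;

        // Diagnostic callback: log details, keep the runtime's verdict.
        ServicePointManager.ServerCertificateValidationCallback = LogAndValidate;

        try
        {
            using (var client = new WebClient())
            {
                string html = client.DownloadString(Endpoint);
                Console.WriteLine("Downloaded {0} characters", html.Length);
            }
        }
        catch (WebException ex)
        {
            // Walk the inner exceptions: the TlsException with the
            // "Invalid certificate received from server" text sits at the bottom.
            Console.WriteLine("Request failed: {0}", ex.Status);
            for (Exception inner = ex; inner != null; inner = inner.InnerException)
                Console.WriteLine("  {0}: {1}", inner.GetType().Name, inner.Message);
        }
    }

    static bool LogAndValidate(object sender, X509Certificate certificate,
                               X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // For HttpWebRequest/WebClient the sender is the request being validated.
        var request = sender as HttpWebRequest;
        Console.WriteLine("Validating certificate for {0}",
            request != null ? request.RequestUri.ToString() : "(unknown sender)");

        if (certificate != null)
        {
            Console.WriteLine("  Subject: {0}", certificate.Subject);
            Console.WriteLine("  Issuer:  {0}", certificate.Issuer);
        }
        Console.WriteLine("  Policy errors: {0}", sslPolicyErrors);

        // Chain status explains the "why" behind RemoteCertificateChainErrors.
        if (chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  Chain status: {0} ({1})",
                    status.Status, status.StatusInformation.Trim());
        }

        // Same decision the runtime makes without a callback: only a clean
        // validation result is accepted. Returning true here unconditionally
        // would silently accept untrusted, expired or mismatched certificates.
        return sslPolicyErrors == SslPolicyErrors.None;
    }
}
```

Run this against the affected endpoint on a good build and a bad build of Mono: on a good build the callback prints `Policy errors: None` and the download succeeds; on a build that exhibits this bug the logged policy errors and chain status, together with the inner-exception chain, give the support ticket the detail a `return true` override would have hidden.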
Comment 8 bill 2016-09-27 15:03:25 UTC
I should mention that I have two separate Android projects, which use common (but not shared) code for talking to the exact same host end point (which uses a port in the 8000 range as well).

One works fine.  The other sees this error.

I am looking for differences between the apps, but haven't had any luck yet.

-Bill
Comment 9 NMackay 2016-09-27 17:02:25 UTC
In our case the apps are all Xamarin Forms PCL apps.

One app hits a different WebAPI to the other two apps which consume a WCF Restful endpoint but in all case they use the same (purchased) certificate, not self signed.

All 3 apps have the same issue.

-Norman.
Comment 10 NMackay 2016-09-30 12:33:45 UTC
Any update on this? This is critical for us!
Comment 11 Miguel de Icaza 2016-10-01 17:17:47 UTC
We are looking into this, we agree this is critical.
Comment 16 Miguel de Icaza 2016-10-02 00:25:17 UTC
I have applied the fixes to:

* Mono on mono-4.6.0-branch 
* xamarin-macios on cycle8 and master branches.

We still need to bump the mono dependency on xamarin-android and xamarin-macios to pull the new version of Mono.
Comment 17 Nathan Stryker 2016-10-03 19:29:49 UTC
Hi Miguel -

I have switched to the Beta channel, and I am still having this issue. Is the Beta channel supposed to be fixed?
Comment 18 Brendan Zagaeski (Xamarin Support) 2016-10-03 20:21:44 UTC
The patches are not yet published on an updater channel for any product.  The patches have been applied to the Mono development branches as of 2016-10-01.  The last Beta channel release was 2016-09-30 [1].

[1] (Information current as of today 2016-10-03 as per http://releases.xamarin.com/)
Comment 19 NMackay 2016-10-04 09:46:16 UTC
Great it's fixed, but it would be nice if there was an emergency Mono patch for customers affected by this (like the 4.2.0.698 VS build to fix the Android project incompatibility, which was also caused by Test Recorder). We've had to stall Android and iOS dev, which only leaves UWP, but we're not releasing any Forms UWP apps till some issues are fixed and the performance improves a bit.
Comment 21 Brendan Zagaeski (Xamarin Support) 2016-10-04 17:24:30 UTC
## Non-engineering-team reply

Creation of patched builds for direct availability in this bug report or publication to an updater channel are planned.  Work is underway, but I don't have precise details on the timelines yet.  My rough guess based just on the fact that a candidate patch now exists in the Mono development source code is that builds might be available before the end of the week.
Comment 22 NMackay 2016-10-04 17:30:30 UTC
Thanks for the update Brendan, it's appreciated.
Comment 23 NMackay 2016-10-05 09:40:27 UTC
Tested the latest patch today with iOS and Android and HTTPS all working again.

Thanks to everyone for getting this patch out so quickly.
Comment 24 Tiffany 2016-10-05 13:12:44 UTC
Updated and Tested on my sample project that I used to send to the support team and all is passing green! Thanks to everyone who worked on this and made this fix possible!
Comment 25 Brendan Zagaeski (Xamarin Support) 2016-10-20 03:00:01 UTC
## Bookkeeping

Adjusting target milestone for precise bookkeeping.  This patch was included in the updated builds for Cycle 8 SR 0 [1] and was verified by both QA and users (as in Comment 23 and Comment 24) in those versions.

[1] https://releases.xamarin.com/stable-release-cycle-8-service-release-0/
Comment 26 Lannes-Lacrouts Guillaume 2016-10-21 09:34:10 UTC
Hello,

I have the same error on Duplicati (https://bugzilla.xamarin.com/show_bug.cgi?id=44615). When will this release be updated?
Comment 27 Oleg Demchenko 2016-10-21 16:10:49 UTC
Hello Lannes-Lacrouts Guillaume, this fix should be in current Beta builds.
Comment 28 Brendan Zagaeski (Xamarin Support) 2016-10-21 17:21:25 UTC
Please note that this bug is about connection on ports other than port 443.  Bug 44615 specifies that the port in use is port 443.  Additionally, please note that the error in Bug 44615 does _not_ include the error message "Invalid certificate received from server", which is one of the key identifying features of this bug (Bug 44708).  "The authentication or decryption has failed" is a more general error message that has other causes.

Comment 26 and Comment 27 are therefore off-topic for this bug report.
Comment 29 Stefan Schoeb 2016-11-12 21:57:21 UTC Comment hidden (obsolete)
Comment 30 Brendan Zagaeski (Xamarin Support) 2016-11-12 23:38:53 UTC
Like Comment 26, Comment 29 matches Bug 26658 which is about compatibility with particular TLS 1.2 features.  It does not match this Bug 44708, which is about accessing TLS sites over ports other than 443.
