Created attachment 25068 [details]
Test project showing the problem + root certificate to be installed
Since iOS 11, when I do a call using HttpClientHandler for a site which has a local root certificate installed, it fails verifying the chain. Using NSUrlSessionHandler, all is fine.
var netResultMessage = await (new HttpClient(new HttpClientHandler())).GetAsync("https://www.op-bezoek.nl/favicon.ico");
var nativeResultMessage = await (new HttpClient(new NSUrlSessionHandler())).GetAsync("https://www.op-bezoek.nl/favicon.ico");
an TrustFailure exception on the first line.
both calls succeed.
- iOS 11 (earlier versions work fine, device only)
- the Comodo root certificate (that is part of the certificate chain of the website) is manually installed (airdrop it to the iPhone and install it).
Some additional info:
- I need to use the Managed stack because I have some SOAP calls in my application.
- This is a simplified example for a managed device.
- I have a modified client handler (partially based on ModernHttpClient) that does not have this problem. So it seems to have to do with the way the HttpClientHandler connects to the SSL session native component.
- The installed certificate interferes only with the server for which the chain is based on that root certificate.
Visual Studio Enterprise 2017 for Mac
Version 7.1.5 (build 2)
Installation UUID: xxxxxxxxxxxxxxx
Mono 220.127.116.11 (d15-3/14f2c81) (64-bit)
GTK+ 2.24.23 (Raleigh theme)
Package version: 502000224
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/5.2.0/lib/mono/msbuild/15.0/bin/Sdks
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler
Apple Developer Tools
Xcode 9.0 (13247)
Version: 18.104.22.168 (Visual Studio Enterprise)
Version: 22.214.171.124 (Visual Studio Enterprise)
Build date: 2017-09-15 02:25:56-0400
Version: 126.96.36.199 (Visual Studio Enterprise)
Android SDK: /Users/hlogmans/Library/Developer/Xamarin/android-sdk-macosx
Supported Android versions:
4.4 (API level 19)
5.0 (API level 21)
6.0 (API level 23)
7.0 (API level 24)
7.1 (API level 25)
SDK Tools Version: 26.0.2
SDK Platform Tools Version: 25.0.6
SDK Build Tools Version: 25.0.1
Java SDK: /usr
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)
Android Designer EPL code available here:
Build date: Thu, 21 Sep 2017 19:52:53 GMT
Client compatibility: 1
Release ID: 701050002
Git revision: 7afedcaef8e7542e70e3cf8f9bdb26938b8c0876
Build date: 2017-09-15 08:39:58-04
Xamarin addins: 3262aadf811a18c12eac6742532d052b0139a808
Build lane: monodevelop-lion-d15-3-xcode9
Mac OS X 10.12.6
Darwin 16.7.0 Darwin Kernel Version 16.7.0
Thu Jun 15 17:36:27 PDT 2017
Enabled user installed addins
Redth's Addins 1.0.9
I can confirm I could reproduce this bug on an iOS 11 device (works fine on iOS 10) with the following environment: https://gist.github.com/VincentDondain/ca29ae37b4192a126fb510e4f907c837 (also tried with XI 10.12.3.3 and it failed too.
To repro you indeed need to install the Comodo root certificate (airdrop it to the iPhone and install it).
On iOS 11 I'm getting this output on screen:
Managed: Error: TrustFailure (CertificateUnknown)
Both bugs are using the same `Comodo` certificate and it's been noted that it works on iOS 10 but not iOS 11 too (https://bugzilla.xamarin.com/show_bug.cgi?id=58411#c5).
*** This bug has been marked as a duplicate of bug 58411 ***
Installed comodo certificate in iPhone with iOS 11 and reproduced the issue with XI 188.8.131.52 (d15-4 beta build).
Verified fix with XI 184.108.40.206. I am not getting any trust failure (certificate unknown) error on the same environment with fix.
## Test Env:
XI 220.127.116.11 (Success)
XI 18.104.22.168 (Failed)