Bug 59914 - Installed Root certificate breaks HttpClientHandler SSL in iOS 11
Status: VERIFIED DUPLICATE of bug 58411
Alias: None
Product: iOS
Classification: Xamarin
Component: BCL Class Libraries
Version: XI 11.0 (xcode9)
Hardware: Macintosh Mac OS
: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
Reported: 2017-10-03 13:01 UTC by Hugo Logmans
Modified: 2017-10-05 20:37 UTC

Tags: X509Certificate TrustFailure Root Certificate
Is this bug a regression?: ---


Attachments
Test project showing the problem + root certificate to be installed (18.58 KB, application/zip)
2017-10-03 13:01 UTC, Hugo Logmans

Description Hugo Logmans 2017-10-03 13:01:14 UTC
Created attachment 25068
Test project showing the problem + root certificate to be installed

Since iOS 11, when I do a call using HttpClientHandler for a site which has a local root certificate installed, it fails verifying the chain. Using NSUrlSessionHandler, all is fine.

Example code:
    var netResultMessage = await (new HttpClient(new HttpClientHandler())).GetAsync("https://www.op-bezoek.nl/favicon.ico");
    var nativeResultMessage = await (new HttpClient(new NSUrlSessionHandler())).GetAsync("https://www.op-bezoek.nl/favicon.ico");

Result:
    a TrustFailure exception on the first line.

Expected:
    both calls succeed.

Context:
- iOS 11 (earlier versions work fine, device only)
- the Comodo root certificate (that is part of the certificate chain of the website) is manually installed (airdrop it to the iPhone and install it).

Some additional info:
- I need to use the Managed stack because I have some SOAP calls in my application.
- This is a simplified example for a managed device.
- I have a modified client handler (partially based on ModernHttpClient) that does not have this problem. So it seems to have to do with the way the HttpClientHandler connects to the SSL session native component.
- The installed certificate interferes only with the server for which the chain is based on that root certificate.


Version info:
Visual Studio Enterprise 2017 for Mac
Version 7.1.5 (build 2)
Installation UUID: xxxxxxxxxxxxxxx
Runtime:
	Mono 5.2.0.224 (d15-3/14f2c81) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 502000224

NuGet
Version: 4.3.0.2418

.NET Core
Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
	1.1.1
	1.1.0
	1.0.4
SDK: /usr/local/share/dotnet/sdk/1.0.3/Sdks
SDK Versions:
	1.0.3
	1.0.0-preview2-1-003177
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/5.2.0/lib/mono/msbuild/15.0/bin/Sdks

Xamarin.Profiler
Version: 1.5.5
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

Apple Developer Tools
Xcode 9.0 (13247)
Build 9A235

Xamarin.Mac
Version: 3.6.3.3 (Visual Studio Enterprise)

Xamarin.iOS
Version: 11.0.0.0 (Visual Studio Enterprise)
Hash: 152b654a
Branch: xcode9
Build date: 2017-09-15 02:25:56-0400

Xamarin.Android
Version: 7.4.5.1 (Visual Studio Enterprise)
Android SDK: /Users/hlogmans/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		4.4 (API level 19)
		5.0 (API level 21)
		6.0 (API level 23)
		7.0 (API level 24)
		7.1 (API level 25)

SDK Tools Version: 26.0.2
SDK Platform Tools Version: 25.0.6
SDK Build Tools Version: 25.0.1

Java SDK: /usr
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Xamarin Inspector
Version: 1.3.1
Hash: cbc48dd
Branch: 1.3-release
Build date: Thu, 21 Sep 2017 19:52:53 GMT
Client compatibility: 1

Build Information
Release ID: 701050002
Git revision: 7afedcaef8e7542e70e3cf8f9bdb26938b8c0876
Build date: 2017-09-15 08:39:58-04
Xamarin addins: 3262aadf811a18c12eac6742532d052b0139a808
Build lane: monodevelop-lion-d15-3-xcode9

Operating System
Mac OS X 10.12.6
Darwin 16.7.0 Darwin Kernel Version 16.7.0
    Thu Jun 15 17:36:27 PDT 2017
    root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64

Enabled user installed addins
Redth's Addins 1.0.9
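
A diagnostic for the failure described in this report, added here as an example (it is not part of the original report or the attached test project). It runs the same request through both handlers and logs the chain the managed stack built, assuming the managed `HttpClientHandler` honours `ServicePointManager.ServerCertificateValidationCallback`; `TrustDiagnostics`, `LogAndKeepVerdict`, `Probe` and `RunAsync` are hypothetical names.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class TrustDiagnostics
{
    // Logs what the managed TLS stack saw, then returns the stack's own
    // verdict unchanged, so the logging never weakens validation.
    static bool LogAndKeepVerdict(object sender, X509Certificate cert,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine($"SslPolicyErrors: {errors}");
        if (chain != null)
        {
            foreach (X509ChainElement e in chain.ChainElements)
                Console.WriteLine($"  {e.Certificate.Subject} <- {e.Certificate.Issuer}");
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine($"  status: {s.Status} {s.StatusInformation}");
        }
        return errors == SslPolicyErrors.None;
    }

    // Issues one GET through the given handler and reports status or failure.
    static async Task<string> Probe(HttpMessageHandler handler, string url)
    {
        try
        {
            using (var client = new HttpClient(handler))
            using (var response = await client.GetAsync(url))
                return ((int)response.StatusCode).ToString();
        }
        catch (Exception ex)
        {
            // Unwrap to the innermost exception, e.g. the TLS trust failure.
            return "Error: " + ex.GetBaseException().Message;
        }
    }

    public static async Task RunAsync(string url)
    {
        ServicePointManager.ServerCertificateValidationCallback = LogAndKeepVerdict;
        try
        {
            Console.WriteLine("Managed: " + await Probe(new HttpClientHandler(), url));
            Console.WriteLine("Native:  " + await Probe(new NSUrlSessionHandler(), url));
        }
        finally
        {
            // Remove the process-wide hook once the comparison is done.
            ServicePointManager.ServerCertificateValidationCallback = null;
        }
    }
}
```

The callback returns `true` only when the stack reported no policy errors, so it can stay in a debug build without turning a trust failure into an accepted connection.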

Comment 1 Vincent Dondain [MSFT] 2017-10-03 18:32:13 UTC
Hi,

I can confirm I could reproduce this bug on an iOS 11 device (works fine on iOS 10) with the following environment: https://gist.github.com/VincentDondain/ca29ae37b4192a126fb510e4f907c837 (also tried with XI 10.12.3.3 and it failed too).

To repro you indeed need to install the Comodo root certificate (airdrop it to the iPhone and install it).

On iOS 11 I'm getting this output on screen:

```
Natrive: True
Managed: Error: TrustFailure (CertificateUnknown)
```

Comment 2 Vincent Dondain [MSFT] 2017-10-03 18:34:34 UTC
Both bugs are using the same `Comodo` certificate and it's been noted that it works on iOS 10 but not iOS 11 too (https://bugzilla.xamarin.com/show_bug.cgi?id=58411#c5).

*** This bug has been marked as a duplicate of bug 58411 ***

Comment 3 GouriKumari 2017-10-05 20:34:46 UTC
Installed the Comodo certificate on an iPhone with iOS 11 and reproduced the issue with XI 11.2.0.8 (d15-4 beta build).

Verified fix with XI 11.2.0.10. I am not getting any trust failure (certificate unknown) error on the same environment with the fix.

## Logs:
Build log: 
https://gist.github.com/GouriKumari/15d0780b21ffcd7c0d89e011f6553ee9
https://gist.github.com/GouriKumari/5e6ea31b30fdb9d214e1f6d637fd7b99

## Test Env:
XI 11.2.0.10 (Success)
XI 11.2.0.8 (Failed)
