Bug 8788 - Unsupported hash for SSL certificate
Summary: Unsupported hash for SSL certificate
Alias: None
Product: Class Libraries
Classification: Mono
Component: System (show other bugs)
Version: unspecified
Hardware: PC Mac OS
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
Depends on:
Reported: 2012-12-05 19:12 UTC by Jérémie Laval
Modified: 2018-03-13 11:07 UTC (History)
4 users (show)

Is this bug a regression?: ---
Last known good build:

It fixes the problem described in the case (1.24 KB, patch)
2013-10-30 08:30 UTC, Roman Procopie

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.

Please create a new report on GitHub or Developer Community with your current version information, steps to reproduce, and relevant error messages or log files if you are hitting an issue that looks similar to this resolved bug and you do not yet see a matching new report.

Related Links:

Description Jérémie Laval 2012-12-05 19:12:01 UTC
ERROR building certificate chain: System.ArgumentException: certificate ---> System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.113549.1.1.11
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0 
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0 
  at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0 
Please, report this problem to the Mono team

Certificate is the one used on https://neteril.org
Comment 1 Sebastien Pouliot 2012-12-06 08:17:43 UTC
1.2.840.113549.1.1.11 is SHA-256 with RSA Encryption and that's been supported for a while (longer in master than 2.10).

Exactly which version or Mono and OS was used ?

Also OSX (stated above) does not use this (by default) code path (but there were some buggy versions of Mono that did for a while).

$ mono --version
Mono JIT compiler version 2.10.10 (mono-2-10/4d9ada6 Wed Nov 28 22:38:28 EST 2012)
Copyright (C) 2002-2012 Novell, Inc, Xamarin, Inc and Contributors. www.mono-project.com
	TLS:           normal
	SIGSEGV:       normal
	Notification:  kqueue
	Architecture:  x86
	Disabled:      none
	Misc:          softdebug 
	LLVM:          yes(2.9svn-mono)
	GC:            Included Boehm (with typed GC)
$ cat wc.cs
using System;
using System.Net;

class Test {
	public static void Main (string[] args)
		foreach (string s in args) {
			Read (s);

	static void Read (string url)
		WebClient wc = new WebClient ();
		Console.WriteLine (wc.DownloadString (url)); 
}$ mcs wc.cs
$ mono wc.exe https://neteril.org
<!DOCTYPE html>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<link href='http://fonts.googleapis.com/css?family=Sanchez' rel='stylesheet' type='text/css'>
	<link href="/css/bootstrap.css" rel="stylesheet" media="screen">
	<link href="/css/custom.css" rel="stylesheet" media="screen">
	<div class="container">
	  <h1 class="title">Neteril</h1>
	  <div class="menu">
		  <li><a href="/work">Work</a></li>
		  <li><a href="/stuff">Stuff</a></li>
		  <li><a href="/blog">Blog</a></li>
	  <div class="content">
		<p class="lead">Welcome traveler,</p>

		<p>My name is <span itemprop="name">Jérémie Laval</span> (aka <span itemprop="nickname">garuma</span> on the interweb). I'm a 20-something French and hacker at <a href="http://www.xamarin.com"><span itemprop="affiliation">Xamarin</span></a> where I help shape the future of mobile development. Previously a <a href="http://www.utbm.fr"><span itemprop="affiliation">UTBM</span></a> student too.</p>
		<p>In my spare time, I'm a free and open-source <span itemprop="title">software developer</span> and enthusiast. I use and abuse of the <a href="http://en.wikipedia.org/wiki/CSharp">C#</a> programming language and <a href="http://www.mono-project.com/">Mono</a> platform.</p>

		<p>I'm also a penguin user and supporter, mainly gliding with <a href="http://www.archlinux.org/">Arch Linux</a>.</p>
	  <div class="bottom-line">
		  <li><a href="https://twitter.com/jeremie_laval"><img src="/img/twitter.png"></a></li>
		  <li><a href="http://www.linkedin.com/in/jeremielaval"><img src="/img/in.png"></a></li>
		  <li><a href="https://github.com/garuma"><img src="/img/github.png"></a></li>

Comment 2 Jérémie Laval 2012-12-06 09:24:48 UTC
My bad,this is a recent MfA with some flavor of 2.10
Comment 3 Jonathan Pryor 2012-12-06 11:04:25 UTC
@Jérémie I suspect this is a dupe of Bug #7771, though that's with OID 1.2.840.113549.1.1.2, not 1.2.840.113549.1.1.11...
Comment 4 Roman Procopie 2013-10-30 08:30:35 UTC
Created attachment 5275 [details]
It fixes the problem described in the case

I have been experiencing the same on Mono 2.10.9 built from source on Linux

The patch attached fixes it. Basically I have added SHA256 as a valid hash algorithm. Not sure if the patch is complete, so far my program did not fail

To use the patch

- cd into the directory with mono source
- patch mcs/class/Mono.Security/Mono.Security.X509/X509Certificate.cs /path/to/mono_sha256_rsa_ssl_patch
- build mono as usual : configure --options.... ; make ; make install
Comment 5 Jonathan Pryor 2013-10-30 15:17:22 UTC
@Roman: That patch shouldn't be needed with XA 4.8.0 and later, as X509Certificate.cs already checks for 1.2.840.113549.1.1.11:

Comment 6 Roman Procopie 2013-10-31 03:36:20 UTC
Thanks, I thought it might be out of date with newer versions of Mono. However, in my case I cannot upgrade to the latest version of Mono due to other problems and people like me might appreciate it.

I can also see that my patch is incomplete, so for those that get to use it (on Mono 2.X), feel free to also add similarly.

1.2.840.113549.1.1.12 - SHA384 with RSA
1.2.840.113549.1.1.13 - SHA512 with RSA
Comment 7 Marek Safar 2018-03-13 11:07:26 UTC
We have not received the requested information. If you are still experiencing this issue please provide all the requested information and reopen the bug report.

Thank you!