TlsException on Mono

on Friday, August 15, 2014

For reference, if you’re using Mono and trying to use HttpWebRequest and friends to make a connection with a client certificate and you get an exception, it’s because you don’t have any trusted root certificates in the Mono certificate store (even if you are bypassing server certificate validation using the old trick of having a Validation handler returning true). You can fix this by doing

sudo mozroots --import --machine --sync

This will download synchronize the trusted root certificates from the Mozilla LXR web site into Mono’s machine trust store in an automated way. man mozroots for other options.

Exception that you’re likely to get if you don’t have a machine trust store:

Unhandled Exception:
System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a

at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.RemoteValidation (Mono.Security.Protocol.Tls.ClientContext context, AlertDescription description) [0x00000] in <filename unknown>:0 
at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] in <filename unknown>:0 
at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] in <filename unknown>:0 
at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsSsl3 () [0x00000] in <filename unknown>:0 
at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in <filename unknown>:0 
at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename unknown>:0 
at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
--- End of inner exception stack trace ---

at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
--- End of inner exception stack trace ---

at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0 
at EntryPoint.Main () [0x00000] in <filename unknown>:0 


directhex said...

I can't help but feel this is directed at me.

andreia|gaita said...

@directhex It's just one of those reminders-to-self that I occasionally post when I keep googling about stuff and always getting questions and never answers.

But I bet you can guess where this came from, so if the shoe fits... 8-)