-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mutual Authentication: Certificate chain removed when connecting to server in MAUI app but not Xamarin Forms #100602
Comments
I'm a bit confused, where is the chains missing? Also if you're on .NET 7/8, why are you using |
The missing chains is at the server. Server receives only chain[0]. All the other certificates in the chain are not provided. Using Xamarin Forms app with httpClient or HttpWebRequest both send the full chain of certificate to the server |
Can you provide us with a repro code? Preferably for both sides? Also if you have a working code, could you share that as well?
You can use |
Hi, Client code snippet:
At the server, we get the same result in ssl handshake function as above regarding certificate chain received from client: BTW, this is a mutual authentication SSL handshake using private CA Does it help understand the issue? Regards |
So the problem is in provided server certificate chain do the validation callback and that it differs based on what platform you compile for? And you claim this difference is between Xamarin Forms and MAUI? Isn't Xamarin foundation of MAUI? @simonrozsival do you know of any difference there? |
The problem is to provide certificate chain from the client to the server. |
@NexusMobile can you please try setting |
false already in csproj file to fix httpClientHandler.ClientCertificates being null without it. |
While building project using Xamarin Forms it works fine without |
I see. I originally misread the issue and I thought the problem is with sending the client certificate to the server. The problem actually is that the server's certificate chain doesn't seem to be passed to the
Xamarin.Forms and MAUI have different implementation of the networking layer. Xamarin.Forms uses BoringSSL or OpenSSL and MAUI/.NET 8 on Android uses Android's platform APIs. |
Unless mistaken this is my understanding too. |
@NexusMobile is the server's certificate self-signed? if it is, this would be a duplicate of #84202 The relevant part from the previous discussion:
|
@simonrozsival, Client and server certificates are self-signed by the same CA. For us the certification is valid. |
Hi, |
I think there is still some confusion in this thread. In the client code in the If I understand your situation correctly, you should include your CA's public key (and possibly also the public keys of the intermediate certifcates) in the client app using |
My mistake. You are absolutely right. I've tried Thanks |
I've replaced the self-signed Certificate the server sends to the client with a public certificate and I get the same empty chain. Is it possible to have access to the source code? |
That seems like bug and it is different from the issue I shared previously. I need to be able to replicate the issue so I can diagnose it. Can you create a minimal repro in a new MAUI project and share that as a public github repo? Ideally make requests to a public website, such as https://microsoft.com or https://badssl.com (there are multiple subdomains for example with a self-signed certificate). |
I will look into this. Also from our original post, the client's certificate sent to the server has his chain removed. The certificate's chain count should be 4 in our case but it returns 0. Thanks |
Thanks!
I think that is the most relevant one for your use case. The https://client.badssl.com/ should also be relevant for the other half of the problem you describe. |
The CACertificate problem is extensive and has appeared since 17.8 and it concerns the certificates. |
` var bind = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
` |
Hi, Any progress/update about this issue? Thanks |
I thought this is where the
yes, it excludes the system CAs |
The "Trust" was primarily added to support #45456. It is also used later for validation in SslStream but it is not currently used for constructing the chain itself e.g. the logic assumes that any additional "useful" certificates will be in the "intermediates" collection (as it pre-dates the Trust object) I would not object to use the trust in chain construction in way similar to runtime/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs Lines 1076 to 1087 in 88a9f21
So far that was not needed by anybody. That would leave Android as special case but at least there would be path forward for users to make it work. It would make the use more complicated e.g. if you have certificate that is already trusted by the platform you should leave it empty and if you do have something that is not trusted you would need to construct the extra object. We could take extra steps to try to hide some of the platform differences to make it more consistent and easier for Android users. I can take first stab at it @simonrozsival but I don't have any good way at the moment how to test on Android. |
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
This issue has been automatically marked |
Are you close to fix this issue? |
@NexusMobile yes, with the #103372 fix for |
I don't think it is too risky. But we would need strong justification for servicing. |
Unless mistaken, all Visual studio 2022 Android developer will not be able to use .Net 8 Mutual Authentication if it is not retrofited. This is why we raised this issue. |
Has a decision been made to backport to .Net 8? |
I opened a backport but it's not yet clear if it will be approved or not: #104541 |
Thanks. |
…CertificateContext (#104541) Backport of #103372 and #104016 to release/8.0-staging ## Customer Impact - [X] Customer reported (#100602) - [ ] Found internally Customers developing Android apps are currently unable to use mutual TLS authentication in certain cases as the `SslStreamCertificateContext.Create(...)` method will fail to build an X509Chain instance if the certificate isn't trusted by the OS due to the limitations of the Android platform. ## Regression - [ ] Yes - [X] No ## Testing Unit tests and manual testing on Android emulator. ## Risk Low. The change is mostly limited to Android where this API doesn't currently work in many cases. --------- Co-authored-by: Tomas Weinfurt <[email protected]> Co-authored-by: Vitek Karas <[email protected]>
Backported to 8.0 via #104541. Closing as fixed. |
When can we expect a new release with the bug fixes available? |
@NexusMobile should be out mid-August... if everything works as planned. |
Thanks |
The source code for the fixes is all open source: https://github.com/dotnet/runtime/pull/104541/files |
since it is merged you can simply build the staging branch @NexusMobile. And there will be binary bits published as well if you want them. Since the cutoff for merges was today I expect new 8.0 daily build in next few days. |
Thanks All, :-) |
MAUI apps package the runtime into the app - so you will have to rebuild your app with a new SDK. I don't think SDK updates via Windows Update, it may update via VS, but if you want to be sure, download it from https://dot.net . |
Super. Thanks again. |
This issue has been moved from a ticket on Developer Community.
Hi,
When connecting to the server but running the code using Xamarin Forms, the server received the full certificate chain.
Using MAUI .Net 7 or 8.0, only the client certificate is sent to the server. Certificate chain is empty.
Same certificate and server are used.
In HttpWebRequest ServerCertificateValidationCallback, chain.ChainElements is empty.
Certificate received by the server is valid.
Does anyone knows how to fix this?
Here's a snippet on the client:
Original Comments
Feedback Bot on 2/12/2024, 05:46 PM:
(private comment, text removed)
Original Solutions
(no solutions)
The text was updated successfully, but these errors were encountered: