Reputation: 93
Just out of the blue, my app started getting this error when making calls to a REST API via https. I was working on a mod that added an Intent to handle opening files of a certain file extension but I doubt that that was the cause.
Instead, the problem is similar to this one: Invalid certificate received from server
My cert is also by Comodo and has been installed since April of this year. The solution of disabling the COMODO RSA Certification Authority did not work.
The server is a VPS, and the host underwent a hardware upgrade around the time this error started to appear, but I'm also not sure that that would be the reason, since the browser shows SSL as fine and the iOS version of the app is also working fine.
The code in the app that makes the call to the server is in a utility class and I did not change that code at all. The minor change that I did was to add an intent which I then removed and the error is still there.
Here are the error messages including the inner exceptions and the stack trace:
System.Net.WebExceptionStatus.TrustFailure
ex.InnerException.Message - The authentication or decryption has failed.
ex.InnerException.InnerException.InnerException.Message - Invalid certificate received from server. Error code: 0xffffffff800b010b
ex.InnerException.InnerException.StackTrace
at Mono.Security.Protocol.Tls.RecordProtocol.EndReceiveRecord (System.IAsyncResult asyncResult) [0x0003a] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:430
at Mono.Security.Protocol.Tls.SslClientStream.SafeEndReceiveRecord (System.IAsyncResult ar, System.Boolean ignoreEmpty) [0x00000] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:256
at Mono.Security.Protocol.Tls.SslClientStream.NegotiateAsyncWorker (System.IAsyncResult result) [0x00071] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:418
ex.InnerException.StackTrace
at Mono.Security.Protocol.Tls.SslStreamBase.EndRead (System.IAsyncResult asyncResult) [0x00051] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:883
at Mono.Net.Security.Private.LegacySslStream.EndAuthenticateAsClient (System.IAsyncResult asyncResult) [0x00011] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/System/Mono.Net.Security/LegacySslStream.cs:475
at Mono.Net.Security.Private.LegacySslStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x00000] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/System/Mono.Net.Security/LegacySslStream.cs:445
at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0004e] in /Users/builder/data/lanes/3511/501e63ce/source/mono/mcs/class/System/Mono.Net.Security/MonoTlsStream.cs:106
I'm using the standard port 443. I checked the bindings and there are no issues; it says that the cert is 'ok' when I view the certification path status.
I am getting the error when using an actual device, not an emulator.
Any help is appreciated.
***** update
I called Comodo's support and found out the issue is with Android's certificate store not being up to date and using the old legacy SHA. So certification path 2 was coming back to the client with an 'Extra Download' status. There supposedly is a cert named 'COMODO RSA Certification Authority' in my server expiring in 2036 that interferes with the 'COMODO RSA Certification Authority' intermediate certificate expiring in 2020. Here are the details of that cert:
[Root] Comodo RSA Certification Authority (SHA-2)
Serial Number: 4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Validity (Expires) : Jan 18 23:59:59 2038 GMT
However, I couldn't find it in either Local Computer or Current User. Since this is a VPS/virtual machine, the problem may be that the host machine is adding this in the virtual network communication/response back to the client. The problem now is that the hosting company doesn't want to disable the cert in the host machine.
Upvotes: 2
Views: 6663
Reputation: 93
I got it working. As I mentioned in my update above, the issue is with Android's certificate store not being up to date and using the old legacy SHA. So certification path 2 was coming back to the client with an 'Extra Download' status. There is a cert named 'COMODO RSA Certification Authority' expiring in 2036 that interferes with the 'COMODO RSA Certification Authority' intermediate certificate expiring in 2020. I had already deleted it, which is why I couldn't find it anymore.
The fix is to find and disable or delete this cert, replace it with new certs downloaded from Comodo's website, and reboot the machine.
Here are the details of the cert to disable/delete:
[Root] Comodo RSA Certification Authority (SHA-2)
Serial Number: 4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
Validity (Expires) : Jan 18 23:59:59 2038 GMT
The new certs are:
comodorsadomainvalidationsecureserverca.crt
comodorsaaddtrustca.crt
addtrustexternalcaroot.crt
I can't find the page where I downloaded all three from; the Comodo tech support rep helped me navigate to this page.
To disable the cert, go into Certification Manager from the MMC, right click to open, click on the Details tab, click on the Edit Properties button and in the Certificate Purposes area, choose the 'Disable for all purposes' radio option.
Import the new certs and reboot.
And instead of using SSLChecker, I recommend SSL Server Test by Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html) as it's more accurate & detailed.
Upvotes: 2
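The failure described in the question and the fix in the answer both come down to path building: whether the client can link the chain the server sends to a root it already trusts. The following is an added example, not code from the question or answer, that models this with simplified certificate records (subject, issuer, expiry; name matching only, no signatures). The certificate names follow the files named on the page, the 2020 and 2038 expiry years follow the page, and every other value (the leaf name, the other dates, the two trust stores) is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


def build_path(leaf, sent, store, today):
    """Return the subjects from leaf to a trust anchor, or None if no path exists.

    Only the certificates the server sent plus the client's own store are
    consulted; nothing missing is fetched (no 'Extra Download'), which is the
    simplified behaviour this example assumes for the out-of-date Android client.
    """
    def walk(path):
        cur = path[-1]
        if cur.not_after < today:
            return None
        for anchor in store:  # issuer is a trusted root: path complete
            if anchor.subject == cur.issuer and anchor.not_after >= today:
                return path + [anchor]
        for cand in sent:  # otherwise chase the issuer through the sent chain
            # a self-signed cert the server sent is only useful if it is in the store,
            # which the branch above already covers, so it is skipped here
            if cand.subject == cur.issuer and cand not in path and cand.subject != cand.issuer:
                found = walk(path + [cand])
                if found:
                    return found
        return None

    found = walk([leaf])
    return [c.subject for c in found] if found else None


# Constructed sample chain (see the lead-in for which values come from the page).
LEAF = Cert("www.example.test", "COMODO RSA Domain Validation Secure Server CA", date(2017, 4, 1))
DV_CA = Cert("COMODO RSA Domain Validation Secure Server CA", "COMODO RSA Certification Authority", date(2029, 1, 1))
ROOT_2038 = Cert("COMODO RSA Certification Authority", "COMODO RSA Certification Authority", date(2038, 1, 18))
CROSS_2020 = Cert("COMODO RSA Certification Authority", "AddTrust External CA Root", date(2020, 12, 31))
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 12, 31))
TODAY = date(2016, 10, 1)

OLD_ANDROID_STORE = [ADDTRUST]             # out-of-date store: knows only the AddTrust root
CURRENT_STORE = [ADDTRUST, ROOT_2038]      # updated store: also knows the newer COMODO root

if __name__ == "__main__":
    print("self-signed root sent, old store :", build_path(LEAF, [LEAF, DV_CA, ROOT_2038], OLD_ANDROID_STORE, TODAY))
    print("cross-signed CA sent, old store  :", build_path(LEAF, [LEAF, DV_CA, CROSS_2020], OLD_ANDROID_STORE, TODAY))
    print("self-signed root sent, new store :", build_path(LEAF, [LEAF, DV_CA, ROOT_2038], CURRENT_STORE, TODAY))
```

The first call reproduces the post's situation (the server hands out the 2038 self-signed root, the old client has no path to it), the second shows why installing the cross-signed comodorsaaddtrustca.crt on the server fixes it, and the third shows why an up-to-date client, like the browser in the question, never saw a problem.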