dotnet / android

.NET for Android provides open-source bindings of the Android SDK for use with .NET managed languages such as C#
MIT License

Cannot trust CertificationAuthority for TLS 1.2 ClientWebSocket Connection #2176

Closed StevenBonePgh closed 5 months ago

StevenBonePgh commented 6 years ago

No functioning mechanism exists to connect to a websocket using wss: and TLS 1.2 when the server is using an otherwise valid certificate issued by a Certification Authority that is not trusted by the Android Device (OS Level).

Steps to Reproduce

  1. The documented way to trust a Certification Authority in Android has no effect under Xamarin.Android. Apply the android:networkSecurityConfig="@xml/network_security_config" attribute to the application element in the AndroidManifest.xml file, including the resources Resources\raw\sample_ca.pem and Resources\xml\network_security_config.xml:

    <?xml version="1.0" encoding="utf-8" ?>

This had no visible effect, and I cannot see anything in the debug output that would indicate that the runtime is even loading this. I have seen references to messages like this:

D/NetworkSecurityConfig: No Network Security Config specified, using platform default

However, with or without this in place I have never seen messages like this or similar. I really have no idea if it is being applied or not, or if btls implementation even uses/respects this.

Interestingly, since the Android minSdk is set to 24 and target sdk of 27 I would expect the lack of this declaration should cause TLS 1.2 to not work if I simply added the CA to the android device user certificate store. I suspect there are a few Xamarin bugs surrounding this.

  2. Adding the CA Certificate to the X509 Store has no effect, either.

Add the CA to the X509 Store, hoping btls uses that as a source of certificates. This approach works on Windows/.NET 4 (it does bring up a dialog to accept the addition of the certificate).

        // cert is the CA certificate loaded earlier (the loading code is not shown here).
        X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        // Only add the CA if it is not already present in the store.
        var certs = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
        if (certs.Count == 0)
            store.Add(cert);
        store.Close();
  3. ServicePointManager.ServerCertificateValidationCallback does not get called.

This never gets called in Xamarin Android, but this approach works on Windows/.NET 4.

        // caCert is the homemade CA certificate loaded earlier (not shown here).
        ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, errors) =>
        {
            // Platform validation already succeeded: nothing to do.
            if (errors == SslPolicyErrors.None)
                return true;
            //BUGBUG: Obviously there should be a much more extensive check here.
            if (certificate.Issuer == caCert.Issuer)
                return true;
            return false;
        };

There are some Mono issues surrounding btls and a pull request that makes this approach look possible in the near future.

Expected Behavior

I would expect to be able to trust and/or verify (allow) a certificate for a TLS 1.2 connection to a server at the application level, without resorting to OS Level trust configuration, in at least one of the above ways.

Note that if the homemade CA Cert (.pem or .cer format) has been installed on the android device via Settings->Security->Install from SD Card, the ClientWebSocket connects using TLS 1.2 without problems, as one would expect. Since this is a global solution to a local problem, not to mention opening a security hole for the larger device ecosystem, I do not wish to require this setup.

Actual Behavior

No mechanism exists to allow a TLS 1.2 connection to succeed when the server's certificate is signed by an untrusted (by OS) CA.

Regardless of approach above, there is always the same exception thrown by ClientWebSocket.ConnectAsync(): A call to SSPI failed and Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /Users/builder/jenkins/workspace/xamarin-android-d15-8/xamarin-android/external/mono/external/boringssl/ssl/handshake_client.c:1132

I created a sample windows server and console app and Xamarin.Forms Android app that demonstrates the issue and the attempts to workaround it described above. Included is a custom CA cert. The server code dynamically issues a client cert with SANs bound to your IP/hostnames for ease of repro.

Client Environment is Xamarin Android Native TLS 1.2 SSL/TLS implementation (boringssl aka btls), using System.Net.WebSockets.ClientWebSocket. This is running on an Android 7.0 device. Visual Studio 2017 15.8.1, Xamarin.Android 9.0.0.18.

Server Environment is Windows .NET 4.7 running Fleck (WebSocket server) configured with TLS 1.2 using a certificate issued by a homemade (non-trusted anywhere on the globe) Certificate Authority (CA).

This was posted to StackOverflow 20 days ago, and since there are one or more potential bugs involved, I raised it here as well.

Version Information

Microsoft Visual Studio Enterprise 2017 Version 15.8.3 VisualStudio.15.Release/15.8.3+28010.2019

Microsoft .NET Framework Version 4.7.03056

Installed Version: Enterprise

Architecture Diagrams and Analysis Tools 00369-60000-00001-AA256 Microsoft Architecture Diagrams and Analysis Tools

Visual C++ 2017 00369-60000-00001-AA256 Microsoft Visual C++ 2017

ASP.NET and Web Tools 2017 15.8.05077.0 ASP.NET and Web Tools 2017

ASP.NET Core Razor Language Services 15.8.31590 Provides languages services for ASP.NET Core Razor.

ASP.NET Web Frameworks and Tools 2017 5.2.60618.0 For additional information, visit https://www.asp.net/

Atomineer Pro Documentation 1.0 Source-code documentation-comment creation and maintenance, and other documentation-related tools.

Azure App Service Tools v3.0.0 15.8.05023.0 Azure App Service Tools v3.0.0

C# Tools 2.9.0-beta8-63208-01 C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools 1.10 Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

Extensibility Message Bus 1.1.49 (remotes/origin/d15-8@ee674f3) Provides common messaging-based MEF services for loosely coupled Visual Studio extension components communication and integration.

GitHub.VisualStudio 2.5.5.3913 A Visual Studio Extension that brings the GitHub Flow into Visual Studio.

IntelliCode Extension 1.0 IntelliCode Extension

IntellicodePackage Extension 1.0 IntellicodePackage Visual Studio Extension Detailed Info

JavaScript Language Service 2.0 JavaScript Language Service

JavaScript Project System 2.0 JavaScript Project System

JetBrains ReSharper Ultimate 2018.2.1 Build 182.0.20180829.63240 JetBrains ReSharper Ultimate package for Microsoft Visual Studio. For more information about ReSharper Ultimate, visit http://www.jetbrains.com/resharper. Copyright © 2018 JetBrains, Inc.

Microsoft Continuous Delivery Tools for Visual Studio 0.4 Simplifying the configuration of continuous build integration and continuous build delivery from within the Visual Studio IDE.

Microsoft JVM Debugger 1.0 Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Microsoft Library Manager 1.0 Install client-side libraries easily to any web project

Microsoft MI-Based Debugger 1.0 Provides support for connecting Visual Studio to MI compatible debuggers

Microsoft Visual C++ Wizards 1.0 Microsoft Visual C++ Wizards

Microsoft Visual Studio Tools for Containers 1.1 Develop, run, validate your ASP.NET Core applications in the target environment. F5 your application directly into a container with debugging, or CTRL + F5 to edit & refresh your app without having to rebuild the container.

Microsoft Visual Studio VC Package 1.0 Microsoft Visual Studio VC Package

MLGen Package Extension 1.0 MLGen Package Visual Studio Extension Detailed Info

Mono Debugging for Visual Studio 4.11.8-pre (009db7d) Support for debugging Mono processes with Visual Studio.

Node.js Tools 1.4.20802.1 Commit Hash:97e1085d8b4b8e3e51c398e910177f87e86d135e Adds support for developing and debugging Node.js apps in Visual Studio

NuGet Package Manager 4.6.0 NuGet Package Manager in Visual Studio. For more information about NuGet, visit http://docs.nuget.org/.

OzCode 1.0 Your road to Magical Debugging. http://www.oz-code.com

OzCodePackage Extension 1.0 OzCodePackage Visual Studio Extension Detailed Info

Pendletron.Vsix.LocateInTFS 1.0 Opens the source control explorer for the currently selected item

ProjectServicesPackage Extension 1.0 ProjectServicesPackage Visual Studio Extension Detailed Info

ResourcePackage Extension 1.0 ResourcePackage Visual Studio Extension Detailed Info

ResourcePackage Extension 1.0 ResourcePackage Visual Studio Extension Detailed Info

Sandcastle Help File Builder SHFB Visual Studio integration for the Sandcastle Help File Builder. https://GitHub.com/EWSoftware/SHFB

SQL Server Data Tools 15.1.61808.07020 Microsoft SQL Server Data Tools

SQL Server Reporting Services 14.0.1016.285 Microsoft SQL Server Reporting Services Designers Version 14.0.1016.285

SQLite & SQL Server Compact Toolbox 4.7 SQLite & SQL Server Compact Toolbox adds scripting, import, export, rename, query execution and much more to SQL Server Compact & SQLite Data Connections.

tangible T4 Editor 2.4.0 tangible engineering GmbH

TFS Source Control Explorer Extension 1.0 Visual Studio Extension for Team Foundation Server Source Control Explorer

TypeScript Tools 15.8.20801.2001 TypeScript Tools for Microsoft Visual Studio

Visual Assist For more information about Visual Assist, see the Whole Tomato Software website at http://www.WholeTomato.com. Copyright (c) 1997-2018 Whole Tomato Software, Inc.

Visual Basic Tools 2.9.0-beta8-63208-01 Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual C++ for Cross Platform Mobile Development (Android) 15.0.27924.00 Visual C++ for Cross Platform Mobile Development (Android)

Visual C++ for Cross Platform Mobile Development (iOS) 15.0.27825.00 Visual C++ for Cross Platform Mobile Development (iOS)

Visual F# Tools 10.2 for F# 4.5 15.8.0.0. Commit Hash: c55dd2c3d618eb93a8d16e503947342b1fa93556. Microsoft Visual F# Tools 10.2 for F# 4.5

Visual Studio Code Debug Adapter Host Package 1.0 Interop layer for hosting Visual Studio Code debug adapters in Visual Studio

Visual Studio Tools for Apache Cordova 15.123.7408.1 Visual Studio Tools for Apache Cordova

Visual Studio Tools for CMake 1.0 Visual Studio Tools for CMake

Visual Studio Tools for Containers 1.0 Visual Studio Tools for Containers

Visual Studio Tools for Universal Windows Apps 15.0.28010.00 The Visual Studio Tools for Universal Windows apps allow you to build a single universal app experience that can reach every device running Windows 10: phone, tablet, PC, and more. It includes the Microsoft Windows 10 Software Development Kit.

VisualStudio.Mac 1.0 Mac Extension for Visual Studio

WiX Toolset Visual Studio Extension 0.9.21.62588 WiX Toolset Visual Studio Extension version 0.9.21.62588 Copyright (c) .NET Foundation and contributors. All rights reserved.

Xamarin 4.11.0.758 (d15-8-xcode10@309af5cf6) Visual Studio extension to enable development for Xamarin.iOS and Xamarin.Android.

Xamarin Designer 4.14.253 (f2941f7cb) Visual Studio extension to enable Xamarin Designer tools in Visual Studio.

Xamarin Templates 1.1.116 (9619170) Templates for building iOS, Android, and Windows apps with Xamarin and Xamarin.Forms.

Xamarin.Android SDK 9.0.0.19 (HEAD/a8a3b0ec7) Xamarin.Android Reference Assemblies and MSBuild support.

Xamarin.iOS and Xamarin.Mac SDK 11.99.3.539 (1d5c334) Xamarin.iOS and Xamarin.Mac Reference Assemblies and MSBuild support.

Log File

StevenBonePgh commented 5 years ago

@jamesmontemagno As the author of Securing Web Requests with TLS 1.2, can you please provide additional information or raise the multiple issues raised above with the appropriate team(s), as there have been no comments on what I consider to be a large blocking issue with security implications. To get this scenario to work, folks must add a system-wide CA cert at the device level - and like the recent Sennheiser cert, developers can potentially do it wrong.

haruby511 commented 5 years ago

I have the same issue in Xamarin Android 9.0 (Pie) SDK with a Galaxy S9 (API 28). My server is using a self-signed certificate.

The HttpClient has no problem with https connections, but System.Net.ClientWebSocket cannot connect over the wss protocol. The connect method throws TlsException. I actually set ServicePointManager.ServerCertificateValidationCallback to always return true and selected the managed TLS implementation in project properties, but there was no luck.

fischja commented 5 years ago

I have exactly the same issue as @haruby511. This is preventing me from developing with Xamarin.Android running in a local emulator against a locally hosted ASP.NET Core web service - I have had to disable SSL for development. Has there been any progress on this?

haruby511 commented 5 years ago

@fischja I have implemented my own websocket client. The constructor of SslStream accepts a validation callback, much like ServicePointManager. Fortunately, the websocket protocol is not very complex. Otherwise, try open source websockets.
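For the "BUGBUG" issuer-name comparison in the original report and the SslStream validation callback mentioned in the comment above, here is what a callback that trusts exactly one private CA should check. This is an added example, not code from the issue or from the dotnet/android project; it assumes a hypothetical file path for the CA certificate and does nothing about the separate bug that btls never invokes the callback.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Validation callback that accepts a server certificate only if it chains
// to one specific private CA. Comparing Issuer names (as in the report's
// BUGBUG snippet) proves nothing: any certificate can carry that issuer name.
// The same signature works for ServicePointManager.ServerCertificateValidationCallback
// and for the RemoteCertificateValidationCallback passed to new SslStream(...).
public static class PrivateCaValidator
{
    // Hypothetical path; in the report this would be the sample_ca.pem resource.
    static readonly X509Certificate2 TrustedCa = new X509Certificate2("sample_ca.pem");

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // Platform validation passed against the OS trust store: accept.
        if (errors == SslPolicyErrors.None)
            return true;
        // A hostname mismatch or missing certificate is never acceptable,
        // regardless of which CA signed it.
        if (certificate == null ||
            errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) ||
            errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            return false;

        // Rebuild the chain with the private CA offered as a candidate issuer,
        // then require that the chain really terminates at that exact CA.
        using (var leaf = new X509Certificate2(certificate))
        using (var custom = new X509Chain())
        {
            custom.ChainPolicy.ExtraStore.Add(TrustedCa);
            custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // The OS does not know our root, so tolerate only "unknown CA";
            // expiry, bad signatures and other chain errors still fail Build().
            custom.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!custom.Build(leaf) || custom.ChainElements.Count < 2)
                return false;

            // Pin the chain's last element to the CA by thumbprint, not by name.
            var root = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
            return string.Equals(root.Thumbprint, TrustedCa.Thumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

A server certificate signed by any other unknown CA ends up as a one-element chain (or fails to build) and is rejected, while the pinned CA's own thumbprint is the only thing that can make the callback return true.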

MasterEmit commented 4 years ago

Any progress related to this topic? We installed a CA at the device and used it to sign a server certificate. Tests with different browsers and tests with Chrome on Android work perfectly. Trying to access it from Xamarin.Android fails with CERTIFICATE_VERIFY_FAILED. We need it for automated testing. Any idea how to solve it? We do not want to switch to http or just ignore certificate errors. It should work. And of course we tried using NetworkSecurityConfig and so on. Without any success.

JohnHe404 commented 4 years ago

If you want to use ssl encryption before officially fixing this bug, consider using this project

https://github.com/ninjasource/Ninja.WebSockets

https://github.com/ninjasource/Ninja.WebSockets/issues/18

jpobst commented 5 months ago

With support for Classic Xamarin.Android ended May 1st, 2024, this issue is likely no longer relevant.

If this still persists in .NET 8+, please open a new issue with updated information based on net8.0-android or greater. Please include a link to this issue for context.