0 votes
by (790 points)

We are using Rebex HTTPS R5.0 in a Xamarin for Android project, built using Visual Studio 2019 version 16.9.4, for devices running Android 10.

According to your platform support chart, we added the binaries from the netstandard2.0 folder to the project, same for the binaries of the Simple elliptic curve libraries.

Contacting the domain cdn.reservix.com with TLS 1.3, we get an error validating the certificate with the following ValidationStatus:

IncompleteChain | OfflineRev | UnknownRev

Behind that there is an error in the Handle of the CertificateChain of the SslCertificateValidationEventArgs in the ValidatingCertificate event handler:

Unable to cast object of type "Mono.Debugger.Soft.PointerValue" to type "Mono.Debugger.Soft.PrimitiveValue".

Updating to the .NET Standard 2.1 version did not change anything.

What can we do here?

Applies to: Rebex HTTPS

1 Answer

0 votes
by (148k points)
Best answer

By default, Rebex components on Xamarin.Android use .NET's X509Chain class to validate certificates, which currently uses its own certificate stores, which usually does not work properly.

Please add a reference to Rebex.Common.Native.dll and enable NativeCertificateEngine, as described in the following KB article:
HOWTO: Validating X.509 certificates on Xamarin.Android and Xamarin.iOS

by (790 points)
Thank you, that works!
by (220 points)
Hi Lukas,
For me, e.CertificateChain.Validate returns FALSE with the status 'NotTrusted' even after using CertificateEngine.SetCurrentEngine(new NativeCertificateEngine()).

I tried using a few options as well, but the result was the same.

e.CertificateChain.Validate(e.ServerName, ValidationOptions.SkipRevocationCheck | ValidationOptions.IgnoreTimeNotValid | ValidationOptions.IgnoreCnNotMatch)

Any suggestions from your side?


Thanks,
by (148k points)
- On Xamarin platforms, only validation of certificates with RSA keys is supported.
- When using a custom CA, its certificate has to be added to the list of trusted CAs of the device.
- The Validate method returns an instance of ValidationResult (https://www.rebex.net/doc/api/Rebex.Security.Certificates.ValidationResult.html). To find out why it returned FALSE, see the contents of Status property.
by (220 points)
Hi Lukas,
Just posting my comment here again instead of creating a new ticket since it is related.
I have enabled validation by making SslAcceptAllCertificates false, but I am not getting any response from the server (it was working earlier). I checked the Rebex log file; the connection is established and it is being validated, but after that nothing happens.
Could you please check the Rebex log file and maybe give some hints?



2024-10-28 15:10:55.139 DEBUG WebSocketClient(2)[15] TLS: HandshakeMessage:ServerKeyExchange was received.
2024-10-28 15:10:55.141 VERBOSE WebSocketClient(2)[15] TLS: Received TLS packet:
2024-10-28 15:10:55.142 DEBUG WebSocketClient(2)[15] TLS: HandshakeMessage:CertificateRequest was received.
2024-10-28 15:10:55.142 VERBOSE WebSocketClient(2)[15] TLS: Received TLS packet:
 0000 |16-03-03-00-04-0E-00-00 00                     | .........
2024-10-28 15:10:55.142 DEBUG WebSocketClient(2)[15] TLS: HandshakeMessage:ServerHelloDone was received.
2024-10-28 15:10:55.143 DEBUG WebSocketClient(2)[15] TLS: Verifying server certificate ('CN="LoDiS#0", C=GR').


Thanks,
by (148k points)
According to the more detailed version of the log you sent via email, the server you are trying to connect to is using a certificate with an ECDSA key. Unfortunately, as I wrote above, only RSA certificates are supported on Xamarin platforms. The only way to get it working is to use a custom certificate validator.

However, the most straightforward solution is to use RSA certificates at the server side instead of ECDSA.

Additionally, since Xamarin platforms are now end-of-life and no longer supported by their vendor, another solution to consider is to migrate to .NET 8 / .NET 9. These platforms do support validation of ECDSA certificates on Android and iOS.
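
The checks discussed in this thread (native engine enabled, the Status of the ValidationResult inspected, RSA versus ECDSA leaf key) combined into one diagnostic handler, as an added example that is not code from Rebex or from the posters. The class name, the `client` variable in the comment, and the `LeafCertificate`, `KeyAlgorithm`, `GetSubjectName`, `Valid`, `Accept` and `Reject` members are assumptions taken from the Rebex API as I understand it; verify them against the installed version.

```csharp
using System;
using Rebex.Net;
using Rebex.Security.Certificates;

// Hypothetical helper class; not part of the Rebex library.
public static class TlsValidationDiagnostics
{
    // Call once at application startup, before the first TLS connection.
    public static void UseNativeEngine()
    {
        CertificateEngine.SetCurrentEngine(new NativeCertificateEngine());
    }

    // Wire up with: client.ValidatingCertificate += TlsValidationDiagnostics.OnValidatingCertificate;
    // ("client" stands for the WebSocketClient or HTTPS object used in the app.)
    public static void OnValidatingCertificate(object sender, SslCertificateValidationEventArgs e)
    {
        Certificate leaf = e.CertificateChain.LeafCertificate;

        Console.WriteLine("Server name:        {0}", e.ServerName);
        Console.WriteLine("Leaf subject:       {0}", leaf.GetSubjectName());
        Console.WriteLine("Leaf key algorithm: {0}", leaf.KeyAlgorithm);

        // Per the thread, only RSA certificates validate on Xamarin platforms.
        if (leaf.KeyAlgorithm != KeyAlgorithm.RSA)
        {
            Console.WriteLine("Non-RSA server certificate: validation is expected to fail on Xamarin.");
        }

        // Validate with default options so no check is silently skipped.
        ValidationResult result = e.CertificateChain.Validate(e.ServerName, ValidationOptions.None);

        if (result.Valid)
        {
            e.Accept();
            return;
        }

        // Status is a flags value; printing it shows every failed check.
        Console.WriteLine("Validation failed, Status = {0}", result.Status);

        // Fail closed: never fall back to accepting the certificate here.
        e.Reject();
    }
}
```

The handler only runs when SslAcceptAllCertificates is false, as in the configuration described above.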
by (220 points)
Thank you for the reply and help, I will check this and update.
...