Mutual Authentication: Certificate chain removed when connecting to server in MAUI app but not Xamarin Forms

[vsfeedback]

This issue has been moved from a ticket on Developer Community.

---

Hi,

When connecting to the server but running the code using Xamarin Forms, the server received the full certificate chain.
Using MAUI .Net 7 or 8.0, only the client certificate is sent to the server. Certificate chain is empty.
Same certificate and server are used.

In HttpWebRequest ServerCertificateValidationCallback, chain.ChainElements is empty.
Certificate received by the server is valid.

Does anyone knows how to fix this?

Here's a snippet on the client:

HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);

req.ServerCertificateValidationCallback = ValidateServerCertificate;
req.ProtocolVersion = HttpVersion.Version11;
req.ClientCertificates = certificates;
req.Method = "GET";
req.Accept = "text/plain";
req.KeepAlive = false;
...

private static bool ValidateServerCertificate(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors)
{

}

---

Original Comments

Feedback Bot on 2/12/2024, 05:46 PM:

(private comment, text removed)

---

Original Solutions

(no solutions)

[ManickaP]

I'm a bit confused, where is the chains missing? ServerCertificateValidationCallback is for server certificate. ClientCertificates is for sending client certificate to the server. So on which side is the problem?

Also if you're on .NET 7/8, why are you using HttpWebRequest instead of HttpClient? We do not recommend HttpWebRequest for any new development, it's there only for backward compat and easier transition from .NET Framework. It has limited set of features and doesn't get any new development.

[NexusMobile]

The missing chains is at the server. Server receives only chain[0]. All the other certificates in the chain are not provided.
Using httpClient provides the same result at the server. Only the client cert is sent.
In the ValidateServerCertificate callback function, chain.ChainElement.Count = 0 that confirms chain is not sent.
This happen using Net6 and Net8 apps.

Using Xamarin Forms app with httpClient or HttpWebRequest both send the full chain of certificate to the server

[ManickaP]

Can you provide us with a repro code? Preferably for both sides? Also if you have a working code, could you share that as well?

Using httpClient provides the same result at the server. Only the client cert is sent.

You can use HttpClient in a server code, but it is still in the role of a client in some other communication with another server. So some of the description still confuses me.

[NexusMobile]

Hi,

Client code snippet:

/* ************ */
.
.
.

var httpClientHandler = new HttpClientHandler();

httpClientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
httpClientHandler.SslProtocols = SslProtocols.Tls12;
httpClientHandler.ServerCertificateCustomValidationCallback = ValidateServerCertificate;

/* clientCert contains client CA certificates
httpClientHandler.ClientCertificates.Add(clientCert);

HttpClient httpClient = new HttpClient(httpClientHandler);

var username = "test@xxxx.com";
var password = "123456";

string encoded = Convert.ToBase64String(Encoding.GetEncoding("ISO-8859-1").GetBytes(username + ":" + password));
httpClient.DefaultRequestHeaders.Add("Authorization", "Basic " + encoded);
httpClient.DefaultRequestHeaders.Add("Accept", "text/plain");

httpClient.BaseAddress = new Uri("https://192.168.0.109:8443");

HttpResponseMessage response = await httpClient.GetAsync(****URL****);
var jsonResponse = await response.Content.ReadAsStringAsync();
Console.WriteLine($"{jsonResponse}\n");
.
.
.

private static bool ValidateServerCertificate(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors  slPolicyErrors)
{
               if (chain != null)
                   Console.WriteLine("chain: {0}", chain.ChainElements.Count); 
               // Printed value is: [DOTNET] chain: 0
               // Same code running in Xamarin Froms, printed value is: chain: 4
               return true;
}

/* ************ */

At the server, we get the same result in ssl handshake function as above regarding certificate chain received from client:
Chain count of 0 and chain count of 4.

BTW, this is a mutual authentication SSL handshake using private CA

Does it help understand the issue?

Regards

[ManickaP]

So the problem is in provided server certificate chain do the validation callback and that it differs based on what platform you compile for? And you claim this difference is between Xamarin Forms and MAUI? Isn't Xamarin foundation of MAUI?

@simonrozsival do you know of any difference there?

[NexusMobile]

The problem is to provide certificate chain from the client to the server.
From the sample provided above the client does not send the certificate chain to the server.
It works using Xamarin Forms but not using MAUI net 8.0 on Android
I don't understand your last question: Isn't Xamarin foundation of MAUI?
How can I tell?
We are using VS 2022 17.9.5 testing on both platform.

[simonrozsival]

@NexusMobile can you please try setting <UseNativeHttpHandler>false</UseNativeHttpHandler> in your csproj file and try again? I believe the support for client certificates in Android's native message handler is not working as expected (dotnet/android#7274).

[NexusMobile]

false already in csproj file to fix httpClientHandler.ClientCertificates being null without it.

[NexusMobile]

While building project using Xamarin Forms it works fine without <UseNativeHttpHanlder>false<\UseNativeHttpHanlder>
Building a MAUI project with .Net8 using the setting above solve only httpClientHanlder.ClientCertificates not being null and have the client send his certificate (without the chain) to the server.

[simonrozsival]

I see. I originally misread the issue and I thought the problem is with sending the client certificate to the server. The problem actually is that the server's certificate chain doesn't seem to be passed to the ServerCertificateValidationCallback on the client correctly.

Isn't Xamarin foundation of MAUI?

Xamarin.Forms and MAUI have different implementation of the networking layer. Xamarin.Forms uses BoringSSL or OpenSSL and MAUI/.NET 8 on Android uses Android's platform APIs.