Enable X509_V_FLAG_TRUSTED_FIRST flag in BoringSSL

[marxin]

Right now, mono can't handle the new Let's Encrypt certificate:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

It's related to BoringSSL and one of the fixed can be seen here:
electron/electron#31213

Reproducer:

csharp -e 'new System.Net.WebClient ().DownloadString ("https://seznam.cz")'
System.Net.WebException: Error: TrustFailure (Authentication failed, see inner exception.) ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /home/abuild/rpmbuild/BUILD/mono-6.12.0.107/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00048] in <83dd749384734033afca92f4cfac782c>:0 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in <83dd749384734033afca92f4cfac782c>:0 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <83dd749384734033afca92f4cfac782c>:0 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in <83dd749384734033afca92f4cfac782c>:0 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x00262] in <83dd749384734033afca92f4cfac782c>:0 
  at Mono.Net.Security.MonoTlsStream.CreateStream (System.Net.WebConnectionTunnel tunnel, System.Threading.CancellationToken cancellationToken) [0x0016a] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x001ba] in <83dd749384734033afca92f4cfac782c>:0 
   --- End of inner exception stack trace ---
  at System.Net.WebConnection.CreateStream (System.Net.WebOperation operation, System.Boolean reused, System.Threading.CancellationToken cancellationToken) [0x0021a] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00141] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebOperation.Run () [0x0009a] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x00061] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebClient.DownloadString (System.Uri address) [0x00011] in <83dd749384734033afca92f4cfac782c>:0 
  at System.Net.WebClient.DownloadString (System.String address) [0x00008] in <83dd749384734033afca92f4cfac782c>:0 
  at <InteractiveExpressionClass>.Host (System.Object& $retval) [0x00006] in <1d026ac8413d497c85986767e073f772>:0 
  at Mono.CSharp.Evaluator.Evaluate (System.String input, System.Object& result, System.Boolean& result_set) [0x00038] in <dc18f8c1f3e14d9a83758fe12bb22a10>:0 
  at Mono.CSharpShell.Evaluate (System.String input) [0x00000] in <a01f5168c3824ddfb7cf74041d74890a>:0 

[sisso]

Related
#19886

[sisso]

For now the only workaround I found was to blacklist the X3 certificate:

sed -i 's#mozilla/DST_Root_CA_X3.crt#!mozilla/DST_Root_CA_X3.crt#' /etc/ca-certificates.conf && update-ca-certificates

[marxin]

Note there's openSSL code that has it changed:
https://github.com/openssl/openssl/blob/master/crypto/x509/x509_vpm.c#L509

[PredatH0r]

Using the flag mentioned in the subject is not really a fix. It works for some cases, but does not work for others:
https://bugs.chromium.org/p/boringssl/issues/detail?id=439&sort=-modified&q=&can=1

The bottom of the issue is that Mono uses an old fork of BoringSSL, which is a fork of OpenSSL 1.0 and includes a broken chain validator that isn't even used by Chrome/Chromium (who are the creators/maintainers of BoringSSL).

My Xamarin/Android application runs on Mono, which uses BoringSSL for the System.Net.WebClient class and depending on the Xamarin project options for HttpClient and TLS implemention, by the System.Net.HttpClient class.
The use of BoringSSL can only be avoided by migrating code from WebClient to HttpClient and then forcing the use the native AndroidClientHandler, but that comes with other problems:

• locks out devices below Android 4.1
• does not support the ServerCertificateValidationCallback, which I need to accept the "ISRG Root X1" cert on Android devices < 7.1.1 and to accept pinned self-signed certificates

[PhonicUK]

I'm just +1ing this. Completely unable to talk to anything that's using a LetsEncrypt certificate right now without the workaround Sisso mentioned to remove the expired certificate.

[merkys7]

+1 important issue

[steveisok]

We'll take a look and see what we can do.

[PredatH0r]

Thanks for taking care of this.
Please be aware of the note made here: https://boringssl.googlesource.com/boringssl/+/8f5eb80b810ff63d14ad3535cb16f7cb8271a4f5

Changing this flag alone only trades one error scenario for another.
A real fix should ignore paths with expired certificates and continue validating available alternative paths.
IMO the mentioned flag should only be a hint for the implementation, but shouldn't effect the outcome.

[akoeplinger]

@PredatH0r it should fix the current Let's Encrypt breakage though and the commit note you linked mentions:

Update-Note: X509_verify_cert will now build slightly different chains
by default. Hopefully, this fixes more issues than it causes, but there
is a risk of trusted_first breaking other scenarios. Those scenarios
will also break OpenSSL 1.1.x defaults, so hopefully this is fine.

I don't think there's much else we can do here and medium-term we're no longer using BoringSSL in .NET 6 anymore.