#1147 2.23 fails to connect to https on Linux

KeePass_2.x
closed
nobody
None
5
2016-01-21
2013-07-30
No

KeePass 2.23 fails completely to open secured https url on Linux. Gives error:

Error getting response stream (Write: the authentication or decryption has failed.): SendFailure.

This occurs immediately after supplying credentials but before Master password / key. It renders the product unusable. This bug was not present in 2.22.

Discussion

  • Stephen Parry

    Stephen Parry - 2013-07-30

    Should clarify: this affects Ubuntu 12.04 and 13.04, using jtaylor ppa to install.

     
  • Stephen Parry

    Stephen Parry - 2013-07-30

    Workaround supplied by Julian Taylor. Setting the option for allow invalid cert options (Tools -> Options -> Advanced -> File Input/Output Connections -> Accept invalid SSL certificates...) allows the url to be opened. Both certificates are valid, up to date, commercially issued RapidSSL certs fully recognised by Firefox, gnupg etc, so this suggests a problem in cert or root cert verification.

     
  • Dominik Reichl

    Dominik Reichl - 2013-08-04
    • status: open --> closed
    • Priority: 1 --> 5
     
  • Dominik Reichl

    Dominik Reichl - 2013-08-04

    When the option is disabled, KeePass uses the default certificate validation method provided by the framework. If it doesn't work, it's a Mono bug.

    Best regards,
    Dominik

     
  • Stephen Parry

    Stephen Parry - 2013-08-06

    No, this worked fine on 2.22, and mono hasn't changed on either version of Ubuntu I run. Therefore unless 2.22 ignored errors by default, this must be a bug in KeePass.

     
  • Dominik Reichl

    Dominik Reichl - 2013-08-06

    KeePass 2.22 did not validate SSL certificates. KeePass 2.23 does validate them by default, but you can turn it off using the option.

    Best regards,
    Dominik

     
  • Stephen Parry

    Stephen Parry - 2013-08-06

    Thanks, that clarifies things. I now know where the problem lies and have fixed it. For everyone's benefit, here's the deal:

    Mono uses its own cert store, which is initially empty. To make it function you need to use the mozroots program to import certificates into the mono cert store. This is only available in the mono-devel package on Ubuntu - this nightmare downloads 119 other packages. However you can download the deb manually and extract and run the files manually thus:

    mkdir deb-mono-devel
    apt-get download mono-devel
    dpkg --extract mono-devel*.deb deb-mono-devel
    mono deb-mono-devel/usr/lib/mono/4.0/mozroots.exe --import --sync

    The last command may need some tweaking if your system is not mono 4.0.

     
    Last edit: Stephen Parry 2013-08-06
  • Arjan

    Arjan - 2014-08-11

    Thanks Stephen, this fixed the problem for me. On mono-complete 3.2.8+dfsg-4ubuntu1 (default on Ubuntu 14.04) I had to use this location:

    mono deb-mono-devel/usr/lib/mono/4.5/mozroots.exe --import --sync

     
    Last edit: Arjan 2014-08-11
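The two posts above differ only in the profile directory (4.0 vs 4.5) that holds mozroots.exe. The following shell helper is an added example, not part of the original thread or of KeePass or Mono: it locates the tool under the extracted package tree whatever the profile version, and counts the certificates in Mono's per-user trust store so an empty store can be confirmed as the cause. The function names are hypothetical, and the default store path `~/.config/.mono/certs/Trust` with `.cer` files is an assumption about Mono's user store layout.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# Print the path of a Mono tool (e.g. mozroots.exe) inside an extracted
# mono-devel tree, preferring the highest profile directory (4.5 over 4.0).
# Prints nothing if the tool is not present.
find_mono_tool() {
    find "$1/usr/lib/mono" -maxdepth 2 -type f -name "$2" 2>/dev/null \
        | sort -rV | head -n 1
}

# Count certificates in a Mono trust store directory.
# Assumption: the per-user store is ~/.config/.mono/certs/Trust and holds
# one .cer file per trusted root. A count of 0 means every HTTPS server
# certificate will fail validation, as described in the thread.
mono_trust_count() {
    store=${1:-$HOME/.config/.mono/certs/Trust}
    [ -d "$store" ] || { echo 0; return 0; }
    find "$store" -type f -name '*.cer' | wc -l | tr -d ' '
}

# Run the import command from the thread against whichever profile
# directory the extracted package actually contains.
import_mozilla_roots() {
    tool=$(find_mono_tool "$1" mozroots.exe)
    if [ -z "$tool" ]; then
        echo "mozroots.exe not found under $1/usr/lib/mono" >&2
        return 1
    fi
    echo "trusted roots before import: $(mono_trust_count)"
    mono "$tool" --import --sync || return 1
    echo "trusted roots after import:  $(mono_trust_count)"
}

# Only act when explicitly asked, e.g.:  sh thisfile.sh --run deb-mono-devel
if [ "${1:-}" = "--run" ]; then
    import_mozilla_roots "${2:-deb-mono-devel}"
fi
```

A non-zero count after the import lets certificate validation stay enabled in KeePass rather than relying on the "Accept invalid SSL certificates" option.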
  • rssreaderasw

    rssreaderasw - 2014-08-21

    Thanks Dominik, Stephen and Arjan, it was helpful.
    Additional info for others: If you need to cooperate with self-signed certificate (not listed in Mozilla) you can add certificate from your server by this command:

    mono deb-mono-devel/usr/lib/mono/4.5/certmgr.exe -ssl https://yourserver.com

     
  • Renaud Delcoigne

    Hello, I got the same issue (Ubuntu 14.10, Keepass 2.29 from jtaylor).

    I try to connect in https from my uncertified domain but got the error described in the OP.

    Allowing invalid certificates in the settings doesn't resolve the issue.

    I extracted mono-devel as described by Stephen and tried to add the certificate like rssreaderasw explained but got this error:

    $ mono deb-mono-devel/usr/lib/mono/4.5/certmgr.exe -ssl https://mysite
    Mono Certificate Manager - version 3.2.8.0
    Manage X.509 certificates and CRL from stores.
    Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

    Unhandled Exception:
    System.IO.IOException: The authentication or decryption has failed. ---> System.NullReferenceException: Object reference not set to an instance of an object
    at Mono.Security.Protocol.Tls.CipherSuite.createEncryptionCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.CipherSuite.InitializeCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslClientStream.OnNegotiateHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    --- End of inner exception stack trace ---
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    [ERROR] FATAL UNHANDLED EXCEPTION: System.IO.IOException: The authentication or decryption has failed. ---> System.NullReferenceException: Object reference not set to an instance of an object
    at Mono.Security.Protocol.Tls.CipherSuite.createEncryptionCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.CipherSuite.InitializeCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslClientStream.OnNegotiateHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    --- End of inner exception stack trace ---
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

    ...

    It's too bad, I can't access my database from Linux, but I got no problem with Windows and even Android !

    I think I'm stuck here !

    Is there any other solution ?

    Thanks in advance !

    Renaud

     
  • Paul

    Paul - 2015-05-11

    Have you tried turning off validation?
    (Tools -> Options -> Advanced -> File Input/Output Connections -> Accept invalid SSL certificates...)

    cheers, Paul

    p.s. Posting in closed bug reports is not ideal. Opening a new topic in Discussion > Help and then referencing this bug is better.

     
  • Renaud Delcoigne

    Yes, I turned off validation, as I did on my Windows installation, but it didn't help ...

    Thanks for the advice, I will open a new topic :)

    Renaud.

     
  • poruko

    poruko - 2016-01-21

    I can confirm this bug, but it's most likely a serious bug in mono.

    Upon upgrade to Ubuntu Wily - which provides mono 3.2.8, I am no longer able to access my keepass files over https with a self-signed certificate using KeePass 2 (version 2.31). I do have the option to accept invalid certificates selected. This was working flawlessly prior to the upgrade. I can access the same file directly over https using any browser on the same server. I can also access it using KeePass on Windows and Android.

    Following the following bug report http://sourceforge.net/p/keepass/bugs/1466/ I have tried

    mono deb-mono-devel/usr/lib/mono/4.5/mozroots.exe --import --sync

    which completed successfully, and also

    mono deb-mono-devel/usr/lib/mono/4.5/certmgr.exe -ssl https://myserver.../

    The latter failed with the following - which is most likely the root cause of the problem:

    Unhandled Exception:
    System.IO.IOException: The authentication or decryption has failed. ---> System.NullReferenceException: Object reference not set to an instance of an object
    at Mono.Security.Protocol.Tls.CipherSuite.createEncryptionCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.CipherSuite.InitializeCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslClientStream.OnNegotiateHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    --- End of inner exception stack trace ---
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    [ERROR] FATAL UNHANDLED EXCEPTION: System.IO.IOException: The authentication or decryption has failed. ---> System.NullReferenceException: Object reference not set to an instance of an object
    at Mono.Security.Protocol.Tls.CipherSuite.createEncryptionCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.CipherSuite.InitializeCipher () [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslClientStream.OnNegotiateHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
    --- End of inner exception stack trace ---
    at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

    UPDATE: I have just realised that the version of mono installed did not change in the upgrade from Ubuntu Vivid and Wily - so I am less clear about what the root cause of the problem is now.

    UPDATE: I installed the mono-devel package - which appears to somehow have been deselected during the upgrade - and it is all working flawlessly for me again. So, there is a bug in the KeePass package for Ubuntu: It should have mono-devel (or whatever library is needed from within it) as a dependency so that the application works as intended.

     
    Last edit: poruko 2016-01-21
  • Paul

    Paul - 2016-01-21

    It's more likely a change in mono that now requires mono-dev to perform the same functionality.

    cheers, Paul

     
