The remote certificate is invalid according to the validation procedure

UserUnity · 2015-09-22T16:28:38.715Z

Hello,

We have an MVC project using OWIN Framework to allow our users to authenticate using Twitter.
However starting today, we have been getting this exception when trying to authenticate:

System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Can you please advise if there has been any certificate changes recently? and if so, what is the impact on the Twitter API calls?
Also please advise of the method to resolve this issue in our application.

Regards,
Lavina

rlamfink · 2015-09-22T17:26:31.051Z

I have an api app that’s been running fine for years and starting this weekend, users are getting 500 Not Found errors in my Oauth sequence.
Investigation indicates a certificate problem on Twitter’s end causing an RSA related com process on the server to fail.

andypiper · 2015-09-22T19:03:07.284Z

In both of these cases, can you provide any more detail?

@UserUnity - what API endpoint are you connecting to? I’m not familiar with the OWIN Framework.
@rlamfink - same question, and what library are you using?

Twitter API endpoints support SHA-256 as required by Apple’s App Transport Security in iOS 9, so this may require any underlying libraries used in your code to support similar levels of TLS encryption.

rlamfink · 2015-09-23T12:24:48.556Z

Thanks for pointing me in the right direction, Andy!

UserUnity · 2015-09-23T13:42:23.980Z

can you please share how you resolved the problem?

rlamfink · 2015-09-23T14:06:45.507Z

Have not resolved yet. My library doesn’t support SHA256 encryption.

pocohablador · 2015-09-24T08:08:40.460Z

Same problem here. MVC application using Microsoft.Owin.Security.Twitter for a while working fine and since yesterday I’m getting this error too! Please advice!! :S

andypiper · 2015-09-24T14:14:51.915Z

pocohablador:

Microsoft.Owin.Security.Twitter

Unfortunately I’m unable to locate the source code for that library so I’m unable to check whether it supports SHA256. Do you know who owns that code / have any means to feed back to them that it needs to be upgraded?

thereformedprog · 2015-09-24T14:27:03.413Z

Hi,

I noticed this problem today when debugging my MVC 5 web app. I haven’t logged in using Twitter for a while so I am not sure when it started.

I don’t know if it helps but the web app running in debug mode on my desktop gives the error “The remote certificate is invalid according to the validation procedure” but the same application running on Microsoft’s Azure Cloud the login works (strange!).

Not sure what that proves, but it is an interesting observation. Does that help? I could do with a solution too.

thereformedprog · 2015-09-24T14:31:39.728Z

andypiper:

Microsoft.Owin.Security.Twitter

It is owned by Microsoft, and I believe they have made the code ‘open’ (some limitations). If you follow the NuGet signature you get to http://katanaproject.codeplex.com/.

The actual code I think is here.

pocohablador · 2015-09-24T14:36:02.907Z

Hi Andy, I was about to tell you the library comes from Microsoft and I’ve seen you last post. I’m not an expert on owin security by any means so… what do you suggest I can do to fix this?

andypiper · 2015-09-24T15:29:36.099Z

Difficult to know at first glance - it is unclear where the lack of TLS 1.2 / SHA256 lies here, whether in an underlying bundled library, transport level, etc. I’d imagine others using the same library are having issues so hopefully the owners of the code can fix it soon, since the web and mobile apps are increasingly moving to more secure protocols.

pocohablador · 2015-09-24T15:54:30.929Z

What if they don’t? Any other library you know I could use?

andypiper · 2015-09-25T01:17:08.020Z

I’m not familiar enough with the .NET family of libraries to be able to advise you at this time.

rlamfink · 2015-09-25T14:17:54.729Z

I came across this also. Once you have SHA256 working, Twitter security protocol requires root certificates for Twitter’s certificate vendors, DigiCert and Verisign to be installed in the server trusted root CA file.

https://dev.twitter.com/overview/api/ssl

thereformedprog · 2015-09-30T19:33:10.616Z

Hi Andy,

I updated my post to show a rather strange behaviour. trying to use Twitter login on a locally run application throws the error ‘remote certificate…’ but the same application running on Azure allows the login, but then fails. Is it something to do with running on SSL?

UPDATE

Hi @andypiper,

I found there is a new version of the .NET libraries concerning OAuth and I updated to that. That has done the trick when running on the Microsoft Azure platform, which is what matters. I still have a problem when I run locally for development, but I can live with that. Maybe its something to do with no SSL link, as the message is Could not establish trust relationship for the SSL/TLS secure channel.

rlamfink · 2015-10-06T12:27:45.630Z

Andy,
Heeeelllllpppppp! I have enabled SHA256 in my library and I can now communicate and get back a struct with an error. Everything I can find about it says it’s a problem with the certificate chain. Root, intermediate and site certs are installed in the server keystore, but still getting the same error. “I/O Exception: peer not authenticated”.
Any ideas?

andypiper · 2015-10-06T12:37:43.018Z

I’m sadly not a specialist in this stuff so I don’t know for sure. What language are we talking about here - this thread started off discussing .NET but I’m not sure what you’re using.

I will see what I can do to clarify the documentation on our side if there are omissions.

rlamfink · 2015-10-06T14:02:25.712Z

Ok, my hosting provider has stopped its finger pointing, and has finally determined that it’s a problem in their setup. Awaiting the solution. Thanks, Andy!

rlamfink · 2015-10-07T21:04:55.335Z

The final solution was to migrate away from my provider’s Windows/IIS/Coldfusion/SQL Server environment, and reconfigure the site on a new provider’s Ubuntu/Apache/Railo/MySQL stack. Easily imported the certificate chain to fix the original problem. Works great now, and this hosting arrangement is much less costly!