@porsager
Created October 13, 2012 20:09
MonoTouch's certificate trust decision is delegated to iOS itself. However it
might not match Safari 100% of the time since it seems that Safari does a bit
of processing when some things are missing.
The 0x5 code being returned maps to kSecTrustResultRecoverableTrustFailure.
This means the trust could not be confirmed but that it _could_ be fixed (i.e.
it's not refused, but not complete enough to be accepted either).
This can happen for several reasons. In this case it seems* related to a
missing intermediate CA certificate. The https server is not configured to
return the whole certificate chain (it only returns its own certificate**) so
insufficient data is available for iOS to return a success code (hence the 0x5).
The easiest/fastest fix would be to update the server configuration as it
would:
- likely fix this issue (and confirm my suspicion);
- make the network access faster (by not having to issue another HTTP request
to get the intermediate certificate); and
- ensure that the trust can be confirmed even if the 3rd party server (where we
could download the certificate) is unavailable.
* sadly iOS does not support some API that would describe the issue, I'll try
to confirm this from OSX (which, hopefully, should behave identically).
** this is ok RFC-wise but it's not the default for most servers (mostly for
the above reasons)
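
A check for the missing-intermediate condition described above, as an added example that is not part of the original gist: it parses the "Certificate chain" summary printed by `openssl s_client -showcerts` and reports the first issuer the server did not send. The sample output, the host and CA names, and the trust store are constructed, and matching issuers by name only is a simplification of real path validation.

```python
import re

# Constructed samples of the "Certificate chain" summary printed by
# `openssl s_client -showcerts`; the host and CA names are made up.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = api.example.test
   i:CN = Example Intermediate CA
"""
FULL_CHAIN = LEAF_ONLY + """\
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
"""
# Assumed local trust store: only the root is installed on the device.
TRUST_ANCHORS = {"CN = Example Root CA"}

# One entry is an "N s:<subject>" line followed by an "i:<issuer>" line.
ENTRY = re.compile(r"^\s*\d+ s:(.+)\n\s+i:(.+)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in ENTRY.findall(text)]


def first_missing_issuer(chain, trust_anchors):
    """Walk up from the leaf. Return None if the path reaches a trust anchor,
    otherwise the issuer name the client would have to obtain elsewhere.
    Simplification: issuers are matched by name only, no signature checks."""
    if not chain:
        raise ValueError("no certificates found in input")
    issuer_of = dict(chain)
    subject, issuer = chain[0]
    for _ in range(len(chain)):
        if issuer in trust_anchors:
            return None
        if issuer == subject or issuer not in issuer_of:
            return issuer
        subject, issuer = issuer, issuer_of[issuer]
    return issuer  # the sent certificates loop without reaching an anchor


if __name__ == "__main__":
    for label, text in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        missing = first_missing_issuer(parse_chain(text), TRUST_ANCHORS)
        print(label, "->", "complete" if missing is None else "missing: " + missing)
```

For a real server, pass the text printed by `openssl s_client -connect <host>:443 -showcerts` to `parse_chain`.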