[Mono-dev] Open source .Net, and TLS 1.1 & 1.2

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Tue Dec 9 20:21:16 UTC 2014


> From: Miguel de Icaza [mailto:miguel at xamarin.com]
> 
> .NET's implementation of the TLS stack is built on top of native code, so it
> wont work on Mono.
> 
> We have implemented TLS 1.1 and 1.2 on top of the not yet open sourced
> networking stack and will be publishing it as soon as Microsoft open sources
> the .NET networking stack.

Great news, thank you!  A follow-up question:

In the current released version of mono SslStream, if the server uses a cert that is signed by an intermediate chain, *and* a mono SslStream client connects, then the client rejects the cert.  The root cause is because the server does not send the intermediate chain to the client, and the client fails to construct the chain.  The behavior is specifically a mono-mono incompatibility - If either the server or the client is .Net, then the problem does not occur, because a windows server sends the chain to the client, and a windows client performs guerilla tactics to construct an incomplete chain.

So the question is, how could it be possible to add a test for this behavior, presuming it will some day get fixed and then we don't want it to happen again? 

I can easily enough write example code to demonstrate the problem.  But then there's a question about what cert to use for demonstration purposes - it's probably best to create a junk CA with intermediate cert, and some junk server cert.  I could easily enough publish those certs somewhere and/or hard-code them into the demonstration code, with something like 30 year validity.


More information about the Mono-devel-list mailing list