[Mono-dev] SMTP with SSL, and intermediate certificates

Edward Ned Harvey (mono) edward.harvey.mono at clevertrove.com
Fri Aug 12 13:44:24 UTC 2016


> From: Mono-devel-list [mailto:mono-devel-list-bounces at lists.dot.net] On
> Behalf Of Craig McQueen
> 
> On a Yocto-built embedded Linux system, we're trying to send e-mails
> through SMTP with SSL (port 465) or MSA (port 587). We're testing with
> smtp.gmail.com and smtp.zoho.com. We have code that works fine with
> Windows. But with Mono, we're getting System.IO.IOException: The
> authentication or decryption has failed.
> 
> We've found on the Mono Security FAQ that we need:
> 
> a) to install root certificates using mozroots or similar.
> b) to get the intermediate certificates from the SMTPS port 465, using
> certmgr.

Historically, the above was necessary, and maybe some of it still is, just because you're on an unusual Linux system. (The above is automatically done during rpm/deb install for later versions of Red Hat and Debian/Ubuntu.)

Historically, there were problems with the SSL/TLS classes in Mono, in which a Mono server would fail to send intermediates to a client, and a Mono client would fail to cache any intermediates received from a non-Mono server, resulting in Mono clients being able to talk to non-Mono servers, and Mono servers being able to talk to non-Mono clients, but Mono clients couldn't talk to Mono servers.

Much of this should hopefully be history now. First of all, there are ways of making Mono use the OS crypto API, rather than use its own classes. I can't tell you exactly how to do that, so if you're interested, start a new thread saying exactly how you try to connect to your server (Are you using HttpClient?), and ask if that's using the old Mono classes or the OS API, and ask if there's a different constructor you can use (or something) that would force the use of the OS API. (For example, using ModernHttpClient instead?)

Also, I've heard, but haven't personally checked or tested, that Mono is now using the Microsoft TLS stack, including full support for TLS 1.2. So before anything else, try updating to the very latest stable version of Mono, and see if that solves your problem.
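
Added example, not part of the original message or of Mono's own code: a small diagnostic for the failure discussed in this thread. It connects to an implicit-TLS SMTP port (465) with `SslStream` and prints whether validation failed because an issuer is missing from the chain or because the root is not trusted. The class name `SmtpsChainCheck` and the helper `Report` are hypothetical; the default host and port are the ones mentioned in the thread.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

static class SmtpsChainCheck
{
    // Reports why validation failed. It never overrides the runtime's verdict:
    // the handshake is accepted only when there are no policy errors.
    static bool Report(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("Policy errors: " + errors);
        if (chain == null) return errors == SslPolicyErrors.None;
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine("  chain element: " + e.Certificate.Subject);
        foreach (X509ChainStatus s in chain.ChainStatus)
        {
            if (s.Status == X509ChainStatusFlags.PartialChain)
                Console.WriteLine("  PartialChain: an issuer (often an intermediate) was not found");
            else if (s.Status == X509ChainStatusFlags.UntrustedRoot)
                Console.WriteLine("  UntrustedRoot: chain is complete, root is not in the trust store");
            else
                Console.WriteLine("  " + s.Status + ": " + s.StatusInformation);
        }
        return errors == SslPolicyErrors.None;
    }

    static int Main(string[] args)
    {
        // Port 465 starts TLS immediately; port 587 needs STARTTLS first and is not covered here.
        string host = args.Length > 0 ? args[0] : "smtp.gmail.com";
        int port = args.Length > 1 ? int.Parse(args[1]) : 465;
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var tls = new SslStream(tcp.GetStream(), false, Report))
            {
                tls.AuthenticateAsClient(host);
                Console.WriteLine("Handshake OK, protocol: " + tls.SslProtocol);
                return 0;
            }
        }
        catch (Exception ex)
        {
            // The exception type differs between TLS stacks, so print it as-is.
            Console.WriteLine(ex.GetType().Name + ": " + ex.Message);
            return 1;
        }
    }
}
```

Running the same binary before and after importing root or intermediate certificates shows which of the two steps from the quoted FAQ the system actually needed.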

