[Mono-dev] SMTP with SSL, and intermediate certificates

Alexander Köplinger alkpli at microsoft.com
Fri Aug 12 14:05:52 UTC 2016

Correct, mozroots should no longer be required/used.

The cert-sync tool is the recommended approach for populating Mono’s certificate store on Linux now: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
The Xamarin .deb/.rpm packages run this during package installation, if you built Mono from source you need to run it yourself.

TLS1.2 support is still a work in progress as far as I know.

- Alex

On 12/08/16 15:44, "Mono-devel-list on behalf of Edward Ned Harvey (mono)" <mono-devel-list-bounces at lists.dot.net on behalf of edward.harvey.mono at clevertrove.com> wrote:

    > From: Mono-devel-list [mailto:mono-devel-list-bounces at lists.dot.net] On
    > Behalf Of Craig McQueen
    > On a Yocto-built embedded Linux system, we're trying to send e-mails
    > through SMTP with SSL (port 465) or MSA (port 587). We're testing with
    > smtp.gmail.com and smtp.zoho.com. We have code that works fine with
    > Windows. But with Mono, we're getting System.IO.IOException: The
    > authentication or decryption has failed.
    > We've found on the Mono Security FAQ that we need:
    > a) to install root certificates using mozroots or similar.
    > b) to get the intermediate certificates from the SMTPS port 465, using
    > certmgr.
    Historically, the above was necessary, and maybe some of it still is just because you're on an unusual linux system. (The above is automatically done during rpm/deb install, for later versions of red hat and debian/ubuntu). 
    Historically, there were problems with the SSL/TLS classes in mono, in which a mono server would fail to send intermediates to a client, and a mono client would fail to cache any intermediates received from a non-mono server, resulting in mono client being able to talk to non-mono servers, and mono servers being able to talk to non-mono clients, but mono clients couldn't talk to mono servers.
    Much of this should hopefully be history now. First of all, there are ways of making mono use the OS crypto API, rather than use its own classes. I can't tell you exactly how to do that, so if you're interested, start a new thread saying exactly how you try to connect to your server (Are you using HttpClient?), and ask if that's using the old mono classes or the OS API, and ask if there's a different constructor you can use (or something) that would force the use of the OS API. (For example, using ModernHttpClient instead?)
    Also, I've heard, but haven't personally checked or tested, that mono is now using the microsoft TLS stack, including full support for TLS 1.2. So before anything else, try updating to the very latest stable version of mono, and see if that solves your problem.
    Mono-devel-list mailing list
    Mono-devel-list at lists.dot.net

More information about the Mono-devel-list mailing list