[Mono-dev] SMTP with SSL, and intermediate certificates

Brandon Perry bperry.volatile at gmail.com
Fri Aug 12 14:15:08 UTC 2016


I recently had to deal with a similar issue, but ended up with a ridiculous solution that can’t be put into production.

I set up a proxy between the Mono app like Burp Suite or another transparent proxy (that can do SMTP in your case) that will happily negotiate a TLS v1.0 connection for the client and a TLS v1.1/1.2 connection for the server.

Hope it helps.

> On Aug 12, 2016, at 9:05 AM, Alexander Köplinger via Mono-devel-list <mono-devel-list at lists.dot.net> wrote:
> 
> Correct, mozroots should no longer be required/used.
> 
> The cert-sync tool is the recommended approach for populating Mono’s certificate store on Linux now: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
> The Xamarin .deb/.rpm packages run this during package installation, if you built Mono from source you need to run it yourself.
> 
> TLS1.2 support is still a work in progress as far as I know.
> 
> - Alex
> 
> 
> On 12/08/16 15:44, "Mono-devel-list on behalf of Edward Ned Harvey (mono)" <mono-devel-list-bounces at lists.dot.net on behalf of edward.harvey.mono at clevertrove.com> wrote:
> 
>> From: Mono-devel-list [mailto:mono-devel-list-bounces at lists.dot.net] On
>> Behalf Of Craig McQueen
>> 
>> On a Yocto-built embedded Linux system, we're trying to send e-mails
>> through SMTP with SSL (port 465) or MSA (port 587). We're testing with
>> smtp.gmail.com and smtp.zoho.com. We have code that works fine with
>> Windows. But with Mono, we're getting System.IO.IOException: The
>> authentication or decryption has failed.
>> 
>> We've found on the Mono Security FAQ that we need:
>> 
>> a) to install root certificates using mozroots or similar.
>> b) to get the intermediate certificates from the SMTPS port 465, using
>> certmgr.
> 
>    Historically, the above was necessary, and maybe some of it still is just because you're on an unusual Linux system. (The above is automatically done during rpm/deb install, for later versions of Red Hat and Debian/Ubuntu).
> 
>    Historically, there were problems with the SSL/TLS classes in Mono, in which a Mono server would fail to send intermediates to a client, and a Mono client would fail to cache any intermediates received from a non-Mono server, resulting in Mono client being able to talk to non-Mono servers, and Mono servers being able to talk to non-Mono clients, but Mono clients couldn't talk to Mono servers.
> 
>    Much of this should hopefully be history now. First of all, there are ways of making Mono use the OS crypto API, rather than use its own classes. I can't tell you exactly how to do that, so if you're interested, start a new thread saying exactly how you try to connect to your server (Are you using HttpClient?), and ask if that's using the old Mono classes or the OS API, and ask if there's a different constructor you can use (or something) that would force the use of the OS API. (For example, using ModernHttpClient instead?)
> 
>    Also, I've heard, but haven't personally checked or tested, that Mono is now using the Microsoft TLS stack, including full support for TLS 1.2. So before anything else, try updating to the very latest stable version of Mono, and see if that solves your problem.
>    _______________________________________________
>    Mono-devel-list mailing list
>    Mono-devel-list at lists.dot.net
>    http://lists.dot.net/mailman/listinfo/mono-devel-list
> 
> 
> 
