[Mono-dev] SMTP with SSL, and intermediate certificates

Craig McQueen craig.mcqueen at innerrange.com
Tue Aug 16 06:49:06 UTC 2016

Thanks for the feedback--much appreciated. The short answer is, it seems to be fixed in mono 4.4.0. The rest of the info below is just in case anyone might be interested in further details.

> On 12/08/16 15:44, "Mono-devel-list on behalf of Edward Ned Harvey
> (mono)" <mono-devel-list-bounces at lists.dot.net on behalf of
> edward.harvey.mono at clevertrove.com> wrote:
>     > From: Mono-devel-list [mailto:mono-devel-list-bounces at lists.dot.net]
> On
>     > Behalf Of Craig McQueen
>     >
>     > On a Yocto-built embedded Linux system, we're trying to send e-mails
>     > through SMTP with SSL (port 465) or MSA (port 587). We're testing with
>     > smtp.gmail.com and smtp.zoho.com. We have code that works fine with
>     > Windows. But with Mono, we're getting System.IO.IOException: The
>     > authentication or decryption has failed.
>     >
>     > We've found on the Mono Security FAQ that we need:
>     >
>     > a) to install root certificates using mozroots or similar.
>     > b) to get the intermediate certificates from the SMTPS port 465, using
>     > certmgr.
>     Historically, the above was necessary, and maybe some of it still is just
> because you're on an unusual linux system. (The above is automatically done
> during rpm/deb install, for later versions of red hat and debian/ubuntu).

I tried on an Ubuntu 16.04 PC (mono 4.2.1), and I still couldn't do SMTP through port 587 unless I separately downloaded the intermediate certificates through port 465. So it seems it's a problem with mono in general, not just my embedded Linux system with Yocto.

>     Historically, there were problems with the SSL/TLS classes in mono, in
> which a mono server would fail to send intermediates to a client, and a mono
> client would fail to cache any intermediates received from a non-mono
> server, resulting in mono client being able to talk to non-mono servers, and
> mono servers being able to talk to non-mono clients, but mono clients
> couldn't talk to mono servers.

In our case it's our mono client, trying to talk to GMail which I guess is not a mono server.

>     Much of this should hopefully be history now. First of all, there are ways of
> making mono use the OS crypto API, rather than use its own classes. I can't
> tell you exactly how to do that, so if you're interested, start a new thread
> saying exactly how you try to connect to your server (Are you using
> HttpClient?), and ask if that's using the old mono classes or the OS API, and
> ask if there's a different constructor you can use (or something) that would
> force the use of the OS API. (For example, using ModernHttpClient instead?)

I don't think that's applicable for our case. We're just trying to use the System.Net.Mail.SmtpClient with System.Net.Mail.MailMessage.

>     Also, I've heard, but haven't personally checked or tested, that mono is
> now using the microsoft TLS stack, including full support for TLS 1.2. So before
> anything else, try updating to the very latest stable version of mono, and see
> if that solves your problem.

I've tried mono 4.4.0, and that seems to fix the issue. It Just Works™, which is good news.

Alexander Köplinger wrote:
> Sent: Saturday, 13 August 2016 12:06 AM
> To: Edward Ned Harvey (mono) <edward.harvey.mono at clevertrove.com>;
> Craig McQueen <craig.mcqueen at innerrange.com>; mono-devel-
> list at lists.dot.net
> Cc: Steve Mitchell <stevem at innerrange.com>
> Subject: Re: [Mono-dev] SMTP with SSL, and intermediate certificates
> Correct, mozroots should no longer be required/used.
> The cert-sync tool is the recommended approach for populating Mono’s
> certificate store on Linux now: http://www.mono-project.com/docs/about-
> mono/releases/3.12.0/#cert-sync
> The Xamarin .deb/.rpm packages run this during package installation, if you
> built Mono from source you need to run it yourself.

I am able to modify my Yocto build so that OS CA certificates are loaded (Yocto 'ca-certificates' package) and cert-sync is run at start-up. In that case, I can verify that HTTPS still works as expected (tested with tlstest from the Mono Security FAQ). But as for SMTP, with mono 4.2, it doesn't improve the situation. I still need to do step (b) in my original message (get intermediate certificates from SMTP server port 465), before SMTP TLS will work through port 587. With mono 4.4.0, it works.

Craig McQueen

More information about the Mono-devel-list mailing list