[Mono-dev] TLS 1.2 Status Update

Miguel de Icaza miguel at microsoft.com
Thu Aug 18 04:17:06 UTC 2016


Hello team,

It has been a long time coming, but we are getting close now.

We already shipped to production support for TLS 1.2 on Xamarin’s Apple platforms, by using AppleTLS as the engine that powers our TLS stack.

For other platforms, support for TLS 1.2 will be coming in the form of taking a dependency on Google’s BoringTLS as our networking stack and will be the stack that we use on most Mono installations.

Now, when we first added TLS support to Mono years ago, TLS was not very popular, so we built a tool that would download Mozilla's certificate roots and install those into Mono's certificate store. These were the root certificates that Mono trusted. Over the years, TLS became more popular, and Linux distributions started to ship with root certificates as part of the operating system, so we introduced the cert-sync tool, which allows the system certificate store to be synced to the format that Mono expected.

With Boring TLS we will change things a little bit: in many operating systems we will be able to just configure Mono to use the certificate store as present on the system. This includes Android and various Linux distributions. The idea right now is to probe at configure time for the location of the certificate store, or to pass a flag to configure with the location of the certificate store.

In addition, we plan on introducing an environment variable that would prepend a list of directories where the application could load root certificates from.

If you want to track the work, it is currently being developed on this branch:

https://github.com/mono/mono/tree/martin-btls-stable

Miguel.
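The two mechanisms the post describes (probing the system for its certificate store, and an environment variable that prepends extra directories of root certificates) can be modelled with a small probe. The script below is an added example and is not Mono's code, the cert-sync tool, or the BTLS branch; the variable name `MONO_TLS_CERT_DIRS` is a hypothetical placeholder because the post does not name the variable, the distribution bundle paths are well-known locations that the post does not list, and the PEM content it writes is a constructed placeholder rather than a real certificate. It reports every trust source in the order it would be consulted, so an operator can audit what a prepended directory adds before a TLS stack trusts it.

```python
"""Locate CA trust sources the way a TLS stack might probe for them.

Added example (not Mono's code, not the cert-sync tool): it models the two
mechanisms described in the post, probing well-known system certificate store
locations and honouring an operator-supplied list of extra root directories.
"""
import os
import ssl
import tempfile

# Hypothetical variable name; the post does not say what the variable will be called.
ENV_VAR = "MONO_TLS_CERT_DIRS"

# Well-known CA bundle locations on common Linux distributions
# (Debian/Ubuntu, RHEL/Fedora, SUSE, Alpine). Every existing source is reported,
# not only the first hit, so the full trust picture is visible.
DEFAULT_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/ca-bundle.pem",
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
    "/etc/ssl/cert.pem",
)

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def parse_prepend_list(value):
    """Split a PATH-style list into directory names, dropping empties and duplicates but keeping order."""
    out = []
    for item in (value or "").split(os.pathsep):
        item = item.strip()
        if item and item not in out:
            out.append(item)
    return out


def count_pem_certificates(path):
    """Count certificate blocks in a PEM file; unreadable or non-PEM files count as 0."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read().count(PEM_BEGIN)
    except OSError:
        return 0


def count_pem_in_dir(directory):
    """Sum certificate blocks over the regular files in one directory."""
    total = 0
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            total += count_pem_certificates(full)
    return total


def probe_trust_sources(env_value, candidates=DEFAULT_CANDIDATES, include_openssl_defaults=True):
    """Return (kind, path, cert_count) for every trust source that exists, in consultation order.

    Operator-prepended directories come first, then the paths OpenSSL was built
    with (ssl.get_default_verify_paths), then the distribution bundles in `candidates`.
    """
    found = []
    for directory in parse_prepend_list(env_value):
        if os.path.isdir(directory):
            found.append(("env-dir", directory, count_pem_in_dir(directory)))
    if include_openssl_defaults:
        defaults = ssl.get_default_verify_paths()
        if defaults.cafile and os.path.isfile(defaults.cafile):
            found.append(("openssl-cafile", defaults.cafile, count_pem_certificates(defaults.cafile)))
        if defaults.capath and os.path.isdir(defaults.capath):
            found.append(("openssl-capath", defaults.capath, count_pem_in_dir(defaults.capath)))
    for path in candidates:
        if os.path.isfile(path):
            found.append(("distro-bundle", path, count_pem_certificates(path)))
    return found


# Constructed placeholder: shaped like PEM so the counter finds it; not a real certificate.
FAKE_PEM = PEM_BEGIN + "\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"


def build_demo_layout():
    """Create a throwaway tree: a distro-style bundle with two certs and an operator directory with one."""
    root = tempfile.mkdtemp(prefix="trust-probe-demo-")
    bundle = os.path.join(root, "ca-certificates.crt")
    with open(bundle, "w") as fh:
        fh.write(FAKE_PEM * 2)
    corp_dir = os.path.join(root, "corp-roots")
    os.mkdir(corp_dir)
    with open(os.path.join(corp_dir, "corp-root.pem"), "w") as fh:
        fh.write(FAKE_PEM)
    with open(os.path.join(corp_dir, "README"), "w") as fh:
        fh.write("not a certificate\n")  # must be ignored by the counter
    return root, bundle, corp_dir


def demo_probe():
    """Probe the constructed layout only (no real system paths); returns (result, bundle, corp_dir)."""
    root, bundle, corp_dir = build_demo_layout()
    # A missing directory and a duplicate entry exercise the skip and de-duplication paths.
    prepend = os.pathsep.join([os.path.join(root, "missing"), corp_dir, corp_dir])
    result = probe_trust_sources(prepend, candidates=(bundle, "/nonexistent/ca.crt"),
                                 include_openssl_defaults=False)
    return result, bundle, corp_dir


if __name__ == "__main__":
    for kind, path, n in demo_probe()[0] + probe_trust_sources(os.environ.get(ENV_VAR)):
        print(f"{kind:14} {n:5} cert(s)  {path}")
```

Run without arguments it first prints the constructed layout, then whatever the real machine exposes through OpenSSL's compiled-in paths and the distribution bundles. The prepended directories are deliberately listed first, because that is the position in which a prepend mechanism would consult them, and that is the part of the trust chain most worth reviewing on a host.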