[Mono-dev] Still stuck in a bad place with TLS 1.2 support

Ivo Smits Ivo at UFO-Net.nl
Wed Nov 2 20:07:58 UTC 2016


Hi Guerry,

I think a LetsEncrypt certificate should work with Mono's TLS 1.0 
implementation, but it often fails to get the certificate chain right. 
You need to have (only) the right certificates in the local CA store 
(use certmgr) for mono to build the correct chain. I had the same 
problem with other certificates.

While waiting for a stable solution in Mono, and also requiring a 
cross-platform TLS 1.2 implementation (apparently it's not enabled in 
Windows .NET by default) and partly as an exercise, I wrote my own TLS 
1.0-1.1-1.2 server implementation. It has just the bare minimum required 
by the RFC so it should work with all TLS1.0-1.2 clients out there. It's 
not unlikely that it has some (possibly serious) flaws - any feedback in 
this area is appreciated. At least it gives a pretty good A- score on 
the Qualys SSL test.

Source code: 
https://bitbucket.org/IvoSmits/ucis.core/src/42c10ce64a37242477c71bfebe104676255a71f2/NaCl/TLSStream.cs

I also wrote some helper code to handle certificate chains and keys in 
PEM format: 
https://bitbucket.org/IvoSmits/ucis.core/src/42c10ce64a37242477c71bfebe104676255a71f2/NaCl/SSLUtils.cs

This helper allows you to put the private key + certificate + 
intermediates + root certificate in one PEM file to ensure the TLS 
server uses the intended certificate chain.

And a minimal client for LetsEncrypt (agreement URL is no longer valid): 
https://bitbucket.org/IvoSmits/ucis.core/src/42c10ce64a37242477c71bfebe104676255a71f2/NaCl/ACMEClient.cs

Maybe this can be of some use to you or someone else.

--

Ivo


On 1-11-2016 at 22:58, gsemones wrote:
> Hi,
>
> I've posted before about this, but I've been away trying new approaches
> which also did not work. I'm back to see if my new approaches have any
> answers. My project is at a complete standstill and has been for several
> months.
>
> I have an OS X console app that is hosting Owin as a web service and SignalR.
> I need TLS 1.2 to work serving a certificate bound to a port on the Mac, as
> well as for HTTP clients used in the service. The Mono Legacy TLS 1.0
> Provider does not work, particularly with our certificate, which is
> currently generated by LetsEncrypt, and which I believe is only authentic
> for TLS 1.1 and 1.2. I guess I should try a certificate with TLS 1.0
> support?
>
> Miguel and others have been very helpful, but no combination of things I've
> tried up through last month worked. Then came the announcement that Boring
> TLS was available in the latest Mono bits, and so I shifted gears.
>
> I built Mono and could see lots of references to Boring TLS. I built my Mono
> project (not Xamarin.Mac) using the latest Mono and targeting .NET Framework
> 4.6, and ran it using the same. No matter what I did, I could only get the
> Legacy TLS provider, or if I specified "btls" it would fail with an
> exception because Boring SSL was not found. I could not find any docs about
> whether I need to build/install Boring separately or if the bundled copy in
> Mono was supposed to get built. Is the Mono Boring TLS stuff only for
> Android?
>
> I next read again about Apple TLS and Xamarin.Mac. I made a new Xamarin.Mac
> project and ported my code to it. I found that Owin and other packages were
> not available on Nuget for "Xamarin.Mac Mobile Framework" but I had success
> with Xamarin.Mac .NET 4.5 Framework. However, the Apple TLS Provider does
> not appear available and will not load. I only get the Legacy Provider. Does
> the Apple TLS Provider only work with Xamarin.Mac Mobile Framework?
>
> I feel like I'm in a twisty maze of passages all alike.
>
> Is there a document somewhere that points up which TLS options are available
> for which frameworks?
>
> Much thanks in advance,
>
> Guerry
>
> --
> View this message in context: http://mono.1490590.n4.nabble.com/Still-stuck-in-a-bad-place-with-TLS-1-2-support-tp4669106.html
> Sent from the Mono - Dev mailing list archive at Nabble.com.
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.dot.net
> http://lists.dot.net/mailman/listinfo/mono-devel-list
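Ivo's message above recommends keeping the private key, leaf, intermediates and root together in one PEM file so the server presents the intended chain, and notes that Mono's own chain building depends on what sits in the local CA store. The following is an added example, not code from the ucis.core project or from Mono: it splits such a combined PEM file into its blocks, orders the certificates leaf-to-root by matching Issuer to Subject, reports whether the chain actually reaches a self-signed root, and then shows what the framework's own X509Chain resolves for the same leaf when the file's intermediates are offered as an ExtraStore. The file path, the assumption that subjects in the file are unique, and the plain string comparison of Subject/Issuer are simplifications of this example; attaching the private key block to the leaf certificate is platform-specific and is left out.

```csharp
// Added example (not from ucis.core or Mono): inspect a combined PEM file
// (private key + leaf + intermediates + root) and check the chain it yields.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

static class PemChainCheck
{
    // Matches any "-----BEGIN X-----" ... "-----END X-----" block in a PEM file.
    static readonly Regex PemBlock = new Regex(
        @"-----BEGIN (?<label>[A-Z ]+)-----(?<body>.*?)-----END \k<label>-----",
        RegexOptions.Singleline);

    // Returns every PEM block as (label, DER bytes); the label tells key from certificate.
    public static List<KeyValuePair<string, byte[]>> ReadPem(string pemText)
    {
        var blocks = new List<KeyValuePair<string, byte[]>>();
        foreach (Match m in PemBlock.Matches(pemText))
        {
            string base64 = Regex.Replace(m.Groups["body"].Value, @"\s+", "");
            blocks.Add(new KeyValuePair<string, byte[]>(
                m.Groups["label"].Value, Convert.FromBase64String(base64)));
        }
        return blocks;
    }

    // Orders certificates leaf -> root: the leaf is the one that issued nothing else
    // in the file; each next element is the certificate whose Subject equals the
    // current Issuer. Stops early (incomplete chain) when no issuer is found.
    // Assumption: subjects in the file are unique and compared as plain strings.
    public static List<X509Certificate2> OrderChain(IEnumerable<X509Certificate2> certs)
    {
        var pool = certs.ToList();
        var issuedSubjects = new HashSet<string>(
            pool.Where(c => c.Subject != c.Issuer).Select(c => c.Issuer));
        var leaf = pool.FirstOrDefault(c => !issuedSubjects.Contains(c.Subject));
        if (leaf == null)
            throw new InvalidOperationException("no leaf certificate found in file");

        var chain = new List<X509Certificate2> { leaf };
        var current = leaf;
        while (current.Subject != current.Issuer)
        {
            var parent = pool.FirstOrDefault(c => c.Subject == current.Issuer);
            if (parent == null) break;       // missing intermediate or root
            chain.Add(parent);
            current = parent;
        }
        return chain;
    }

    // True only when the ordered chain ends at a self-signed (root) certificate.
    public static bool EndsAtRoot(List<X509Certificate2> chain)
    {
        var last = chain[chain.Count - 1];
        return last.Subject == last.Issuer;
    }

    // What the framework itself builds for this leaf, given the file's other
    // certificates as extra candidates plus whatever is in the local CA store.
    // Revocation checking is disabled so the check runs offline.
    public static List<string> FrameworkChain(X509Certificate2 leaf, IEnumerable<X509Certificate2> extras)
    {
        var x509Chain = new X509Chain();
        x509Chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        foreach (var c in extras) x509Chain.ChainPolicy.ExtraStore.Add(c);
        bool ok = x509Chain.Build(leaf);   // false just means policy errors; elements still listed
        return x509Chain.ChainElements.Cast<X509ChainElement>()
            .Select(e => e.Certificate.Subject + (ok ? "" : "  [" + e.ChainElementStatus.Length + " status flag(s)]"))
            .ToList();
    }

    static void Main(string[] args)
    {
        // Hypothetical path; pass your own combined PEM file as the first argument.
        string path = args.Length > 0 ? args[0] : "server-combined.pem";
        var blocks = ReadPem(File.ReadAllText(path));

        bool hasKey = blocks.Any(b => b.Key.EndsWith("PRIVATE KEY"));
        var certs = blocks.Where(b => b.Key == "CERTIFICATE")
                          .Select(b => new X509Certificate2(b.Value)).ToList();
        Console.WriteLine("private key block present: " + hasKey);
        Console.WriteLine("certificates in file:      " + certs.Count);

        var chain = OrderChain(certs);
        Console.WriteLine("chain as ordered from the file (leaf first):");
        foreach (var c in chain) Console.WriteLine("  " + c.Subject);
        Console.WriteLine(EndsAtRoot(chain)
            ? "chain is complete up to a self-signed root"
            : "WARNING: chain is incomplete; last issuer not found in file: " + chain.Last().Issuer);

        Console.WriteLine("chain as resolved by X509Chain with the local store:");
        foreach (var s in FrameworkChain(chain[0], certs.Skip(1))) Console.WriteLine("  " + s);
    }
}
```

Running this against the PEM file a server is configured with makes the two failure modes in the thread visible: a file that lacks an intermediate shows up as an incomplete ordered chain, and a local CA store with stale or extra certificates shows up as a framework-resolved chain that differs from the one in the file.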
