[Mono-dev] TLS 1.2 to ship in Mono 4.8 + Discussion Topic

Miguel de Icaza miguel at microsoft.com
Wed Nov 30 15:52:41 UTC 2016


Hello team,

The next stable release of Mono will be Mono 4.8; we have created a branch for it called mono-4.8.0-branch that you can get from Git.

This version currently includes our new TLS 1.2 support, based on Google’s BoringSSL stack [1]. This will be used on Android, Linux, Unix, Windows and temporarily for some scenarios when you build on MacOS [2].

As things stand right now, the stack is opt-in, and requires users to set MONO_TLS_PROVIDER to the value btls; on bash, that looks like this:

export MONO_TLS_PROVIDER=btls

To test if things are working, run this command:

MONO_TLS_PROVIDER=btls csharp -e 'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").IndexOf ("1.2"))'

The BoringSSL stack uses a new certificate file format, so you need to run the tool “btls-cert-sync” on your system.

If you see this error from the above command:

System.Net.WebException: Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED) ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSLroutines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

It means that you do not have the certificates in the new format. Run the tool “btls-cert-sync” to convert your existing root certificates into the new file format. If “btls-cert-sync” complains that “The Old Trust Store does not exist”, you first need to tell Mono how to find these certificates; this page describes how to do it:

http://www.mono-project.com/docs/faq/security/
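The manual steps above (select the btls provider, run the howsmyssl probe, run btls-cert-sync on a trust failure, point to the FAQ when the old trust store is missing) wrapped into one script, as an added example that is not part of the original mail or of Mono itself. It assumes the `csharp` REPL and `btls-cert-sync` from the Mono install are on PATH; the classification of the probe output (a non-negative index, -1, or the CERTIFICATE_VERIFY_FAILED exception) is this example's own, based on the command and error text quoted in the mail.

```shell
#!/bin/sh
# Added example, not part of the original mail: wraps the manual steps
# (select the btls provider, probe howsmyssl, run btls-cert-sync on a
# trust failure) into a small script. Assumes `csharp` and
# `btls-cert-sync` from the Mono install are on PATH.

# The probe from the mail. String.IndexOf prints -1 when "1.2" is absent.
TLS_PROBE='Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").IndexOf ("1.2"))'

# Run the probe with the BoringSSL-based provider selected, merging stderr
# so the exception text can be classified; the exit status is ignored.
run_tls_probe() {
    MONO_TLS_PROVIDER=btls csharp -e "$TLS_PROBE" 2>&1 || true
}

# classify_probe_output <captured output> -> one of
#   tls12        a non-negative index was printed: page fetched, "1.2" found
#   no-tls12     page fetched, but "1.2" not found (IndexOf printed -1)
#   trust-store  the CERTIFICATE_VERIFY_FAILED error quoted in the mail:
#                the root certificates have not been converted yet
#   unknown      anything else (no network, csharp missing, ...)
classify_probe_output() {
    out=$1
    case "$out" in
        *CERTIFICATE_VERIFY_FAILED*|*TrustFailure*) echo trust-store ;;
        *)
            # [ -ge ] fails on non-integers; its complaint is silenced
            if [ "$out" -ge 0 ] 2>/dev/null; then
                echo tls12
            elif [ "$out" = "-1" ]; then
                echo no-tls12
            else
                echo unknown
            fi ;;
    esac
}

# classify_cert_sync_output <captured output> -> one of
#   no-old-store  btls-cert-sync could not find the existing trust store;
#                 Mono must first be told where the certificates are
#                 (http://www.mono-project.com/docs/faq/security/)
#   synced        any other output; the second probe decides if it worked
classify_cert_sync_output() {
    case "$1" in
        *"The Old Trust Store does not exist"*) echo no-old-store ;;
        *) echo synced ;;
    esac
}

# Full procedure: probe, convert certificates if needed, probe again.
# Prints the final classification; exit status 0 only for tls12.
check_btls() {
    result=$(classify_probe_output "$(run_tls_probe)")
    if [ "$result" = trust-store ]; then
        echo "certificate verification failed; running btls-cert-sync" >&2
        sync=$(classify_cert_sync_output "$(btls-cert-sync 2>&1 || true)")
        if [ "$sync" = no-old-store ]; then
            echo "no old trust store: see http://www.mono-project.com/docs/faq/security/" >&2
            echo "$result"
            return 1
        fi
        result=$(classify_probe_output "$(run_tls_probe)")
    fi
    echo "$result"
    [ "$result" = tls12 ]
}

# Only run the live check when invoked as `sh btls-check.sh --run`.
if [ "${1-}" = "--run" ]; then
    check_btls
fi
```

Run it as `sh btls-check.sh --run` on a machine with Mono 4.8 installed; it prints `tls12` and exits 0 when the btls provider negotiated with howsmyssl.com, and otherwise names the step from the mail that still needs doing. Note that the probe is only as precise as the one-liner it wraps: an index of "1.2" anywhere in the page is taken as success, exactly as in the mail.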

That said.

I was thinking that perhaps this should be the default, and not an opt-in feature, but instead an opt-out feature, so that we could by default ship TLS 1.2 enabled, and if we run into a problem, users facing the problems could set MONO_TLS_PROVIDER to “legacy”. Thoughts?

Miguel.

[1] BoringSSL stack is a modified version of OpenTLS that Google uses for Chrome and Android, that they maintain and which has some settings altered to increase the security defaults.

[2] When you get Mono from us, we bundle the AppleTLS provider in Mono. Currently this TLS provider is part of “Xamarin.Mac” and involves an ugly circular dependency. We are working to eliminate that, so the default compilation from source in the future will give you AppleTLS without having to resort to complex dances.