[Mono-list] Mono 5 TLS 1.2 support not yet built-in???

Frédéric SOUCHU Frederic.SOUCHU at ingenico.com
Thu Jun 29 07:20:57 UTC 2017


Thanks – it makes things a little bit clearer (and I can switch to a newer OS).

From: Alexander Köplinger [mailto:alkpli at microsoft.com]
Sent: Wednesday, 28 June 2017 19:39
To: Frédéric SOUCHU <Frederic.SOUCHU at ingenico.com>
Cc: mono-list at lists.dot.net
Subject: Re: [Mono-list] Mono 5 TLS 1.2 support not yet built-in???

We don't build/ship the BTLS provider (which is required for TLS 1.2 on Linux) for CentOS6 because it has too old a compiler and can't compile the BoringSSL library.

I've added a note to the 4.8 release notes.

- Alex

On 28 Jun 2017, at 19:17, Frédéric SOUCHU <Frederic.SOUCHU at ingenico.com> wrote:

Hi,
I am running Mono on CentOS 6 (binaries downloaded from official Mono yum repo) and could not get a connection to TLS 1.2 servers.
The documentation says ‘since 4.8 TLS 1.2 is natively supported’ but I couldn’t get it to work.
What am I missing to get TLS 1.2 on Mono? Is the only option to recompile from sources???

How to reproduce:
$> export MONO_TLS_PROVIDER=legacy
$> csharp -e 'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/"))'
I get back a not so nice message:
Bad Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn't have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.
Trying with the BoringTLS flag yields an even worse error:
export MONO_TLS_PROVIDER=btls

Output:
System.Net.WebException:
Error: ConnectFailure (TLS Support not available.)
---> System.NotSupportedException: TLS Support not available.
---> System.NotSupportedException: No such TLS Provider: `btls'.
  at Mono.Net.Security.MonoTlsProviderFactory.LookupProviderType (System.String name, System.Boolean throwOnError) [0x00032] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at Mono.Net.Security.MonoTlsProviderFactory.LookupProvider (System.String name, System.Boolean throwOnError) [0x00000] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at Mono.Net.Security.MonoTlsProviderFactory.TryDynamicLoad () [0x00019] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at Mono.Net.Security.MonoTlsProviderFactory.CreateDefaultProviderImpl () [0x00000] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at Mono.Net.Security.MonoTlsProviderFactory.InitializeInternal () [0x0001a] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MonoTlsProviderFactory.InitializeInternal () [0x0002e] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at Mono.Net.Security.MonoTlsProviderFactory.GetProviderInternal () [0x00010] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at Mono.Net.Security.MonoTlsStream..ctor (System.Net.HttpWebRequest request, System.Net.Sockets.NetworkStream networkStream) [0x00027] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at System.Net.WebConnection.CreateStream (System.Net.HttpWebRequest request) [0x00066] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
   --- End of inner exception stack trace ---
  at System.Net.WebClient.DownloadDataInternal (System.Uri address, System.Net.WebRequest& request) [0x00072] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at System.Net.WebClient.DownloadString (System.Uri address) [0x00020] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at System.Net.WebClient.DownloadString (System.String address) [0x00016] in <d2abb5dd463e4257bc4bb6c9614f73e7>:0
  at <InteractiveExpressionClass>.Host (System.Object& $retval) [0x00005] in <61903e49f3474c469d10aac989d2bbea>:0
  at Mono.CSharp.Evaluator.Evaluate (System.String input, System.Object& result, System.Boolean& result_set) [0x00038] in <26092501e18f4d6bbb84790c331dcb20>:0
  at Mono.CSharpShell.Evaluate (System.String input) [0x00000] in <9c2a1356e8c3450d8aa1583549a8198e>:0

System information:
Linux 2.6.32-642.1.1.el6.x86_64 #1 SMP Fri May 6 14:54:05 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

Mono Version:
Mono JIT compiler version 5.0.1.1 (2017-02/5077205 Wed May 24 13:08:40 UTC 2017)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
        TLS:           __thread
        SIGSEGV:       altstack
        Notifications: epoll
        Architecture:  amd64
        Disabled:      none
        Misc:          softdebug
        LLVM:          supported, not enabled.
        GC:            sgen (concurrent by default)

Regards,
Frederic

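The two outcomes reported in this thread (the legacy provider negotiating TLS 1.0, and the btls provider not being present in the build) can be told apart mechanically from the repro command's output. The following is an added example, not part of the original thread or of Mono: a POSIX shell script that classifies that output per provider. The function names, the result labels, and the policy of treating anything below TLS 1.2 as weak are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the output of the thread's
# repro command for each MONO_TLS_PROVIDER value it mentions.

# Print one of: provider-missing | weak:TLS x.y | ok:TLS x.y | unknown
classify_tls_output() {
    case $1 in
        *"No such TLS Provider"*) echo "provider-missing"; return 0 ;;
    esac
    # howsmyssl.com states the negotiated version as "Your client is using TLS x.y"
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*Your client is using TLS \([0-9]\.[0-9]\).*/\1/p' | head -n 1)
    case $ver in
        "")      echo "unknown" ;;
        1.0|1.1) echo "weak:TLS $ver" ;;   # example policy: below 1.2 is weak
        *)       echo "ok:TLS $ver" ;;
    esac
}

# Run the thread's repro under one provider and capture stdout and stderr.
probe_provider() {
    MONO_TLS_PROVIDER=$1 csharp -e \
      'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/"))' 2>&1
}

# Live check (needs Mono and network access): one line per provider.
audit_providers() {
    for p in legacy btls; do
        printf '%s\t%s\n' "$p" "$(classify_tls_output "$(probe_provider "$p")")"
    done
}

# Offline demo: the first two samples are quoted from the thread,
# the third is constructed for this example.
demo_samples() {
    classify_tls_output "Bad Your client is using TLS 1.0, which is very old"
    classify_tls_output "System.NotSupportedException: No such TLS Provider: \`btls'."
    classify_tls_output "Your client is using TLS 1.2"
}

if [ "${1:-}" = "--live" ]; then audit_providers; else demo_samples; fi
```

Run with `--live` on a host with Mono installed; a `provider-missing` result for `btls` matches the CentOS 6 packaging situation described in the reply.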