Hello team,

The next stable release of Mono will be Mono 4.8, we have created a branch for 
it called mono-4.8.0-branch that you can get from Git.

This version currently includes our new TLS 1.2 support, based on Google’s 
BoringSSL stack [1].   This will be used on Android, Linux, Unix, Windows and 
temporarily for some scenarios when you build on MacOS [2].

As things stand right now, the stack is opt-in, and requires users to set the 
MONO_TLS_PROVIDER to the value btls; on bash, that looks like this:

export MONO_TLS_PROVIDER=btls

To test if things are working, run this command:

MONO_TLS_PROVIDER=btls csharp -e 'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").IndexOf ("1.2"))'

The BoringSSL stack uses a new certificate file format, so you need to run the 
tool “btls-cert-sync” on your system.

If you see this error from the above command:

System.Net.WebException: Error: TrustFailure (Ssl error:1000007d:SSL 
routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED) ---> 
Mono.Btls.MonoBtlsException: Ssl 
error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

It means that you do not have the certificates in the new format.   Run the 
tool “btls-cert-sync” to convert your existing root certificates into the new 
file format.   If “btls-cert-sync” complains that “The Old Trust Store does not 
exist”, you first need to tell Mono how to find these certificates; this page 
describes how to do it:

http://www.mono-project.com/docs/faq/security/

That said.

I was thinking that perhaps this should be the default, and not an opt-in 
feature, but instead an opt-out feature, so that we could by default ship TLS 
1.2 enabled, and if we run into a problem, users facing the problems could set 
MONO_TLS_PROVIDER to “legacy”.   Thoughts?

Miguel.

[1] BoringSSL stack is a modified version of OpenTLS that Google uses for 
Chrome and Android, that they maintain and which has some settings altered to 
increase the security defaults.

[2] When you get Mono from us, we bundle the AppleTLS provider in Mono.   
Currently this TLS provider is part of “Xamarin.Mac” and involves an ugly 
circular dependency.  We are working to eliminate that, so the default 
compilation from source in the future will give you AppleTLS without having to 
resort to complex dances.
_______________________________________________
Mono-devel-list mailing list
http://lists.dot.net/mailman/listinfo/mono-devel-list
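The steps from the mail wrapped in a small POSIX sh script (an added example, not code from Miguel's mail or the Mono project): it runs the mail's probe command with the BTLS provider selected and maps the output to the next action the mail describes, including the CERTIFICATE_VERIFY_FAILED and "Old Trust Store does not exist" cases. The function names and result labels are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail or of Mono itself.
# Runs the opt-in BTLS probe from the mail and classifies what it prints.

# The mail's one-liner, run with the BTLS provider selected. stderr is
# merged so the TrustFailure exception text can be inspected as well.
run_btls_probe() {
    MONO_TLS_PROVIDER=btls csharp -e 'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").IndexOf ("1.2"))' 2>&1
}

# Classify probe output (assumed labels). Prints exactly one of:
#   tls12-ok       IndexOf("1.2") >= 0: howsmyssl saw a TLS 1.2 handshake
#   no-tls12       IndexOf returned -1: page fetched, but not over TLS 1.2
#   run-cert-sync  CERTIFICATE_VERIFY_FAILED: roots not yet in BTLS format
#   no-trust-store btls-cert-sync found no old store: see the Mono security FAQ
#   unknown        anything else (keep the raw output for debugging)
classify_btls_output() {
    out=$1
    case "$out" in
        *CERTIFICATE_VERIFY_FAILED*)        echo run-cert-sync ;;
        *"Old Trust Store does not exist"*) echo no-trust-store ;;
        *)
            # A clean run prints only the integer from IndexOf on the last line.
            last=$(printf '%s\n' "$out" | sed -n '$p' | tr -d '[:space:]')
            case "$last" in
                -1)         echo no-tls12 ;;
                ''|*[!0-9]*) echo unknown ;;
                *)          echo tls12-ok ;;
            esac ;;
    esac
}

# Driver: probe, classify, and print the follow-up step from the mail.
btls_selfcheck() {
    command -v csharp >/dev/null 2>&1 || { echo "csharp not found; is Mono installed?"; return 2; }
    result=$(run_btls_probe)
    verdict=$(classify_btls_output "$result")
    echo "btls check: $verdict"
    case "$verdict" in
        run-cert-sync)  echo "next step: run btls-cert-sync to convert your root certificates" ;;
        no-trust-store) echo "next step: configure the trust store, see http://www.mono-project.com/docs/faq/security/" ;;
        unknown)        printf 'raw output:\n%s\n' "$result" ;;
    esac
}

# Invoke as:  sh btls-check.sh run
if [ "${1:-}" = run ]; then btls_selfcheck; fi
```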