TLS 1.2 Comes to Mono: Update

Short version: the master branch of Mono now has support for TLS 1.2 out of the box. This means that SslStream now uses TLS 1.2, and uses of HttpWebRequest for HTTPS endpoints also uses TLS 1.2 on the desktop.

This brings TLS 1.2 to Mono on Unix/Linux in addition to Xamarin.{Mac,iOS,tvOS} which were already enabled to use TLS 1.2 via the native Apple TLS stack.

To use, install your fresh version of Mono, and then either run the btls-cert-sync command which will convert your existing list of trusted certificates to the new format (if you used cert-sync or mozroots in the past).

In Detail

The new version of Mono now embeds Google's Boring SSL as the TLS implementation to use.

Last year, you might remember that we completed a C# implementation of TLS 1.2. But we were afraid of releasing a TLS stack that had not been audited, that might contain exploitable holes, and that we did not have the cryptographic chops to ensure that the implementation was bullet proof.

So we decided that rather than ship a brand new TLS implementation we would use a TLS implementation that had been audited and was under active development.

So we picked Boring TLS, which is Google's fork of OpenSSL. This is the stack that powers Android and Google Chrome so we felt more comfortable using this implementation than a brand new implementation.

Linux Distributions

We are considering adding a --with-openssl-cert-directory= option to the configure script so that Linux distributions that package Mono could pass a directory that contains trusted root certificates in the format expected by OpenSSL.

Let us discuss the details in the mono-devel-list@lists.dot.net

Posted on 30 Sep 2016 by Miguel de Icaza
This is a personal web page. Things said here do not represent the position of my employer.