SSL TLS support in Mono

TJ Computer Services edited this page Jul 11, 2018 · 18 revisions

Support for SSL/TLS with Mono

If you are using a cloud-based service as the destination of your backups, such as Amazon S3, OneDrive, CloudDrive etc, you will need a set of trusted root certificates in Mono.

Various versions of Mono, and various Linux distributions have different ways of setting up support for SSL. This document collects various distributions and descriptions of how to install and debug SSL with Duplicati.

Technical note: Secure Socket Layer (SSL) is now largely replaced with Transport Layer Security (TLS), but for historical reasons https connections are commonly referred to as SSL connections, even if they are TLS.

Maybe it just works?

Since Mono 3.12.0 (Jan. 2015) SSL support should "just work" with Mono. It should work such that you operating systems list of trusted certificates is also trusted by Mono, and thus the list is always up to date.

Sadly, that is not always the case.

Testing if it works

Duplicati includes the Mono tool tlstest for debugging SSL connections.

You can test if SSL is working correctly with two commands:

mono TlsTest.exe --web https://github.com
mono TlsTest.exe --stream https://github.com

If you get no errors, SSL is working for you. You can replace the target URL to see if you get errors when you point to the service that you are using.

Failed responses usually end with:

Error #-2146762486: CERT_E_CHAINING 0x800B010A

Distributions with known fixes

This is a compiled list of instructions for getting SSL certificates working.

Generic Debian / Ubuntu

Installing the ca-certificates-mono package will add certificates. If possible, use the Mono supplied Debian packages instead of the Mono packages in APT as they are really outdated. If you install the packages from the Mono repository, they generally fix the certificate issues automatically.

If that is not an option, the release notes from Mono suggest running cert-sync:

sudo cert-sync /etc/ssl/certs/ca-certificates.crt

If things still does not work, you can experiment with the environment variable:

MONO_TLS_PROVIDER=legacy

You need at least the mono-runtime package and in some cases libmono-system-net-http4.0-cil to get SSL/TLS working.

Ubuntu 14.04 and old versions of Mono

The bundled mozroots.exe tool, imports certificates from Mozilla, and can help with the older versions:

sudo mono mozroots.exe --import --sync

On some setups, mozroots fails to download the list, ironically because the links require SSL which is not working. In this case, you can work around the issue with by downloading the list manually:

wget -O certdata.txt "http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"

If you do not have wget, but curl instead, use:

curl -o certdata.txt "http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"

Then use mozroots with the --file option:

sudo mono mozroots.exe --import --sync --file certdata.txt

Debian Jessie (8.0)

The default Mono version is 3.2.8, which can run Duplicati, but lacks the cert-sync tools. Uninstall any Mono packages and then use the Mono supplied Debian packages, which will give you the latest version of Mono and the ca-certificates-mono package which fixes SSL.

Debian Wheezy (7.0) and older

The default Mono version is 2.10.8, which is too old to run Duplicati. Uninstall any Mono packages and then use the Mono supplied Debian packages, which will give you the latest version of Mono and the ca-certificates-mono package which fixes SSL.

Generic Fedora / CentOS

The release notes from Mono suggest running cert-sync:

sudo cert-sync /etc/pki/tls/certs/ca-bundle.crt

FreeBSD 10.3

First, make sure FreeBSD actually has some recent CA certificates:

pkg install ca_root_nss

Then sync the certificates with Mono:

cert-sync /usr/local/share/certs/ca-root-nss.crt

Asustor

Login and type:

sudo /usr/local/AppCentral/mono/bin/cert-sync /etc/ssl/certs/ca-certificates.crt

On Mono version 5.8.1.0.r6 the following command works:

sudo mono /usr/local/AppCentral/mono/lib/mono/4.5/cert-sync.exe /etc/ssl/certs/ca-certificates
.crt

Synology

The cert-sync tool works on Synology, but it is not linked correctly, so you need to supply the full path:

sudo /var/packages/Mono/target/usr/local/bin/cert-sync /etc/ssl/certs/ca-certificates.crt
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.