Mono issue with TLS due to Client Certificates #6498
Comments
Cross-referencing note to the Mono team for a couple of existing reports about the not-yet implemented TLS renegotiation support for the
/cc @baulig
Related to the title change for this issue, note that use of client certificates (or more precisely, a server's request for client certificates after the initial TLS negotiation) is not strictly the only reason a TLS renegotiation can happen, but it is the typical reason.
Hi there. We met this problem when upgrading Mono and using the Btls provider (because our customer requires using TLS 1.2). May I know if there is any plan about when the support for client certificates will be implemented? Thanks a lot!
My comments on Xamarin Bugzilla Bug 57106 include some discussion about timelines for adding an up-to-date TLS renegotiation feature to Mono. Inclusion into a nightly build of course might happen sooner than the timelines mentioned there for inclusion into a "go-live" release. As also mentioned there, scheduling for work on the feature by the Xamarin Mono team will be discussed among the team during the first quarter of this year.
@brendanzagaeski @baulig Do you guys now have a more concrete plan or estimate of when this could be done? Thank you so much!
I have been looking at the renegotiation situation and found that if I set the renegotiation mode to freely (in this example), then when a handshake message comes in, btls will process this request and kick off the handshake process, where it will generate a hello message. However, this message never gets sent. It gets put into a buffer by MobileAuthenticatedStream:InternalWrite, but because we have already been through the finally clause of the ProcessAuthentication task and asyncHandshakeRequest has been cleared, the message never leaves the buffer (the result of asyncRequest = asyncHandshakeRequest ?? asyncWriteRequest in InternalWrite is null). Eventually, the server will time out and close the connection.
Yes,
Just did a quick experiment and changed InternalWrite:
The test case I am using then worked (this code works on .NET and using the legacy driver on Mono). It also worked with my OpenSSL provider that I've been working on. I am wondering what things need to be checked to ensure this is correct and robust?
My understanding is that the things that need to be considered are unfortunately fairly subtle, involving how the Martin might be able to share some technical corrections on that summary, but I think that at least roughly captures the flavor of the work to be done.
I assume there are additional considerations for the Mono environment that require the use of System/Mono.Net.Security, such that using the CoreFx would be incomplete or incompatible?
Is there ANY fix or workaround for this issue? As far as I can see, there is currently no way to secure a web request with a client certificate in Mono. That's a big problem, isn't it?
We had the same issue when we called our API with client certificates accepted. However, we recently upgraded Xamarin.Forms from 2.3.4 to 2.5.0.280555, changed the HttpClient implementation to Android and the SSL/TLS implementation to Native TLS 1.2+, and were able to call our back-end API. Hopefully this information could help.
As a limited additional piece of information, note that client certificates requested during the initial TLS handshake will work correctly. It is TLS renegotiation in particular that is not yet supported. So adjusting the server-side settings to request client certificates site-wide during the initial TLS handshake, for all traffic on the target TCP port, will allow client certificates to be used successfully. But that might not fit within the design constraints of all users, and it's only possible when the server software allows it.
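The server-side adjustment described in the comment above, shown as an added Apache mod_ssl example (constructed for this thread, not from the Mono project or any commenter; the hostname, certificate paths and the /api location are placeholders). Variant A asks for the client certificate only for one location, which mod_ssl can only do by renegotiating after the first handshake; Variant B asks for it in the initial handshake for the whole port, which is the configuration a BTLS client without renegotiation support can complete.

```apacheconf
# Constructed example: pick ONE of the two variants for a given port.

# Variant A: per-location client certificate request.
# mod_ssl cannot ask for a certificate mid-connection without a TLS
# renegotiation, so the first request to /api triggers one. A client on
# Mono's BTLS provider (no renegotiation support) stalls until the server
# times out, as described in the thread.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/server.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/server.key
    SSLCACertificateFile  /etc/ssl/placeholder/client-ca.crt
    SSLVerifyClient none
    <Location "/api">
        # Differs from the vhost-level setting: forces renegotiation.
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>

# Variant B: site-wide request during the initial handshake.
# The CertificateRequest is sent in the first handshake, so no
# renegotiation is needed and the BTLS client presents its certificate.
# Trade-off: every request on this port must now carry a certificate.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/server.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/server.key
    SSLCACertificateFile  /etc/ssl/placeholder/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    # Do NOT override SSLVerifyClient inside <Location>/<Directory> here;
    # any per-directory change of the verify mode reintroduces renegotiation.
</VirtualHost>
```

If only some paths need a certificate, a middle ground is `SSLVerifyClient optional` at the vhost level (still requested in the initial handshake) combined with `Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS'"` in the protected location, which enforces presence without changing the verify mode per directory.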
You closed this issue too hurriedly. I have this problem.
Message
StackTrace
Source Code
Internet on LAN cable. This error is not thrown always, but often.
While it might be fixed inside the Mono framework, that's not a big help for those who use Xamarin, as the updated Mono version has not been included in Xamarin so far. In that case, as far as I know, the only option is a native workaround for each platform. It took me quite some time to figure this out, so maybe I can save someone some time by sharing this native Android workaround for Xamarin developers who had the same problem:
@keke78ui9 could you share your Android implementation?
Why is this closed?
@acaliaro I'm using Xamarin.Forms and use HttpClient in shared projects. The HttpClient class is very standard code, not many special things there, but I could show a simple example as follows.
As I mentioned before, in my case upgrading to a higher version and changing the Android HttpClient and SSL/TLS setting helped me fix my issue. I attached the Android Options setting for reference.
Pretty sure my issue with Xamarin.Android and Azure is related to this: Azure/azure-iot-sdk-csharp#561
Hi. We have a .NET 4.0 application for sending HTTPS (TLS 1.0) requests using HttpWebRequest. The application works correctly with the Windows version of Mono, but when we send a request on Ubuntu 16.04 using Mono 5.4.1.6 we get an error, see here: https://pastebin.com/hP9dZvuF
Just to test the app we sent a request to https://www.google.com, https://github.com, etc. and we got no errors, but when we send a request to the required server the issue appears.
We tried to import the required certificates manually using certmgr and mozroots, but it didn't solve the issue.
We are thinking it's an issue with Mono because we compiled the same code with .NET Core and it works well. Is there any chance to solve this issue?
Thank you!