Bug 26658 - HttpWebRequest.GetResponse fails for some https requests in Mono.Security.Protocol.Tls
Status: NEEDINFO
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security
Version: 3.10.0
Hardware: PC Linux
: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
URL:
Duplicates: 44615
Depends on:
Blocks: 28605
Reported: 2015-02-02 16:56 UTC by mrbarby1
Modified: 2017-09-13 19:08 UTC
Attachments
test case (729 bytes, text/plain)
2015-02-02 16:56 UTC, mrbarby1

Description mrbarby1 2015-02-02 16:56:15 UTC
Created attachment 9608
test case

WebRequest.GetResponse() fails for https://sceneaccess.eu

Unhandled Exception:
System.Net.WebException: Error: SendFailure (Error writing headers) ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0
  at TlsTest.Main (System.String[] args) [0x00000] in <filename unknown>:0

I have attached a minimal test case, tlssimple.cs.  If I switch the Uri in the test case to https://google.com then it works fine, so I don't think it's an issue with my root certificates.  I get the same behavior using tlstest.cs from:

https://raw.githubusercontent.com/mono/mono/master/mcs/class/Mono.Security/Test/tools/tlstest/tlstest.cs

i.e. https://google.com works but https://sceneaccess.eu fails.

I think there is a related problem with certmgr.  Running:
> certmgr -ssl https://sceneaccess.eu

Throws a similar error:

Mono Certificate Manager - version 3.10.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Unhandled Exception:
System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0

Finally, trying to import the ssl certificate directly fails also:

> openssl s_client -servername sceneaccess.eu -connect sceneaccess.eu:443 < /dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > temp.crt
> certmgr -add -c AddressBook temp.crt

Mono Certificate Manager - version 3.10.0.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Unhandled Exception:
System.IndexOutOfRangeException: Array index is out of range.
  at Mono.Security.ASN1..ctor (System.Byte[] data) [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Certificate.get_RSA () [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Store.ImportPrivateKey (Mono.Security.X509.X509Certificate certificate, System.Security.Cryptography.CspParameters cspParams) [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Store.Import (Mono.Security.X509.X509Certificate certificate) [0x00000] in <filename unknown>:0
  at Mono.Tools.CertificateManager.Add (ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0
  at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00000] in <filename unknown>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.IndexOutOfRangeException: Array index is out of range.
  at Mono.Security.ASN1..ctor (System.Byte[] data) [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Certificate.get_RSA () [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Store.ImportPrivateKey (Mono.Security.X509.X509Certificate certificate, System.Security.Cryptography.CspParameters cspParams) [0x00000] in <filename unknown>:0
  at Mono.Security.X509.X509Store.Import (Mono.Security.X509.X509Certificate certificate) [0x00000] in <filename unknown>:0
  at Mono.Tools.CertificateManager.Add (ObjectType type, Mono.Security.X509.X509Store store, System.String file, System.String password, Boolean verbose) [0x00000] in <filename unknown>:0
  at Mono.Tools.CertificateManager.Main (System.String[] args) [0x00000] in <filename unknown>:0

I am using Ubuntu 14.04 with mono 3.10.  It also fails on another PC running Ubuntu 14.04 and mono 3.10.  I have tried upgrading to mono 3.12 (from your repository, also fails), downgrading to mono 3.2 (from Ubuntu's repository, also fails) and compiling mono 3.0.12 from source (also fails).  Curiously another old PC with mono 2.10 and fedora works.  Unfortunately I couldn't get mono 2.x to compile on my machine to see if that works.

Please let me know if I can provide any more information.

Thanks.
Comment 1 mrbarby1 2015-02-03 03:48:45 UTC
I just double checked and I was wrong that it works on mono 2.10.  The certmgr command works but that's because it's picking up the wrong certificate from the server.  Running the tlssimple.cs test case gives a slightly different error:

mono tlssimple.exe
https://sceneaccess.eu/

Unhandled Exception: System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010f
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in <filename unknown>:0
  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0
  at TlsTest.Main (System.String[] args) [0x00000] in <filename unknown>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010f
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in <filename unknown>:0
  at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
  at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in <filename unknown>:0
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0
  at TlsTest.Main (System.String[] args) [0x00000] in <filename unknown>:0

This is on mono 2.10.8.
Comment 2 Brendan Zagaeski (Xamarin Support) 2015-02-27 18:03:39 UTC
Just to record a few additional details, https://www.ssllabs.com/ssltest/ currently reports the following supported cipher suites for https://sceneaccess.eu:

> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

All of these require Elliptic curve Diffie–Hellman key agreement which is not yet supported by Mono.
Comment 3 Igor Támara 2015-05-08 10:12:08 UTC
I'm on OS/X 10.10.3 and I can confirm I'm having the same issue when trying to post to an https server.

Mono JIT compiler version 3.10.0 ((detached/92c4884 Thu Nov 13 23:27:38 EST 2014)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           normal
	SIGSEGV:       altstack
	Notification:  kqueue
	Architecture:  x86
	Disabled:      none
	Misc:          softdebug 
	LLVM:          yes(3.4svn-mono-(detached/e656cac)
	GC:            sgen

Unhandled Exception:
System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0 
  at RestConsumingSample.invokeWebService (System.String urlEndPoint, System.Collections.Generic.List`1 data, System.String token) [0x00000] in <filename unknown>:0 
  at RestConsumingSample.Main (System.String[] args) [0x00000] in <filename unknown>:0 
[ERROR] FATAL UNHANDLED EXCEPTION: System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  at System.Net.HttpWebRequest.GetResponse () [0x00000] in <filename unknown>:0 
  at RestConsumingSample.invokeWebService (System.String urlEndPoint, System.Collections.Generic.List`1 data, System.String token) [0x00000] in <filename unknown>:0 
  at RestConsumingSample.Main (System.String[] args) [0x00000] in <filename unknown>:0
Comment 4 Nils Ehnert 2015-05-12 08:34:29 UTC
Same problem here (using RestSharp) - the ciphers 

TLS_ECDHE_RSA_WITH_AES_*
TLS_DHE_RSA_WITH_AES_*

are not working ("The authentication or decryption has failed."). 
Also the attempt to import the certificate via certmgr.exe -ssl <server> is failing.

I think there's a strong need to fix this since 
perfect forward secrecy is advancing.
Comment 5 Stuart 2015-05-15 18:56:13 UTC
Same problem here. Also using RestSharp. I also tried to import my certificate manually, but that fails.  Also fails with the following example.

certmgr -ssl -m https://sceneaccess.eu

Mono Certificate Manager - version 4.0.1.0
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Unhandled Exception:
System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00000] in <filename unknown>:0 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
Comment 6 Tanaka 2015-05-16 08:23:00 UTC
Google brought me here. We updated Nginx, and our long running C# Mono service has stopped connecting to it.  The errors match that of this bug. I can't see a way of voting for this bug.
Comment 7 Stuart 2015-05-18 10:11:52 UTC
In case anyone has this problem with a REST server and is looking for a workaround, install Nginx on your local machine, and use the following configuration.

server {
    listen 127.0.0.1:88;
    server_name localhost;

    ssl_certificate /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;

    location / {
        # proxy to the original site
        proxy_pass https://api.myrestserver.com;  # <--- CHANGE THIS

        # prevents gzip compression, which cannot be processed by
        # HttpSubModule
        proxy_set_header Accept-Encoding '';
    }
}

Then in your mono application, send your requests to http://localhost:88
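
A hardened variant of the workaround above, added here as an example and not part of the original comment: nginx does not verify the upstream certificate on an https proxy_pass unless proxy_ssl_verify is switched on, so the proxy-to-server hop is otherwise unauthenticated. api.myrestserver.com is the placeholder from the comment, and the CA bundle path assumes a Debian/Ubuntu layout.

```nginx
# Added example, not part of the original comment.
# Assumptions: api.myrestserver.com is the placeholder upstream from the
# comment; the CA bundle path is the Debian/Ubuntu default.
server {
    # Plain-HTTP listener bound to loopback only, as in the workaround:
    # the hop from the Mono application to nginx is unencrypted, so it
    # must never be bound to a routable address.
    # The ssl_certificate lines from the workaround are left out because
    # this listener does not terminate TLS.
    listen 127.0.0.1:88;
    server_name localhost;

    location / {
        proxy_pass https://api.myrestserver.com;

        # Send SNI to the upstream.
        proxy_ssl_server_name on;
        # Name used for SNI and for the certificate check
        # (defaults to the proxy_pass host; stated explicitly here).
        proxy_ssl_name api.myrestserver.com;

        # Off by default: without these, nginx accepts any upstream certificate.
        proxy_ssl_verify on;
        # Allow for an intermediate CA in the chain.
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_set_header Accept-Encoding '';
    }
}
```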
Comment 8 mauro 2015-05-27 09:10:17 UTC
Same issue for me against https://euapi.xtify.com.

Thank you very much for the workaround.
Any idea about the timing for Mono to support these new key agreements?
Comment 9 Nuno Henrique 2015-06-03 10:37:48 UTC
Any news here? It's happening for me on iOS since last update (http://developer.xamarin.com/releases/ios/xamarin.ios_8/xamarin.ios_8.10/#1)
Comment 10 Peter Hultqvist 2015-07-12 08:08:39 UTC
I've got this problem after I successfully configured the nginx server to get A+ on https://www.ssllabs.com/.

So I tried to connect to a few other sites with the same grade and I got the same connection errors there.
Comment 11 Yann ROBIN 2015-07-28 10:31:15 UTC
Same here on iOS, this is a huge issue!
Comment 12 João Parreira 2015-08-18 12:46:24 UTC
Any news on this? iOS9 will only accept ECDHE ciphers. Check out the pre-release tech note at https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
Comment 13 Miguel de Icaza [MSFT] 2015-08-18 15:02:31 UTC
Joao,

The tech note that you posted means that NSUrlSession/NSUrlConnection (and by extension ModernHttpClient) by default will require those parameters, but you can opt out of that behavior for scenarios where your servers cannot be upgraded (see the "Exceptions" section).

HttpWebRequest is a different stack, purely managed, which does not enforce those settings and has a different set of cyphers.

In general, for iOS users that want to have a more secure connection and pass things like the SSLLabs.com test, you must switch from HttpWebRequest to using HttpClient with either the CFNetworkHandler [1], or with the third party ModernHttpClient [2] (which uses NSUrlSession and has plenty of extra features and which we are also working into integrating out of the box on Xamarin.iOS).

While we are working on adding support for HttpWebRequest for TLS 1.2, this won't be ready for some time.   This bug is about adding TLS 1.2 support to HttpWebRequest.

[1] http://tirania.org/monomac//archive/2013/Jun.html
[2] https://github.com/paulcbetts/ModernHttpClient
Comment 14 Florian Haider 2016-01-08 11:47:35 UTC
Is there any news on this?
We also have this issue now because our servers are secured by Cloudflare, which only issues ECDHE certificates.
Comment 15 Ali Özgür 2016-01-09 19:15:02 UTC
Same here for iOS. We cannot get a response from https://qa.moodle.net with the HttpWebRequest class.
Comment 16 Manish Kungwani 2016-01-28 03:01:40 UTC
Workaround:

I was able to work around this issue by using ModernHttpClient, which internally uses NSUrlSession.

That is the way to go, until this is fixed in Mono.
Comment 17 Florian Haider 2016-01-28 13:37:19 UTC
@Manish Kungwani:

Can you post some code on how you got this to work?

I was testing this library and replaced "new HttpClient()" with "new HttpClient(new NativeMessageHandler())" like it says in their documentation, and left everything else the same.

But this error is still there, I tested it on Xamarin Android and iOS.
Comment 18 Miguel de Icaza [MSFT] 2016-01-28 14:24:12 UTC
@Florian then your error is something else, because at that point, you are using a different network stack.
Comment 19 Florian Haider 2016-01-28 17:46:37 UTC
@Miguel:
Thank you, you are right I got this working now (it was a stupid mistake).

Anyway, so using ModernHttpClient is the way to go now to work around this issue.
Comment 20 Lars Düwel 2016-02-08 07:24:14 UTC
Hi Florian,

can you give an example on how you made it work or what your mistake was? I'm using new HttpClient(new NativeMessageHandler()) as well. But the error is still there.
Comment 21 Florian Haider 2016-02-09 09:19:45 UTC
@Lars:
We simply missed one HttpClient call in our app's PCL project :-)
Comment 22 Fernando Mano 2016-03-12 17:23:43 UTC
@Florian:

Could you please post a code snippet of your solution? I'm also dealing with a Cloudflare certificate and couldn't yet make it work on my side.

Thanks a lot
Comment 23 Florian Haider 2016-03-14 07:53:35 UTC
@Fernando:
We currently use something like this for getting JSON data from our server:

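using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using ModernHttpClient; // provides NativeMessageHandler

public async Task<string> GetJSON(string url)
{
	// NativeMessageHandler (ModernHttpClient) uses the platform's native HTTP stack
	// instead of Mono's managed TLS implementation
	using (var client = new HttpClient(new NativeMessageHandler()))
	{
		client.BaseAddress = new System.Uri("https://your.server.com");
		client.DefaultRequestHeaders.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));

		var request = new HttpRequestMessage(HttpMethod.Get, url);
		var response = await client.SendAsync(request).ConfigureAwait(false);
		var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false);

		// System.Net.Http.HttpRequestException takes a message string,
		// so the status code and body are folded into the message
		if (response.StatusCode != HttpStatusCode.OK)
			throw new HttpRequestException(string.Format("{0}: {1}", response.StatusCode, json));

		return json;
	}
}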
Comment 24 Florian Haider 2016-03-15 15:08:30 UTC
One more thing, because we just recently had this issue: if you are using ModernHttpClient in your PCL project only, you still have to add the Nuget package to your iOS and Android projects as well, otherwise it will not work and this error will show up again.
Comment 25 Ruberoid 2016-05-08 15:35:42 UTC
Hey there guys 'n girls.

Any update on this issue?
Comment 26 Rob 2016-06-01 17:39:17 UTC
Based on the digging I have done, it seems that ultimately our fate lies in the hands of the maintainer of this repo: https://github.com/mono/mono-tls
Comment 27 Miguel de Icaza [MSFT] 2016-06-01 18:40:38 UTC
That repo is a bit old.

While that contains a full TLS 1.2 implementation in managed code, we do not feel that we can effectively vet it for security, nor that we have the necessary cryptographic or protocol knowledge on the team to ensure that it is not exploitable.

So we have taken a different approach, and we are bringing BoringTLS as our TLS implementation that will power the underlying stack.

We are working around the clock to get it deployed.
Comment 28 Rob 2016-06-01 18:42:51 UTC
That sounds great, thank you for your efforts, and your reply.  This issue is a major hurdle in our migration of backend services to c#/mono on Ubuntu.
Comment 29 Simon Walker 2016-06-10 00:47:03 UTC
Given how prevalent ECDH ciphers are becoming, this is becoming more and more of an issue - especially as CloudFlare (which provides SSL for free) only supports ECDH now, making anything with CloudFlare SSL completely inaccessible to non-ECDH tools (everything Mono).

With that in mind, is there any update on the timescales or roadmap for this being resolved?
Comment 30 Rob 2016-06-10 00:51:22 UTC
Yeah, I hate to be a nag, but we currently have production ready services that are stuck in staging because of this issue.  We can't connect to many of our 3rd party REST APIs with Mono because they are using Cloudflare SSL.
Comment 31 Simon Walker 2016-06-10 00:55:34 UTC
(...and I just noticed that I was reading the timestamps from the last comment as 6th of Jan, not 1st June, so sorry for the probably unnecessary nag from my side Miguel!)
Comment 32 Rob 2016-07-06 22:06:04 UTC
Miguel, any update on the progress of this issue?  Is there any known workaround for mono to force the completion of a https web request if we don't need to trust the content or server that we're requesting?
Comment 33 Guerry Semones 2016-08-09 14:35:49 UTC
We are also interested in progress here. The mentioned workarounds will not work for us. We likely need something similar to what Rob mentioned in the comment prior to this one. Currently, this is a blocking issue for us.
Comment 34 Rob 2016-08-09 14:42:47 UTC
For what it's worth, I finally was able to move forward with our project by using CurlSharp.  https://github.com/masroore/CurlSharp

This requires you to have libcurl packaged with your application in the bin directory on Windows (https://curl.haxx.se/download.html), or libcurl installed on Linux.  The package I got to work for Ubuntu was libcurl4-gnutls-dev.
Comment 35 Brendan Zagaeski (Xamarin Support) 2016-10-21 17:21:03 UTC
*** Bug 44615 has been marked as a duplicate of this bug. ***
Comment 36 robyn_dessoy 2016-11-03 15:06:13 UTC
Any further news on this bug? We're also having trouble connecting to https with REST calls.
Comment 37 Jan Tourlamain 2016-12-20 15:13:58 UTC
Any update on this bug? I can't work with ModernHttpClient as it doesn't support certificate pinning as stated in OWASP.
Comment 38 Brendan Zagaeski (Xamarin Support) 2016-12-20 19:26:35 UTC
Here is some recent news on the work to bring BoringSSL into Mono.  The short version is that the Alpha updater channel [1] now includes preview versions of this new feature that adds support for TLS 1.2 and Elliptic curve Diffie–Hellman key agreement.

- http://www.mono-project.com/docs/about-mono/releases/4.8.0/#tls-12-support

- http://tirania.org/blog/archive/2016/Sep-30.html

- On Xamarin.Android, this feature is controlled by a new "SSL/TLS implementation" setting in the project properties.



[1] https://developer.xamarin.com/recipes/cross-platform/ide/change_updates_channel/
