Bug 16327 - Xamarin.Android (Mono) needs to expose configuration for TLS
Summary: Xamarin.Android (Mono) needs to expose configuration for TLS
Status: RESOLVED FIXED
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security
Version: unspecified
Hardware: PC Windows
Importance: --- enhancement
Target Milestone: Untriaged
Assignee: Sebastien Pouliot
URL:
Depends on:
Blocks:
 
Reported: 2013-11-18 20:18 UTC by Jon Goldberger [MSFT]
Modified: 2014-03-11 11:26 UTC

Tags:
Is this bug a regression?: ---
Last known good build:


Comment 20 Sebastien Pouliot 2014-01-22 20:29:40 UTC
Another desk case pointed out that the order of ciphers is of concern too (for some people). Here's what I'm testing*:

Two Mono-specific public API additions to System.Net.Security.ServicePointManager and a new delegate (System.dll). The model is closely similar to the existing:

    public static RemoteCertificateValidationCallback ServerCertificateValidationCallback;

and could be made stream-specific (instead of global) in the future (if needed). Here's the doc draft...


public static CipherSuitesCallback ClientCipherSuitesCallback { get; set; }

	You can filter and/or re-order the cipher suites that will be sent to the SSL/TLS server by providing your own callback.

	Example: Removing "export" weak ciphers
	
		ServicePointManager.ClientCipherSuitesCallback += (SecurityProtocolType p, IEnumerable<string> allCiphers) => {
			return from cipher in allCiphers where !cipher.Contains ("EXPORT") select cipher;
		};
	
	Note: this mechanism cannot be used to add new ciphers. Undefined ciphers will be ignored.
	
	Note: this API is only available in Mono and Xamarin products


public static CipherSuitesCallback ServerCipherSuitesCallback { get; set; }

	You can filter and/or re-order the cipher suites that the SSL/TLS server will accept from a client. The first match for a supported client cipher suite will be used (so the order is important).

	Example: Use AES128 (preference) or AES256 (allowed) but no other ciphers
	
		ServicePointManager.ServerCipherSuitesCallback += (SecurityProtocolType p, IEnumerable<string> allCiphers) => {
			string prefix = p == SecurityProtocolType.Tls ? "TLS_" : "SSL_";
			return new List<string> { prefix + "RSA_WITH_AES_128_CBC_SHA", prefix + "RSA_WITH_AES_256_CBC_SHA" };
		};

	Note: this mechanism cannot be used to add new ciphers. Undefined ciphers will be ignored.

	Note: this API is only available in Mono and Xamarin products


public delegate IEnumerable<string> CipherSuitesCallback (SecurityProtocolType protocol, IEnumerable<string> allCiphers);

	You can provide your own code to filter/re-order the cipher suites to be used for client and/or server side SSL/TLS support.

	Note: this API is only available in Mono and Xamarin products


* Testing SSL/TLS changes is not very fun so I'm testing a few other changes (i.e. other bug reports) at the same time (to be committed separately).
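An added example (not code from this bug report or from Mono itself) that combines both uses of the callback described above: it drops suites matching a reject list and then puts a preferred list first, so the same function can serve the client or the server hook. The delegate declaration mirrors the one in the doc draft and is re-declared here only so the program compiles stand-alone; the reject and preference lists and the sample cipher names are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

// Assumed: same shape as the delegate proposed in comment 20 (the real one
// ships in Mono's System.dll); re-declared here so the example builds alone.
public delegate IEnumerable<string> CipherSuitesCallback(SecurityProtocolType protocol, IEnumerable<string> allCiphers);

static class CipherPolicy
{
    // Constructed policy: any suite whose name contains one of these is never offered.
    static readonly string[] Rejected = { "EXPORT", "NULL", "DH_anon", "RC4", "MD5" };

    // Constructed preference order (strongest first), without the TLS_/SSL_ prefix.
    static readonly string[] Preferred = { "RSA_WITH_AES_256_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA" };

    // Filter, then order: preferred suites first, then every other surviving suite
    // in the order Mono passed them in. Names Mono does not know are ignored anyway.
    public static IEnumerable<string> Select(SecurityProtocolType protocol, IEnumerable<string> allCiphers)
    {
        string prefix = protocol == SecurityProtocolType.Tls ? "TLS_" : "SSL_";
        var available = allCiphers.Where(c => !Rejected.Any(r => c.Contains(r))).ToList();
        var ordered = Preferred.Select(p => prefix + p).Where(available.Contains).ToList();
        ordered.AddRange(available.Where(c => !ordered.Contains(c)));
        return ordered;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample standing in for the list Mono hands to the callback.
        var sample = new[] {
            "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
            "TLS_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DH_anon_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        };
        foreach (var c in CipherPolicy.Select(SecurityProtocolType.Tls, sample))
            Console.WriteLine(c);
        // On a Mono build with the proposed API, install the policy with:
        // ServicePointManager.ClientCipherSuitesCallback += CipherPolicy.Select;
    }
}
```

With the sample list the program prints the two AES suites in preference order followed by the 3DES suite; the EXPORT, RC4 and anonymous DH entries are dropped.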
Comment 21 Sebastien Pouliot 2014-02-19 08:54:08 UTC
Fixed in mono/master 43fcd744d0b7237fef50c85eca0d62245584aa7d

This will become available in XA and XI products once they ship a version that includes this mono commit.
Comment 22 Sebastien Pouliot 2014-03-11 11:26:16 UTC
Documentation updated in master/5bda991de3189e2b9191b4687902cc6ea48a888a