Does the Managed Xamarin HttpClient Implementation support TLS 1.2?


Problem description

The official Xamarin documentation for App Transport Layer Security (iOS, Android) states that the managed HttpClient implementation only supports TLS 1.0. It strongly recommends updating Xamarin apps to native HttpClient implementations to support TLS 1.2. Visual Studio states this as well:

However, the documentation is contradictory. When describing the managed HttpClient implementation, it states something like:

It is not fully integrated with the OS (eg. limited to TLS 1.0).

The documentation later has contradicting statements like:

Beginning with Xamarin.Android 8.3, HttpClientHandler defaults to Boring SSL ... It supports TLS 1.2+.

Furthermore, this very helpful Xamarin blog post states that TLS 1.2 is indeed possible with the managed HttpClient implementation by choosing the SSL/TLS option "native TLS 1.2" (which is the default on iOS and cannot be changed on iOS).

Last, but not least, I tested the HttpClient of the current stable Xamarin version¹ against https://www.nist.gov, which only supports TLS 1.2. I verified that the server only accepts TLS 1.2 with:

openssl s_client -connect nist.gov:443 -no_tls1_2

If the managed HttpClient implementation really does only support TLS 1.0, I would expect that the following connection fails:

var client = new HttpClient();
var result = await client.GetStringAsync("https://www.nist.gov");

However, the connection succeeds with the following settings:

  • iOS: HttpClient implementation Managed
  • Android: HttpClient implementation Managed (HttpClientHandler) or Default, and SSL/TLS implementation Native TLS 1.2.

This leads me to the following questions:

  1. Is the Xamarin documentation outdated when stating that the managed HttpClient implementation only supports TLS 1.0?
  2. Is my test against https://www.nist.gov valid? Does it indeed show that the managed HttpClient implementation supports TLS 1.2? Or am I missing something?


¹ Visual Studio 7.5.2 (build 40), Xamarin.iOS 11.12.0.4, Xamarin.Android 8.3.3.2

Solution

If you use the "native" handler (Android or iOS) it is using the native APIs to implement the HttpClientHandler features and thus is "platform dependent" upon whether or not TLS1.2 would be supported, i.e. Android 5/API-21 does not natively support TLS1.2, most Android developers use a 3rd-party lib...

When you enable "native SSL/TLS", it is using Google's BoringSSL (that is now included into your app bundle) and not the native platform APIs. Thus TLS1.2 is supported even with the "Managed" HttpClientHandler. This option allows the ".Net framework/Mono" to support the latest SSL/TLS on iOS & Android, such as .Net Sockets, WebClient, etc., and of course HttpClient.

https://www.nist.gov Test:

Android Handler / Managed SSL    :  No exception
Managed Handler / Native SSL/TLS :  No exception
Android Handler / Native SSL/TLS :  No exception
Managed Handler / Managed SSL    :  Error: SecureChannelFailure 

SecureChannelFailure:

[MonoDroid] UNHANDLED EXCEPTION:
[MonoDroid] System.Net.Http.HttpRequestException: An error occurred while sending the request ---> System.Net.WebException: Error: SecureChannelFailure (The authentication or decryption has failed.) --->
System.IO.IOException: The authentication or decryption has failed. --->
System.IO.IOException: Error while sending TLS Alert (Fatal:InternalError): System.IO.IOException: The authentication or decryption has failed. --->
System.IO.IOException: Unable to read data from the transport connection: Connection reset by peer. ---> 
System.Net.Sockets.SocketException: Connection reset by peer
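
The test above infers TLS 1.2 support from whether a request to a TLS 1.2-only host throws. The following added example (not part of the original question or answer) reads the negotiated version directly from `SslStream`, one handshake per protocol version; the `TlsProbe` class and its method names are hypothetical, and it assumes, as the answer says of .Net Sockets, that `SslStream` goes through the SSL/TLS implementation selected in the project options, so it does not exercise the native Android or iOS handlers.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

// Hypothetical helper, added for illustration.
public static class TlsProbe
{
    // Performs one handshake restricted to `allowed` and returns the protocol
    // that was actually negotiated, or null if the handshake failed.
    public static async Task<SslProtocols?> NegotiateAsync(
        string host, SslProtocols allowed, int port = 443)
    {
        try
        {
            using (var tcp = new TcpClient())
            {
                await tcp.ConnectAsync(host, port);
                using (var ssl = new SslStream(tcp.GetStream(), false))
                {
                    // No client certificate, no revocation check: only the
                    // protocol version is under test here.
                    await ssl.AuthenticateAsClientAsync(host, null, allowed, false);
                    return ssl.SslProtocol;
                }
            }
        }
        catch (Exception ex) when (ex is AuthenticationException
                                   || ex is IOException
                                   || ex is SocketException)
        {
            // A TLS 1.2-only server rejects lower versions, typically with an
            // alert or a reset like the SecureChannelFailure trace above.
            return null;
        }
    }

    // Prints one line per protocol version for the given host.
    public static async Task ReportAsync(string host)
    {
        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            var got = await NegotiateAsync(host, p);
            Console.WriteLine($"{p,-6} -> {(got.HasValue ? got.ToString() : "handshake failed")}");
        }
    }
}
```

Calling `await TlsProbe.ReportAsync("www.nist.gov")` once per SSL/TLS implementation setting shows which versions that provider can negotiate, independent of the HttpClient handler choice.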
