Summary:
My company uses TargetProcess (TP) to track progress on open projects and we've created a relatively small bit of code that imports updates to TargetProcess. Currently upon build submission, we spin up a debian docker image, with Mono pre-installed, and it runs our small .NET(C#) program to connect our updates to TP.
Repro:
It appears TP recently updated their API to only accept TLS1.2 connections, so we had to create a new docker image with Mono 4.8, the Alpha channel, on it (per this article). The program still doesn't work out of the box with this new Mono installation on a docker image so we took a few steps: (following the prompting from Mono's Security FAQ)
// Made sure that the most current version ca-certificates-mono is installed
// and it seems to have been installed upon installation of mono 4.8
apt-get install ca-certificates-mono
// This should be an unnecessary step from what I read, but ran anyway
cert-sync /etc/ssl/certs/ca-certificates.crt
// lastly btls-cert-sync command, but can't seem to get it to not return
// "command not found" no matter wher I try running it
btls-cert-sync
Testing:
There seems to be a really helpful thread on how to test if your certs are formatted correctly. After running this test command in my docker image, I'm still seeing the failure message below.
MONO_TLS_PROVIDER=btls csharp -e 'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").IndexOf ("1.2"))'
// error message
System.Net.WebException: Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED) ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSLroutines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
Any help or advice to get our instance of mono to accept TLS1.2 connections would be awesome.
btls-cert-sync
is a shell script forbtls-cert-sync.exe
Find
btls-cert-sync.exe
, normally installed in4.8.0/lib/mono/4.8
and run it withmono
:As of mono 4.8 beta 3, btls-cert-sync seems to have been merged into cert-sync.
Do make sure that you have an up-to-date version of cert-sync as it is possible to get old versions of cert-sync still installed even if you have updated mono because the ca-certificates-mono package has not been updated (Linux).
If you look at the cert-sync output you will see