Mono TLS1.2 issues - btls-cert-sync “command not f

2019-07-19 07:38发布

Summary:

My company uses TargetProcess (TP) to track progress on open projects and we've created a relatively small bit of code that imports updates to TargetProcess. Currently upon build submission, we spin up a debian docker image, with Mono pre-installed, and it runs our small .NET(C#) program to connect our updates to TP.

Repro:

It appears TP recently updated their API to only accept TLS1.2 connections, so we had to create a new docker image with Mono 4.8, the Alpha channel, on it (per this article). The program still doesn't work out of the box with this new Mono installation on a docker image so we took a few steps: (following the prompting from Mono's Security FAQ)

// Made sure that the most current version ca-certificates-mono is installed
// and it seems to have been installed upon installation of mono 4.8
apt-get install ca-certificates-mono

// This should be an unnecessary step from what I read, but ran anyway 
cert-sync /etc/ssl/certs/ca-certificates.crt

// lastly btls-cert-sync command, but can't seem to get it to not return
// "command not found" no matter wher I try running it
btls-cert-sync

Testing:

There seems to be a really helpful thread on how to test if your certs are formatted correctly. After running this test command in my docker image, I'm still seeing the failure message below.

MONO_TLS_PROVIDER=btls csharp -e 'Console.WriteLine (new System.Net.WebClient ().DownloadString ("https://www.howsmyssl.com/").IndexOf ("1.2"))'

// error message
System.Net.WebException: Error: TrustFailure (Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED) ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSLroutines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

Any help or advice to get our instance of mono to accept TLS1.2 connections would be awesome.

2条回答
爱情/是我丢掉的垃圾
2楼-- · 2019-07-19 08:12

btls-cert-sync is a shell script for btls-cert-sync.exe

Find btls-cert-sync.exe, normally installed in 4.8.0/lib/mono/4.8 and run it with mono:

mono btls-cert-sync.exe
查看更多
贪生不怕死
3楼-- · 2019-07-19 08:19

As of mono 4.8 beta 3, btls-cert-sync seems to have been merged into cert-sync.

Do make sure that you have an up-to-date version of cert-sync as it is possible to get old versions of cert-sync still installed even if you have updated mono because the ca-certificates-mono package has not been updated (Linux).

If you look at the cert-sync output you will see

Mono Certificate Store Sync - version 4.8.0.0
...
Importing into legacy system store:
...
Importing into BTLS system store:
...
查看更多
登录 后发表回答