Release notes for Rebex EWS for .NET

Released
June252026

8.0.9673 #

(build 9673 from 2026-06-25)

First 8.0.* release!

This is the first release of the 8.0.* series. The 7.0.x series will be supported until June 2027.

ML-KEM support in TLS

Rebex TLS library adds support for post-quantum ML-KEM key encapsulation algorithm, as part of the following hybrid key agreement ciphers: X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM102. (ML-KEM is supported out-of-box on PQC-enabled Windows with .NET 3.5 or higher. On other platforms, a PQC plugin is needed.)

ML-DSA support in TLS

Rebex TLS library also adds support for post-quantum ML-DSA signature algorithm. This is currently 'experimental', because the protocols have not been finalized yet. However, Rebex libraries with ML-DSA are already perfectly suitable for real-world testing, and are compatible with third-party clients and servers, such as mldsa.digicert.com. (ML-DSA is supported out-of-box on PQC-enabled Windows with .NET 3.5 or higher, or on up-to-date Linux with .NET 10. On other platforms, a PQC plugin is needed.)

Client-side OCSP stapling in TLS

OCSP stapling improves the performance and privacy of certificate revocation checking by allowing the server to send a signed OCSP response during the TLS handshake, eliminating the need for the client to contact the certificate authority directly

Brainpool curve support in TLS

This version adds support for named groups and signature schemes based on Brainpool elliptic curves to TLS 1.3 (RFC 8734). (Brainpool curves have already been supported in TLS 1.2.)

ML-DSA, ECDSA and Ed25519 in S/MIME

MailMessage and MimeMessage API now support the post-quantum ML-DSA signature algoritm, along with elliptic-curve DSA and Edwards curve 25519. (ML-DSA is supported out-of-box on PQC-enabled Windows with .NET 3.5 or higher, or on up-to-date Linux with .NET 10. On other platforms, a PQC plugin is needed.)

AES/GCM and ChaCha20/Poly1305 in S/MIME

MailMessage and MimeMessage API support AES/GCM and ChaCha20/Poly1305 symmetric encryption algorithms.

FIPS 140-3 mode and cryptography updates

Instead of FIPS 140-2, the UseFipsAlgorithmsOnly setting now enables 'FIPS 140-3 mode', which limits usage of cryptographic algorithms, and forces usage of cryptographic modules to those provided by .NET or the operating system.

We also migrated from the legacy CryptoAPI to the new Windows CNG API. Certificate.LoadPfx, CertificateChain.LoadPfx and Certificate.Associate methods now prefer CNG key stores by default instead of legcy CryptoAPI key stores.

Asynchronous HTTP client core

Rebex HTTP, Graph, EWS and WebSocket feature a new HTTP client core that has been upgraded to fully asynchronous mode, making it less thread-hungry and more scalable.

Fixed collection APIs for Linq

Updated collection APIs to make them compatible with Linq enumeration.

API updates, changes and deprecations

Version 8.0 of Rebex libraries introduces some breaking changes, either due to abandoning long-deprecating APIs, for security reasons, or to fix compatibility with third-party tools. Before upgrading, check out Version 8.0 Upgrade Guide for details!

Legacy Edition for old .NET platforms available again

Due to enduring demand, we are bringing back the Legacy Edition once more, targeting .NET Framework 2.0, .NET Compact Framework 3.5, and .NET Compact Framework 3.9. This makes it possible to target systems as old as Windows 2000 or Windows Mobile 5, provided they have sufficient operating memory.

The Legacy Edition 8.0 introduces lot of major new features from versions 6, 7, and 8, such as TLS 1.3 support (might require an external plugin on very old platforms). However, it lacks some of the more recent additions such as ML-KEM and ML-DSA support, or server-side FTP support. If you need any of these, let us know.

The 8.0 series will be the last to target .NET Framework 2.0 and .NET Compact Framework, and the Legacy Edition will only be available while demand in these legacy platforms lasts. If you plan to use Rebex libraries on these platforms in 2028 and beyond, get in touch with us to discuss long-term support and maintenance options.

Alternatively, Legacy Edition 8.0 is a great starting point towards migrating from .NET CF on Windows CE to .NET 10 on Windows IoT or Linux.

Detailed list of changes:

  • MIME: Added experimental support for ML-DSA in S/MIME.
  • MIME: Added support for ECDSA and Ed25519 signatures to S/MIME.
  • MIME: Added support for S/MIME with AES/GCM AEAD encryption (RFC 5084).
  • MIME: Added support for S/MIME with ChaCha20/Poly1305 AEAD encryption (RFC 8103).
  • MIME: MIME parameters order is preserved when loading and saving a message.
  • MIME: Updated collection APIs to make them compatible with Linq enumeration.
  • MIME: Using AES/CBC by default for S/MIME encrypted content instead of 3DES.
  • MIME: Using SHA-256 by default for S/MIME instead of SHA-1.
  • SMTP: Removed obsolete APIs that have been deprecated a long time ago.
  • EWS: Upgraded HTTP client core.
  • SSH: Added experimental support for ML-DSA key algorithms.
  • SSH: Added SshPublicKey.Subject property to access rarely-used property of RFC 4716 SSH2 public keys.
  • SSH: Added support for long modular Diffie-Hellman key exchange ciphers (diffie-hellman-group17-sha512 and diffie-hellman-group18-sha512).
  • SSH: Added support for ML-KEM post-quantum key agreement schemes.
  • SSH: Allowed flag properties in SshParameters to be set to zero.
  • SSH: Disallowed ECDH key exchange with unsuitable CNG providers on end-of-life versions of Windows.
  • SSH: Fixed a potential infinite loop during SSH public key authentication when no suitable key could be selected.
  • SSH: Improved parsing of "SSH2 PUBLIC KEY" (RFC 4716) files.
  • SSH: Improved reason handling in SshException.
  • SSH: Improved SSH_MSG_DISCONNECT logic.
  • SSH: Updated default SSH cipher order of preference.
  • TLS Core: Added experimental support for ML-DSA certificates.
  • TLS Core: Added post-quantum hybrid ECDHE-MLKEM key agreements to TLS 1.3: X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024.
  • TLS Core: Added support for long modular Diffie-Hellman key exchange ciphers (ffdhe6144 and ffdhe8192) to TLS 1.3.
  • TLS Core: Added support for named groups and signature schemes based on Brainpool elliptic curves to TLS 1.3 (RFC 8734).
  • TLS Core: Added support for OCSP stapling to client-side TLS.
  • TLS Core: Enabled support for Extended Master Secret (RFC 7627) on more legacy platforms.
  • TLS Core: Hardened TLS 1.2 state machine.
  • TLS Core: Improved exception message when a received TLS 1.3 extension is invalid.
  • TLS Core: Improved TLS cipher info logging.
  • TLS Core: Improved TLS error reporting for improperly configured TlsSocket.
  • TLS Core: Prevented possible internal ObjectDisposedException in TLS 1.3 when TlsSocket is disposed and a negotiation is still in progress.
  • TLS Core: Prevented possible internal ObjectDisposedException in TLS 1.3 when TlsSocket is disposed while a Send operation is in progress.
  • TLS Core: Updated default TLS settings (TlsCipherSuite, TlsVersion, TlsParameters).
  • Cryptography: Added CertificateInfo.IsCA property. Better handling of CertificateInfo.Usage = 0.
  • Cryptography: Added DiffieHellman.GetKeyMaterialDeriver method.
  • Cryptography: Added Ed25519 support to SignedData.
  • Cryptography: Added new OAEP-capable overloads of Encrypt/Decrypt methods to Certificate class
  • Cryptography: Added PublicKeyInfo.GetECParameters() method (only for .NET 10/9/8/7/6/5 or .NET Standard 2.0/2.1).
  • Cryptography: Added support for ML-DSA in X.509 APIs (RFC 9881).
  • Cryptography: Added support for ML-DSA to AsymmetricKeyAlgorithm class.
  • Cryptography: Delegated server name validation to current CertificateEngine.
  • Cryptography: Deprecated DiffieHellmanCryptoServiceProvider, added DiffieHellman.Create as a replacement.
  • Cryptography: Deprecated RSACryptoServiceProvider in favor of RSA.Create where appropriate.
  • Cryptography: Improved Diffie-Hellman infrastructure.
  • Cryptography: Improved handling of X.509 certificate chains with Ed25519 key algorithm.
  • Cryptography: No longer prefering legacy stores when binding RSA keys using Certificate.Associate.
  • Cryptography: Performance improvements in modular Diffie-Hellman.
  • Cryptography: Updated Certificate constructor to only accept X.509 format.
  • Cryptography: Updated CertificateChain.LoadDer() to use current CertificateEngine.
  • Cryptography: Updated FIPS-only mode according to FIPS 140-3.
  • Cryptography: Using AES instead of 3DES when saving PFX on FIPS-only Windows system.
  • Cryptography: Using AES/CBC by default for EnvelopedData encryption instead of 3DES.
  • Cryptography: Using HMAC/SHA-256 instead of HMAC/SHA-1 in PBKDF2.
  • Cryptography: Using 'PreferCng' option by default in Certificate.LoadPfx and CertificateChain.LoadPfx.
  • Cryptography: Using SHA-256 instead of SHA-1 by default in cryptographic APIs: SignedData, EnvelopedData, or AsymmetricKeyAlgorithm.
  • Common: Added FileSet.ToJson() method.
  • Common: Added stream-based overloads of LocalItem.GetChecksum method.
  • Common: Enabled [Serializable] attribute on .NET Standard 2.0/2.1 binaries.
Released
June012026

7.0.9649 #

(build 9649 from 2026-06-01)

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

  • SSH: Clearing raw SSH_MSG_USERAUTH_REQUEST contents as soon as encrypted.
  • SSH: Improved compatibility of 'SSH2 PUBLIC KEY' file loader.
  • SSH: Rejecting non-standard public key formats during SSH negotiation.
  • Cryptography: Added workaround for uncommon RSA keys with very long exponents.
  • Cryptography: Fixed .NET 10 detection in .NET Standard binaries.
  • Cryptography: Fixed Base-64 decoding of PEM files in SignedData/EnvelopedData Load method.
  • Cryptography: Fixed detection of AES/GCM support in .NET Standard 2.1 on macOS.
  • Cryptography: Fixed detection of buggy AES CSP in .NET Framework 3.5 on recent Windows.
  • Cryptography: Fixed handling of RSA/PSS with uncommon salt lengths on recent non-Windows .NET platforms.
  • Cryptography: Fixed handling of RSA/SHA-224 for CNG-based private keys.
  • Cryptography: Checking public key during any Diffie-Hellman key exchange.
  • Cryptography: Improved compatibility with Windows CNG keys.
  • Cryptography: Improved private key handling in CNG interop.
  • Cryptography: Using constant-time-compares where appropriate.
Released
March052026

7.0.9561 #

(build 9561 from 2026-03-05)

Maintenance release

This is a maintenance release with fixes and improvements in the shared functionality.

Detailed list of changes:

  • MIME: Fixed ArgumentOutOfRangeException in MimeEntity.SetContent for empty bodies with BOM.
  • SSH: Fixed receive buffer space adjustment logic (client side).
Released
November122025

7.0.9448 #

(build 9448 from 2025-11-12)

Support for .NET 10!

This release adds a new set of binaries targeting .NET 10. It supports the following platforms:

  • Windows (x64, x86, ARM64)
  • Linux (x64, ARM32, ARM64)
  • Android (x64, ARM32, ARM64)
  • macOS (ARM64, x64)
  • iOS/iPadOS/tvOS (ARM64)

Support for Visual Studio 2026

All Rebex libraries are now fully supported in Microsoft Visual Studio 2026.

Detailed list of changes:

  • All: Support for .NET 10.
  • SSH: Fixed error type and message on invalid packet length in EtM cipher packets.
  • Cryptography: Fixed ECDSA support in SignedData.
  • Common: Improved work with internal shared array pool.
Released
September162025

7.0.9391 #

(build 9391 from 2025-09-16)

Maintenance release

This is a just maintenance release with no functional changes.

Detailed list of changes:

  • All: Various documentation improvements.
Released
June302025

7.0.9313 #

(build 9313 from 2025-06-30)

Maintenance release

This is a maintenance release with some enhancements.

Detailed list of changes:

  • Mail: Added IgnoreRedundantAsn1Data option to MailSettings/MimeOptions.
  • Networking: Prevented internal NullReferenceException when socket is closed and IO operation is in progress.
  • TLS Core: Fixed obfuscated type names in debug logs.
  • TLS Core: Fixed rare race condition between TLS 1.3 IO operations and shutdown/dispose logic.
  • Cryptography: Added IgnoreRedundantData option to SignedData and EnvelopedData classes.
  • Cryptography: Fixed NullReferenceException instead of InvalidOperationException in SignerInfo/KeyTransRecipientInfo and SignedData.
Released
March182025

7.0.9209 #

(build 9209 from 2025-03-18)

Maintenance release

This is a maintenance release with several enhancements.

Detailed list of changes:

  • Mail: Added workaround for "multipart/signed" entities misplaced as views.
  • MIME: Fixed behavior of MimeEntity.GetSignatureEntity() method.
  • MIME: Fixed non-persistence of original headers of detached S/MIME signature entities.
  • SSH: Added support for PKCS #1 public RSA key format to SshPublicKey.
  • SSH: Added workaround for misbehaved Socket.Poll in .NET 6 on Linux.
Released
January152025

7.0.9147 #

(build 9147 from 2025-01-15)

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

  • Common: Improved internal APM->TAP bridge for Socket methods on old platforms.
Released
December182024

7.0.9119 #

(build 9119 from 2024-12-18)

Maintenance release

This maintenance release brings several fixes and enhancements.

Detailed list of changes:

  • MIME: Added MailMessage.​Settings.​TreatAdditionalMixedTextPartsAsView option.
  • SSH: Fixed reported error message when SSH channel is closed while a channel request is pending.
  • TLS Core: Better exception handling when TLS 1.3 socket is disposed while negotation is in progress.
Released
November122024

7.0.9083 #

(build 9083 from 2024-11-12)

Support for .NET 9!

This release adds a new set of binaries targeting .NET 9. It supports the following platforms:

  • Windows (x64, x86, ARM64)
  • Linux (x64, ARM32, ARM64)
  • Android (x64, ARM32, ARM64)
  • macOS (ARM64, x64)
  • iOS/iPadOS/tvOS (ARM64)

Detailed list of changes:

  • All: Added binaries targeting .NET 9 on all supported platforms.
  • Cryptography: Added workaround for EnvelopedData with unpadded RSA EncryptedKey.
  • Cryptography: Added workaround for parsing CMS ASN.1 with redundant zeros at the end.
  • Cryptography: Fixed common name validation logic in NativeCertificateEngine and EnhancedCertificateEngine when used stand-alone by custom code.
Released
October082024

7.0.9048 #

(build 9048 from 2024-10-08)

Introducing Rebex EWS

This is the first release of stand-alone Rebex EWS library for .NET.

Rebex EWS library has been available since 2016 as part of Rebex Mail, a package of multiple e-mail libraries.

Detailed list of changes:

  • SMTP: Fixed missing removal of 'Bcc' header with SendWithNoBuffer option in Smtp.Send(Stream input, ...) methods.
  • SSH: Fixed less common variants of multi-factor authentication.
  • SSH: Fixed SshSession.Authenticate(userName, password, privateKey) method that crashed when privateKey was null (since version 7.0).
  • Cryptography: Added ValidationOptions.​DisableCertificateDownloads option (only supported on .NET 5 and higher).
  • Cryptography: Fixed detection of support for ECDH with brainpool curves on iOS.
  • Cryptography: Fixed padding issues in AsymmetricKeyAlgorithm.​GetKeyMaterialDeriver (did not affect Rebex libraries).
  • Cryptography: Fixed wrong RSA public key format when saving private keys in new OpenSSH format.
  • Cryptography: Improved handling of wrong (negative) serial numbers in X.509 certificates.