Making legacy platforms secure

Unlike .NET's HttpWebRequest, Rebex HTTPS makes it possible to use new protocols and algorithms on all supported .NET platforms. This includes:

  • .NET Framework 2.0 or higher on Windows XP SP3 or higher
  • .NET Compact Framework 3.5 and higher on Windows CE 5.0 or higher
  • Xamarin.Android 4 or higher
  • Xamarin.iOS 8.6 or higher

TLS 1.2, 1.1 and 1.0 for all platforms

Unlike .NET's HttpWebRequest, Rebex HTTPS makes it possible to use TLS 1.2, TLS 1.1, TLS 1.0, and even legacy SSL 3.0 on all supported .NET platforms.

Most websites have already disabled support for the outdated SSL 3.0 protocol. Some have also disabled TLS 1.0 and 1.1, and their number will grow in the future. HTTPS clients need to support TLS 1.2 to be able to communicate with those websites.

X509 certificates signed with SHA-2 for all platforms

As of 2017, usage of the SHA-1 hash algorithm in X509 certificates has been mostly deprecated: major browsers and operating systems no longer accept server or user certificates with signatures based on SHA-1 hashes, and trusted certification authorities no longer issue such certificates. This means that HTTPS clients lacking SHA-2 support no longer work.

Rebex HTTPS solves this problem and makes it possible to use certificates signed using SHA-2 on legacy platforms.

TLS/SSL ciphers with SHA-2 for all platforms

Rebex HTTPS offers the following TLS ciphers utilizing message authentication codes based on SHA-2 hash algorithms on all supported platforms:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_128_CBC_SHA256

In addition to these ciphers, we support a number of legacy ciphers utilizing SHA-1 or even MD5 hash algorithms. However, because we have SHA-2 support, there is seldom any reason to use them.
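The following is an added example, not code from the Rebex page or product documentation. It shows how the two points above (TLS 1.2 support and SHA-2 cipher suites) translate into a client configuration: the request creator is restricted to TLS 1.2 only and to a subset of the SHA-2 suites listed above, leaving out the SHA-1/MD5 legacy suites and the DH_anon suites (which do not authenticate the server at all). It assumes the `HttpRequestCreator`, `TlsVersion` and `TlsCipherSuite` types from the `Rebex.Net` namespace; the individual `TlsCipherSuite` member names are assumed to mirror the suite names above without the `TLS_` prefix, and the target URL is a placeholder.

```csharp
using System;
using System.IO;
using System.Net;
using Rebex.Net;

// Added example: a Rebex HTTPS client pinned to TLS 1.2 and SHA-2 cipher suites.
// Type names below are assumptions about the Rebex.Net API, not copied from the page.
class HardenedHttpsClient
{
    static void Main()
    {
        var creator = new HttpRequestCreator();

        // Allow TLS 1.2 only. SSL 3.0, TLS 1.0 and TLS 1.1 are refused even when the
        // server still offers them, so a downgrade cannot be negotiated.
        creator.Settings.SslAllowedVersions = TlsVersion.TLS12;

        // Allow only suites whose MAC is based on SHA-2 and whose key exchange gives
        // forward secrecy. The SHA-1/MD5 legacy suites and the DH_anon suites
        // (no server authentication) are deliberately not in this set.
        // (Member names are assumed; the library also ships preset groups such as
        // TlsCipherSuite.Secure if individual selection is not needed.)
        creator.Settings.SslAllowedSuites =
            TlsCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
            TlsCipherSuite.ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
            TlsCipherSuite.DHE_RSA_WITH_AES_256_CBC_SHA256 |
            TlsCipherSuite.DHE_RSA_WITH_AES_128_CBC_SHA256;

        // Route "https://" URLs through Rebex instead of .NET's HttpWebRequest.
        creator.Register();

        // Placeholder URL; replace with the site you actually need to reach.
        WebRequest request = WebRequest.Create("https://example.invalid/");

        try
        {
            using (WebResponse response = request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine(reader.ReadToEnd());
            }
        }
        catch (WebException ex)
        {
            // A server that only offers SSL 3.0/TLS 1.0 or SHA-1 suites fails here
            // instead of silently negotiating a weaker connection.
            Console.Error.WriteLine("HTTPS request failed: " + ex.Message);
        }
    }
}
```

The handshake failure path is the point of the configuration: with the allowed versions and suites narrowed, a server that cannot meet the policy produces an error you can log and alert on, rather than a connection protected by SHA-1 or by an anonymous key exchange.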

Server Name Indication (SNI) extension

Rebex HTTPS supports Server Name Indication (SNI) on all platforms. SNI is a TLS protocol extension that specifies a way for TLS/SSL clients to indicate to servers which site they are connecting to, which makes it possible to run multiple virtual HTTPS-secured websites on a single IP address.

Support for this is ubiquitous nowadays - unless you use a legacy HTTPS implementation on platforms such as .NET Compact Framework 3.5. In that case, Rebex HTTPS is the solution.

Renegotiation Indication Extension

Renegotiation Indication Extension (RFC 5746) fixes a vulnerability in the TLS/SSL protocol that makes it possible for an attacker to hijack TLS/SSL connections during renegotiation in some scenarios.

Elliptic Curve Cryptography

Elliptic Curve Cryptography (ECC) is an attractive alternative to classic public-key algorithms based on modular exponentiation. Compared to algorithms such as RSA, DSA or Diffie-Hellman, elliptic curve cryptography offers equivalent security with smaller key sizes.

Rebex HTTPS supports the following elliptic curve TLS ciphers:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA

And the following curves:

  • NIST P-256 curve
  • NIST P-384 curve
  • NIST P-521 curve
  • Brainpool P-256 R1 curve
  • Brainpool P-384 R1 curve
  • Brainpool P-512 R1 curve
  • Curve 25519

Important: These curves may require a plugin on some platforms. See the following KB article for details: Elliptic Curve Cryptography support in Rebex SSH and Rebex TLS/SSL.