Rebex TLS

TLS library for modern and legacy platforms

TLS client for new and old platforms

Rebex TLS supports a wide range of modern and legacy .NET platforms. These include:

  • .NET 8 and .NET 7 on Windows, Linux, macOS, Android, iOS/tvOS
  • .NET 6 and .NET 5 on Windows, Linux, macOS
  • .NET Framework 4.8.1 on Windows 10 or higher
  • .NET Framework 4.5-4.8 on Windows 7 SP1 or higher
  • .NET Framework 2.0/3.5/4.0 on Windows XP SP3 or higher
  • .NET Core 3.0/3.1 on Windows, Windows IoT, Linux and macOS
  • .NET Core 2.0/2.1/2.2 on Windows, Linux and macOS
  • .NET Compact Framework 3.5/3.9 on Windows CE 5.0 or higher
  • Xamarin.Android 10.1 or higher
  • Xamarin.iOS 13.10 or higher

Please note that Rebex TLS for .NET Compact Framework 3.5/3.9 is available as a separate product.

TLS 1.3 for all mainstream platforms 

Rebex TLS makes it possible to use TLS 1.3 on all mainstream .NET platforms including .NET 2.0-4.8 on Windows 7 (or Windows XP SP3 with plugins).

The following TLS 1.3 ciphers are supported:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

See the list of supported TLS 1.3 ciphers for more information.

TLS 1.2, 1.1 and 1.0 for all platforms 

Unlike .NET's SslStream class, Rebex TLS makes it possible to use TLS 1.2, TLS 1.1 and TLS 1.0 on all supported .NET platforms.

X.509 certificates signed with SHA-2 for all platforms 

As of 2020, use of the SHA-1 hash algorithm in X.509 certificates has been almost entirely deprecated: major browsers and operating systems no longer accept server or user certificates with signatures based on SHA-1 hashes, and trusted certification authorities no longer issue such certificates. This means that TLS clients that lack SHA-2 support no longer work.

Rebex TLS solves this problem and makes it possible to use certificates signed using SHA-2 on legacy platforms.

TLS 1.2 ciphers with SHA-2 for all platforms 

Rebex TLS offers the following TLS ciphers utilizing SHA-2 hash algorithms on all supported platforms:

  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256*
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256*
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384*
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256*
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384*
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256*
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_256_CBC_SHA256
  • TLS_DH_anon_WITH_AES_128_CBC_SHA256

* Ciphers based on ECDHE or ECDSA need an external plugin on some legacy platforms.

In addition to these ciphers, we support a number of legacy ciphers utilizing SHA-1 or even MD5 hash algorithms. Most of them are disabled by default. However, because we have SHA-2 support, there is seldom any reason to use them.

Server Name Indication (SNI) extension 

Rebex TLS supports Server Name Indication (SNI) on all platforms. SNI is a TLS protocol extension that specifies a way for TLS/SSL clients to indicate to servers which site they are connecting to, which makes it possible to run multiple virtual HTTPS-secured websites on a single IP address.

Support for this is ubiquitous nowadays - unless you use a legacy HTTPS implementation on platforms such as .NET Compact Framework 3.5. In that case, Rebex TLS is the solution.

Renegotiation Indication Extension 

Renegotiation Indication Extension (RFC 5746) fixes a vulnerability in the TLS/SSL protocol that makes it possible for an attacker to hijack TLS/SSL connections during renegotiation in some scenarios.

Elliptic Curve Cryptography 

Elliptic Curve Cryptography (ECC) is an attractive alternative to classic public-key algorithms based on modular exponentiation. Compared to algorithms such as RSA, DSA or Diffie-Hellman, elliptic curve cryptography offers equivalent security with smaller key sizes.

Rebex TLS supports the following elliptic curve TLS ciphers:

  • ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE_RSA_WITH_AES_256_CBC_SHA
  • ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • ECDHE_RSA_WITH_RC4_128_SHA
  • ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • ECDHE_ECDSA_WITH_RC4_128_SHA

And the following curves:

  • NIST P-256 curve
  • NIST P-384 curve
  • NIST P-521 curve
  • Brainpool P-256 R1 curve
  • Brainpool P-384 R1 curve
  • Brainpool P-512 R1 curve
  • Curve 25519

Important: These curves may require a plugin on some platforms. See the following KB article for details: Elliptic Curve Cryptography support in Rebex SSH and Rebex TLS/SSL.
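The TLS 1.2 and elliptic curve cipher lists above mix AEAD suites with anonymous, RC4, 3DES, CBC and SHA-1 ones, so an allow-list built from them needs a review. The following is an added example, not Rebex code and independent of the Rebex API: a Python check that parses suite names as written on this page (with or without the `TLS_` prefix) and grades them. The `ok`/`legacy`/`reject` policy is an assumption chosen for illustration.

```python
import re

# Constructed sample: names copied from the cipher lists on this page.
SAMPLE = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA256",
    "ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "ECDHE_ECDSA_WITH_RC4_128_SHA",
]

# [TLS_][<key exchange>_WITH_]<cipher>_<hash>; TLS 1.3 names have no key exchange part.
SUITE_RE = re.compile(
    r"^(?:TLS_)?(?:(?P<kx>.+?)_WITH_)?(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")

def audit(name):
    """Return (verdict, findings) for one cipher suite name."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError("unrecognised suite name: " + name)
    kx, cipher, digest = m.group("kx", "cipher", "hash")
    reject, legacy = [], []
    if kx is not None:
        parts = kx.split("_")          # e.g. ["ECDHE", "RSA"] or ["DH", "anon"]
        if parts[-1] == "anon":
            reject.append("anonymous key exchange: server is not authenticated")
        if parts[0] == "RSA":
            legacy.append("static RSA key exchange: no forward secrecy")
    if cipher.startswith("RC4"):
        reject.append("RC4 stream cipher (prohibited by RFC 7465)")
    if cipher.startswith("3DES"):
        reject.append("3DES: 64-bit block cipher")
    if cipher.endswith("CBC"):
        legacy.append("CBC mode rather than AEAD")
    if digest == "MD5":
        reject.append("MD5-based record MAC")
    elif digest == "SHA":
        legacy.append("SHA-1-based record MAC")
    verdict = "reject" if reject else "legacy" if legacy else "ok"
    return verdict, reject + legacy

if __name__ == "__main__":
    for suite in SAMPLE:
        verdict, findings = audit(suite)
        print(f"{verdict:7}{suite}" + ("  <- " + "; ".join(findings) if findings else ""))
```

In GCM and ChaCha20-Poly1305 suites the trailing hash names the PRF/HKDF hash rather than a record MAC, which is why only a bare `SHA` or `MD5` suffix is flagged.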