Easy-to-use TLS API
Simple Socket-like API
    Rebex TLS features TlsClientSocket and TlsServerSocket classes.
    Their API resembles .NET's System.Net.Sockets.Socket class, but with TLS-related features:
// create an instance of TLS client socket
var socket = new TlsClientSocket();
// connect to a server
socket.Connect("test.rebex.net", 990);
// negotiate a secure TLS session
socket.Negotiate();
// send data
byte[] request = new byte[] { 0x46, 0x45, 0x41, 0x54, 0x0D, 0x0A };
int bytesSent = socket.Send(request);
// receive data
byte[] response = new byte[1024];
int bytesRead = socket.Receive(response);
// ...
// close the socket
socket.Close();
string, the Send/Receive methods support a byte array type (byte[]).
    The Receive method also supports the object type, returning either a string or a byte array, depending
    on the message type received from the server.
TlsClientSocket/TlsServerSocket also support a Task-based asynchronous API.
Asynchronous API
Rebex TLS also features a Task-based asynchronous API that has been carefully optimized for high efficiency and scalability:
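// create an instance of TLS client socket
var socket = new TlsClientSocket();
// connect to a server
await socket.ConnectAsync("test.rebex.net", 990);
// negotiate a secure TLS session
await socket.NegotiateAsync();
// send a message
byte[] message = Encoding.UTF8.GetBytes("Hello!");
await socket.SendAsync(new ArraySegment<byte>(message));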
TlsClientSocket also supports a synchronous variant of this API.
Server-side TLS
To implement a TLS server, use the following approach:
- Listen and accept connections using .NET's System.Net.Sockets.Socket API.
- Once you have accepted a connection, convert it to TlsServerSocket.
- Set TlsServerSocket parameters and negotiate a secure TLS session with the TLS client.
- Use TlsServerSocket to communicate with the TLS client.
    The following code demonstrates the steps above in an easy-to-read form, and assumes you only need
    to handle a single connection at a time. In a real-world scenario, you would almost certainly want
    to either start a dedicated thread for each TlsServerSocket as soon as each connection is accepted,
    or (better) use TlsServerSocket's asynchronous API with await/async.
// load server certificate
var cert = CertificateChain.LoadPfx("myserver.pfx", "mypassword");
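// create a listening socket (using System.Net.Sockets.Socket class)
var listener = new Socket(SocketType.Stream, ProtocolType.Tcp);
// bind to a local endpoint before listening (4433 is an example port;
// IPEndPoint and IPAddress are in the System.Net namespace)
listener.Bind(new IPEndPoint(IPAddress.Any, 4433));
listener.Listen(16);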
// accept an incoming connection
Socket plainSocket = listener.Accept();
// create an instance of TLS server socket
var socket = new TlsServerSocket(plainSocket);
// specify server certificate
socket.Parameters.Certificate = cert;
// negotiate a secure TLS session
socket.Negotiate();
// receive data
byte[] response = new byte[1024];
int bytesRead = socket.Receive(response);
// ...
// close the socket
socket.Close();
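An added example (not Rebex's own code) of the asynchronous approach recommended above: an accept loop that hands each connection to its own TLS session task, so a slow or failed handshake affects only that client. The class name, port 4433, and the use of Parameters.Version on the server side are assumptions, and NegotiateAsync and ReceiveAsync are assumed to follow the same pattern as the SendAsync call shown on this page.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;
using Rebex.Net;
using Rebex.Security.Certificates;

static class TlsEchoServer // hypothetical name (added example)
{
    static async Task Main()
    {
        var cert = CertificateChain.LoadPfx("myserver.pfx", "mypassword");
        var listener = new Socket(SocketType.Stream, ProtocolType.Tcp);
        // example port (assumption); bind to a known endpoint before Listen
        listener.Bind(new IPEndPoint(IPAddress.Any, 4433));
        listener.Listen(16);
        while (true)
        {
            Socket plainSocket = await listener.AcceptAsync();
            // not awaited: a stalled client must not block the accept loop
            _ = HandleClientAsync(plainSocket, cert);
        }
    }

    static async Task HandleClientAsync(Socket plainSocket, CertificateChain cert)
    {
        var socket = new TlsServerSocket(plainSocket);
        try
        {
            socket.Parameters.Certificate = cert;
            // assumed to accept the same flags as on the client side
            socket.Parameters.Version = TlsVersion.TLS13 | TlsVersion.TLS12;
            // assumed async counterpart of Negotiate()
            await socket.NegotiateAsync();
            var buffer = new byte[1024];
            while (true)
            {
                // assumed to mirror SendAsync(ArraySegment<byte>); 0 = peer closed
                int bytesRead = await socket.ReceiveAsync(new ArraySegment<byte>(buffer));
                if (bytesRead <= 0) break;
                await socket.SendAsync(new ArraySegment<byte>(buffer, 0, bytesRead));
            }
        }
        catch (Exception ex)
        {
            // a failed handshake or dropped peer ends only this session
            Console.Error.WriteLine("session ended: " + ex.Message);
        }
        finally { socket.Close(); }
    }
}
```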
Settings and options
    In most scenarios, TlsClientSocket will be able to connect without any special configuration.
    In other cases, use the Parameters property to configure
    the TlsClientSocket instance before negotiating TLS:
// specify allowed TLS versions
socket.Parameters.Version = TlsVersion.TLS13 | TlsVersion.TLS12;
// set enabled TLS 1.3 ciphers
socket.Parameters.SetSymmetricCipherSuites(
    TlsSymmetricCipherSuite.TLS_AES_128_GCM_SHA256,
    TlsSymmetricCipherSuite.TLS_AES_256_GCM_SHA384,
    TlsSymmetricCipherSuite.TLS_CHACHA20_POLY1305_SHA256
    );
// set enabled TLS 1.2 ciphers
socket.Parameters.AllowedSuites =
    TlsCipherSuite.ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
    TlsCipherSuite.ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
    TlsCipherSuite.ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
    TlsCipherSuite.ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
    TlsCipherSuite.DHE_RSA_WITH_AES_128_GCM_SHA256 |
    TlsCipherSuite.DHE_RSA_WITH_AES_256_GCM_SHA384;
// specify allowed elliptic curves
socket.Parameters.AllowedCurves = TlsEllipticCurve.All;
// specify minimum allowed Diffie-Hellman key size
socket.Parameters.MinimumDiffieHellmanKeySize = 2048;
// specify server's 'common name' for certificate validation
// (useful if different from the server host name)
socket.Parameters.CommonName = "test.rebex.net";
// connect to a server
socket.Connect(serverName, port);
// negotiate a secure TLS session
// using the specified parameters
socket.Negotiate();
// start communicating
// ...