Rebex TLS

TLS library for modern and legacy platforms

Download 30-day free trial Buy from $699
More .NET components

Release notes for Rebex TLS for .NET

Released
November102020

2020 R5 #

(build 7620 from 2020-11-10)

Support for .NET 5.0!

This release adds a new set of binaries targeting the final version of .NET 5.0. It supports all .NET 5.0 platforms:

  • Windows (x64, x86, ARM64)
  • Linux (x64, ARM32, ARM64)
  • macOS (x64)

Support for Ed25519 X.509 certificates in TLS 1.3

We added support for TLS 1.3 with X.509 certificates using Ed25519 algorithm (EdDSA on edwards25519 curve) to all Rebex components with TLS support.

However, due to limitations of .NET and all supported operating systems, a custom certificate validator is needed to validate Ed25519 certificates.

New AES/GCM API

Our new Rebex.Security.Cryptography.AesGcm class resembles .NET 5.0's class of the same name, but it's available on all supported platforms including .NET Framework 3.5/4.0 and Mono 5/6.

Detailed list of changes:

  • All: Added support for .NET 5.0 on all platforms.
  • TLS Core: Added support for X.509 certificates with Ed25519 keys to TLS 1.3.
  • TLS Core: Improved exception messages in TLS 1.3.
  • Cryptography: Added built-in support for Ed25519 algorithm.
  • Cryptography: Added Rebex.Security.Cryptography.AesGcm class (equivalent to .NET 5.0's AesGcm class, but available on all platforms including .NET Framework 3.5).
  • Cryptography: Added SetOtherNames/GetOtherNames methods to CertificateInfo class ('Other Name' support in SANs).
  • Cryptography: AsymmetricKeyAlgorithm.ImportKey method can initialize Ed25519 key from seed (in addition to private key).
  • Cryptography: AsymmetricKeyAlgorithm.Register method made thread-safe.
  • Cryptography: Deprecated CryptoHelper.ForceManagedAes property.
  • Cryptography: Enhanced compatibility with unsupported legacy versions of CryptoAPI.
  • Cryptography: Enhanced SignedData.Load(Stream) and EnvelopedData.Load(Stream) methods to support Base64-encoded format (PEM) as well.
  • Cryptography: Enhanced workaround for RSA CSPs with lack of SHA-2 support.
  • Common: Added SspiAuthentication.IsSupported method.
  • Common: Enhanced EncodingTools helper class to always provide Encodings with implemented HeaderName, EncodingName and BodyName properties.
Released
September302020

2020 R4 #

(build 7579 from 2020-09-30)

Fully tested on .NET 5.0 RC1

Rebex assemblies targeting .NET Standard 2.1 have been fully tested on .NET 5.0 RC1 and are suitable to be used in production on Microsoft's latest .NET platform.

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

  • All: Fixed several minor compatibility issues on .NET 5.0 RC1.
  • Networking: Restored missing NetworkSession.InstanceId property.
  • TLS Core: Fixed concurrent access in server-side TLS session cache.
  • TLS Core: Fixed normalization of premaster secret in server-side ECDH calculations in TLS 1.2 and earlier.
  • TLS Core: Updated TlsCipherSuite.Secure/Weak/Fast enum values. Updated TlsParameters.AllowedSuite default.
  • TLS: Added more AuthenticateAsClientAsync/AuthenticateAsServerAsync overloads.
  • Cryptography: Added Ed25519 support to Certificate class. (Not yet supported by the built-in certificate validator due to lack of support in Windows and .NET).
  • Cryptography: Fixed handling of non-content data in Certificate(byte[]) constructor and CertificateChain.LoadP7b(Stream) / CertificateRevocationList.Load(Stream) methods.
  • Cryptography: Fixed parsing of constructed primitive ASN.1 types with more than two layers of nesting.
  • Cryptography: Fixed version number in PKCS #10 CertificationRequest structure.
  • Cryptography: Prohibited usage of Chacha20/Poly1305 in TLS 1.3 in FIPS-only mode. (Already prohibited in TLS 1.2 or earlier.)
  • Cryptography: Updated RSAManaged constructor logic to make it suitable as a base for derived classes on .NET Framework in FIPS-compliant mode.
  • Cryptography: Using Windows CNG API for Diffie-Hellman parameter generation on Windows 10 and Windows Server 2016/2019.
  • Common: Optimized internal cancellation infrastructure on old platforms.
  • Common: Removed usage of BinaryFormatter which has been found to be insecure.
  • Common: Updated EncodingTools.GetEncoding method to prefer encodings provided by .NET.
Released
July142020

2020 R3 #

(build 7501 from 2020-07-14)

Binaries for .NET Standard 2.1

We added a new set of binaries targeting .NET Standard 2.1. They are suitable for .NET Core 3.1 and .NET 5.0 Preview 6, on Windows, Linux and macOS.

For an overview of available binaries and supported platforms, check out Rebex Support Lifecycle KB article.

New TlsStream API

In addition to TlsClientSocket and TlsServerSocket, Rebex TLS now featues TlsStream class as well. Its API resembles .NET's SslStream, and it supports TLS 1.0-1.3 on all mainstream .NET platforms including .NET Framework 3.5 on Windows 7 (or even on Windows XP SP3 with a plugin).

Improved TLS core

This release brings enhancements, optimizations.

Detailed list of changes:

  • All: Added binaries targeting .NET Standard 2.1.
  • SSH: Enhanced legacy group exchange autodetection.
  • TLS Core: Added TlsSocket.ApplicationProtocol property to make it possible to determine protocol negotiated using ALPN extension.
  • TLS Core: Always preferring RSA/SHA-2 for client certificate authentication in TLS 1.2.
  • TLS Core: Disabled ciphers based on AES/CBC and SHA-2 in legacy versions of TLS (they are only specified by TLS 1.2).
  • TLS Core: Fixed availability of TLS 1.3 session tickets (client side).
  • TLS Core: Fixed handling of multiple concurrent Receive or Send method calls in TLS 1.3.
  • TLS Core: Fixed handling of TLS 1.3 KeyUpdate handshake message.
  • TLS Core: Fixed server name handling for TlsSocket instances created from an already-connected Socket.
  • TLS Core: Fixed TlsException.Status to return ConnectionClosed for connection-closed errors.
  • TLS Core: Fixed TlsException.Status to return Timeout for timeout errors.
  • TLS Core: Fixed TlsSocket.ClientCertificate that returned an empty chain instead of null in some scenarios.
  • TLS Core: Improved error message when server certificate is rejected in TLS 1.3.
  • TLS Core: Improved error messages in TLS 1.3.
  • TLS Core: Logging improvements.
  • TLS Core: No longer sending 'internal error' alert to remote end on timeout.
  • TLS Core: Optimized TLS 1.3 internals.
  • TLS Core: TLS 1.3 initiates key update properly (before the AEAD limits are reached).
  • TLS Core: Unified behavior of the Receive and ReceiveAsync methods across TLS versions.
  • TLS: Added DisposeAsync method to TlsSocket.
  • TLS: Added server-side support for Application-Layer Protocol Negotiation (ALPN) extension (RFC 7301).
  • TLS: Added TlsParameters.CertificateChainMode property.
  • TLS: Added TlsStream class. Supports TLS 1.0-1.3 via Stream-based API.
  • TLS: An error is reported when trying to use one of deprecated methods via TlsServerSocket.
  • TLS: Fixed error messages reported on client certificate validation to properly refer to client certificate.
  • TLS: Fixed error reporting when trying to use SSL 3.0 on Windows OS in FIPS-only mode.
  • Cryptography: Fixed encoding of ECDSA signatures in PKCS #7 CertificationRequest structure.
  • Cryptography: Memory usage optimizations in CNG layer.
  • Cryptography: On Windows 10 and Windows Server 2016 or higher, MS CNG API is used for classic Diffie-Hellman calculations instead of legacy MS CryptoAPI.
  • Cryptography: Optimized disposing of temporary keys in Certificate class.
Released
May242020

2020 R2 #

(build 7450 from 2020-05-24)

Server-side TLS 1.3 support

Added TlsServerSocket class. Supports server-side TLS 1.3, 1.2, 1.1 and 1.0.

Detailed list of changes:

  • SSH: Added new properties to SshCipher to make it possible to determine IDs of active ciphers.
  • SSH: Added workaround for a weakness in legacy CBC ciphers.
  • TLS Core: Enhanced TlsSocket.Timeout property to apply to subsequent Send, SendAsync, Receive and ReceiveAsync methods even when TLS is already active.
  • TLS Core: Fixed availability of TLS 1.3 session ticket when the receive side of the connection has already been closed.
  • TLS Core: Fixed behavior of server-side DoNotCacheSessions option (which previously led to connection failures).
  • TLS Core: Fixed some cases of missing AggregateException unwrapping.
  • TLS Core: Improved and unified behavior of TlsSocket Shutdown/ShutdownAsync methods when negotiation has not been started.
  • TLS Core: Improved TLS exception reporting.
  • TLS Core: Logging improvements.
  • TLS Core: Optimizations in TLS 1.3 internals.
  • TLS Core: Support for the TLS 1.3 record with empty application data payload and random padding.
  • TLS Core: Unified TlsSocket.Cipher property behavior across TLS versions.
  • TLS: Added TlsServerSocket class. Provides server-side TLS 1.3, 1.2, 1.1 and 1.0 support.
  • TLS: Fixed TlsClientSocket.EndConnect method.
  • Cryptography: Added ContentInfo.ToStream() method.
  • Cryptography: Enhanced Certificate.LoadDerWithKey to support RSASSA-PSS and RSAES-OAEP for RSA keys.
  • Cryptography: Fixed AsymmetricKeyAlgorithm.GenerateDiffieHellmanParameters slowness (only affected the previous release).
  • Cryptography: Improved AsymmetricKeyAlgorithm to support RSASSA-PSS and RSAES-OAEP with keys loaded via ImportKey method.
  • Cryptography: Optimized Certificate and CertificateChain class to only consume native resources when needed.
  • Cryptography: Optimized CNG handles cleanup.
Released
March252020

2020 R1.1 #

(build 7390 from 2020-03-25)

Fixed several TlsClientSocket omissions

This version fixes several omissions and leftovers in the new TlsClientSocket class, mostly related to legacy parts of its API that have been retained from the existing TlsSocket class

Detailed list of changes:

  • Networking: Fixed rare race condition in TLS and SSH internals.
  • TLS Core: Fixed breaking changes in the behavior of seldom-used parts of TlsSocket API.
  • TLS Core: Fixed handling of OperationCanceledException in TLS 1.3 core.
  • TLS Core: Improved TLS logging.
  • TLS: Added BeginNegotiate/EndNegotiate methods to TlsClientSocket class.
  • TLS: Added support for TlsClientSocket.Available property.
  • TLS: Fixed disabled BeginConnect/EndConnect on TlsClientSocket.
  • TLS: Fixed TlsClientSocket's BeginSend/BeginReceive methods to use truly asynchronous implementation.
  • Common: Added DiffieHellmanNative class to Rebex.Common.Native assembly (speeds up Diffie-Hellman calculations on Xamarin.Android).
Released
February212020

2020 R1 #

(build 7357 from 2020-02-21)

New component: Rebex TLS

Rebex TLS is a low-level TLS client library. It supports TLS 1.3, TLS 1.2 and earlier versions on all mainstream platforms including .NET Framework 3.5 on Windows 7 (or on Windows XP SP3 with a plugin). SHA-2, SNI, AES/GCM, Chacha20/Poly1305 and other modern TLS features are supported as well.

The new library is available as a standalone package or as a part of Rebex Total Pack.

Detailed list of changes:

  • All: Binaries targeting .NET Standard 2.0 now support Xamarin.Android and Xamarin.iOS.
  • All: Deprecated binaries targeting .NET Standard 1.5, Xamarin.Android and Xamarin.iOS.
  • All: Fixed several occurences of culture-sensitive string formatting.
  • All: Fixed several occurrences of wrong synchronization context.
  • All: Mainstream edition no longer supports .NET Framework 2.0/3.0 and .NET Core 1.0/1.1.
  • SSH: Added full support for Elliptic Curve Diffie-Hellman (ECDH) on Windows 10, Windows Server 2016 and Windows Server 2019.
  • SSH: Added support for 'curve25519-sha256' key exchange cipher (equivalent to already-supported 'curve25519-sha256@libssh.org').
  • SSH: Enhanced performance of ChaCha20-Poly1305 cipher ('chacha20-poly1305@openssh.com') in SSH client.
  • SSH: Fixed possible deadlock in SSH client when processing incoming EOF packet while waiting for remote receive buffer size to increase.
  • TLS Core: Added asynchronous methods to TlsSocket base class.
  • TLS Core: Added SetSymmetricCipherSuites/GetSymmetricCipherSuites methods to configure enabled TLS 1.3 cipher suites.
  • TLS Core: Added support for ChaCha20-Poly1305 cipher suites to TLS 1.3 and 1.2.
  • TLS Core: Fixed behavior of TlsSocket methods after Dispose has been called.
  • TLS Core: Fixed behavior of TlsSocket.Shutdown.
  • TLS Core: Improved argument checks in TlsSocket base class.
  • TLS Core: Improved multi-pass parsing of the TLS 1.3 records.
  • TLS Core: Many optimizations in TLS 1.3 core.
  • TLS: Initial release of a stand-alone Rebex TLS library.
  • Cryptography: Added full support for Elliptic Curve Diffie-Hellman (ECDH) on Windows 10, Windows Server 2016 and Windows Server 2019.
  • Cryptography: Added native support for ECDH with X25519 curve on Windows 10, Windows Server 2016 and Windows Server 2019.
  • Common: Internal optimizations.