7.0.8865 #

(build 8865 from 2024-04-08)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• SSH: SshPublicKey.LoadPublicKeys reads comments and does not fail on empty files.
• TLS Core: Added option to disable ClientHello padding. Added option to enable legacy SCSV mode.
• TLS Core: Fixed potential repeated clean-up of TLS extensions that might cause strange exceptions in the following TLS connection.
• Cryptography: Added support for loading private keys in new OpenSSH key format encrypted using AES/GCM or ChaCha20/Poly1305.

7.0.8816 #

(build 8816 from 2024-02-19)

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

R6.15 available as well

For customers who have not yet upgraded to version 7 of Rebex libraries, we published the R6.15 update with all the important fixes. Version R6.x will be supported until November 2024.

Detailed list of changes:

• SSH: Added SshCipher.StrictKeyExchange and SshServerInfo.​SupportsStrictKeyExchange properties.
• SSH: Added SshPrivateKey.​CreateFrom(PrivateKeyInfo) method.
• SSH: Added support for a combination of password and keyboard-interactive authentication.
• SSH: Improved SSH session and channel lifecycle logging.
• SSH: Using lower local SSH channel numbers for better log readability.
• TLS Core: Fixed invalid TLS 1.3 behavior for rare Poll/Receive call sequence on TlsSocket.
• TLS Core: Fixed possible deadlock in Receive or Poll methods when additional incomplete packet is received after close_notify in TLS 1.2 or earlier.
• Cryptography: Added low-level API for loading/saving PrivateKeyInfo with byte[] passwords.
• Cryptography: Added ObjectIdentifier.Encode method.
• Cryptography: Added support for loading PKCS #8 private keys with legacy RC4 algorithm.
• Cryptography: Added UseDer property to SignedData and EnvelopedData classes.
• Cryptography: PrivateKeyInfo.Save now uses SHA-2 instead of SHA-1 in PKCS #8 format with PBKDF2 derivation.
• Cryptography: Reduced memory footprint of CNG API interop layer.

7.0.8755 #

(build 8755 from 2023-12-20)

Improved Native AOT compatibility

This update improves compatibility with .NET 8's Native AOT deployment model, which makes it possible to compile applications to native code ahead-of-time (AOT). Most common features should already work in Native AOT mode.

Detailed list of changes:

• All: Improved compatibility with Native AOT in .NET 8.
• SSH: Added support for PKCS #8 format to SshPublicKey constructor.
• SSH: Added support for strict key exchange extension (thwarts the so-called 'Terrapin attack').
• Common: Optimized memory usage of miscellaneous methods.

7.0.8720 #

(build 8720 from 2023-11-15)

Support for .NET 8!

This release adds a new set of binaries targeting .NET 8. It supports all .NET 8 platforms:

• Windows (x64, x86, ARM64)
• Linux (x64, ARM32, ARM64)
• macOS (x64)
• Android
• iOS/tvOS

Detailed list of changes:

• All: Added a new set of binaries targeting .NET 8.0.
• SSH: Added SshParameters.ChannelCloseTimeout property.
• TLS: Fixed reload of available named groups in TlsServerSocket.
• TLS: For TLS 1.3, TlsClientSocket.Session returns a session represented by the last received PSK ticket.
• TLS: For TLS 1.3, TlsServerSocket.Session returns a session that represents the PSK ticket (if used).
• Cryptography: Fixed behavior of certificate issuer API when no CRLs have been specified.

7.0.8657 #

(build 8657 from 2023-09-13)

Maintenance release

This is a maintenance release that fixes minor issues.

Detailed list of changes:

• Networking: Fixed handling of IPv6 addresses in square brackets.
• SSH: Fixed behavior of Certificate flag in SshParameters.HostKeyAlgorithms.

7.0.8581 #

(build 8581 from 2023-06-29)

First 7.0.* release!

This is the first release of 7.0.* series. It no longer uses the 'Rx.y' naming scheme, which was somewhat confusing.

The R6.x series will be supported until November 2024 and will receive fixes and security updates.

AesGcm and ChaChaPoly1305 moved to Rebex.Security

AesGcm and ChaChaPoly1305 classes were moved from Rebex.Common assembly to Rebex.Security. If you are using these classes and don't have a Rebex Total Pack or Rebex Security license, please let us know.

Support for Ed25519 certificates in TLS 1.2

X.509 certificates based on Ed25519 asymmetric algorithm are now supported with TLS 1.2 as well. Previously, they were only supported with TLS 1.3.

Support for modular Diffie-Hellman (FFDHE) in TLS 1.3

Although TLS 1.3 is usually used with Elliptic Curve Diffie-Hellman, it supports classic Diffie-Hellman as well.

Lot of TLS improvements

This release brings lot of small improvements in TLS that aims to make our TLS library up-to-date and as compatible as possible. Check out the release notes below for details.

Detailed list of changes:

• Networking: Added SslSettings.SslRenegotiationMode option.
• Networking: No longer sending default domain in SSPI requests by defalt. Added SslSettings.UseDefaultDomain property.
• SSH: Added SshPublicKey.Parse method and a new overload for SshPublicKey.LoadPublicKeys.
• SSH: Added support for ECDH and ECDSA with secp256k1 curve ('ecdh-sha2-1.3.132.0.10' and 'ecdsa-sha2-1.3.132.0.10').
• SSH: Added support for SSH agents (OpenSSH agent and Pageant).
• SSH: Preferring ChaCha20/Poly1305 on platforms with HW intrinsics support.
• TLS Core: Added public API for TLS 1.3 and TLS 1.2 signature algorithms.
• TLS Core: Added public API for TLS 1.3 named groups and pre-shared key exchange modes configuration.
• TLS Core: Added support for Ed25519 in TLS 1.2 (already supported in TLS 1.3).
• TLS Core: Added support for modular Diffie-Hellman (FFDHE) in TLS 1.3.
• TLS Core: ClientHello is padded to 512 bytes to work around strange bugs in the erroneous TLS implementation on some servers.
• TLS Core: Disable client-initiated TLS renegotiation by default.
• TLS Core: Enabled ChaCha20/Poly1305 ciphers by default on .NET Core 3.1 / .NET 5 or higher.
• TLS Core: Changed the default order of cipher suites in ClientHello to more closely align with the best practices of the industry.
• TLS Core: In TLS 1.2, support for Renegotiation Indication Extension is annonced using renegotiation_info extension.
• TLS Core: The default selection of TLS 1.2 elliptic curves has been altered to more closely align with the best practices of the industry.
• TLS Core: TlsServerSocket now honors TlsOptions.DoNotCacheSessions flag when TLS 1.3 is negotiated.
• TLS Core: Updated default TLS 1.2 cipher preference order. Disabled 3DES by default. Added TlsCipherSuite.Common value.
• TLS: Added API for TLS channel binding.
• TLS: Added support for multiple certificate chains in TlsServerSocket.​TlsClientHelloReceivedEventArgs.​
• Cryptography: Added API for CRL distribution endpoints with multiple CRL entries.
• Cryptography: Added Certificate.Bind methods.
• Cryptography: Added CertificateStoreName.WebHosting enum value.
• Cryptography: Added CertificateStoreOpenFlags and corresponding CertificateStore constructors.
• Cryptography: AesGcm and ChaChaPoly1305 classes moved from Rebex.Common assembly to Rebex.Security.
• Cryptography: Certificate.Extensions collection is now read-only.
• Cryptography: Deprecated EncryptValue/DecryptValue methods in RSAManaged class.
• Cryptography: Fixed visibility of CertificateException legacy serialization constructor.
• Cryptography: Improved loading of Y-less legacy DSA keys in FIPS-only mode on .NET 6/7 in Windows.
• Common: Optimized internal Task.Run methods on old platforms.
• Common: Optimized internal WhenAll/WhenAny Task combinators on old platforms.

R6.14 #

(version 6.0.8580 from 2023-06-28)

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

• All: Fixed problems in finalizer logic.
• SSH: Fixed missing end-of-lines in new OpenSSH key format.
• Cryptography: Fixed support for ECDSA private key formats with optional public key.

R6.13 #

(version 6.0.8558 from 2023-06-06)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• Networking: Added support for IPv6 addresses to SOCKS5 proxy (client-side).
• Networking: Added workaround for systems where System.​Net.​Sockets.​Socket.​RemoteEndPoint does not work properly.
• Networking: Fixed formatting of IPv6 addresses for HTTP CONNECT proxies.
• Networking: Using 'Proxy-Connection' header instead of 'Connection' with HTTP CONNECT proxies.
• TLS Core: Disabled workaround for DHE padding bug in old versions of MS Schannel.
• TLS Core: Fixed server-side TLS curve selection on end-of-life platforms.
• TLS: TLS handshake extensions are always sent in the same order.
• Cryptography: Fixed lifecycle of AsymmetricKeyAlgorithm based on RSA CSP.
• Cryptography: Improved support for SignatureHashAlgorithm.MD5SHA1 in .NET 5 and higher in FIPS-only mode.

R6.12 #

(version 6.0.8509 from 2023-04-18)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• SSH: Added workaround for an issue in 'srt SSH Server' that makes it reject RSA/SHA-2 public key authentication attempts.
• SSH: Fixed handling of SSH2 PUBLIC KEY quotation marks in SshPublicKey.
• SSH: Fixed handling of user name when performing single sign-on in .NET Core and .NET 5/6/7.
• TLS Core: Fixed client-side TLS cipher suite check and server-side TLS cipher selection.
• TLS Core: Fixed checking of selected elliptic curves.
• TLS Core: Fixed memory leak in server-side TLS session cache.
• Common: Fixed rare race condition in scheduled action infrastructure.

R6.11 #

(version 6.0.8432 from 2023-01-31)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• Networking: Comment is no longer ignored when loading SSH2 public key into SshPublicKey.
• SSH: Fixed occasional StackOverflowException in SSH tunnel code (thrown when a large batch of consecutive asynchronous IO operations completes synchronously).
• TLS Core: Fixed handling of missing close_notify message in TLS 1.2 or earlier.
• Cryptography: Fixed CRL retrieval for certificate with multiple CRL distribution endpoints.
• Common: Fixed potential premature release of an unmanaged buffer in SSPI interop code.
• Common: Improved compatibility with Windows 2000.

R6.10 #

(version 6.0.8372 from 2022-12-02)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• SSH: Added workaround for an issue in Azure Blob Storage SFTP that makes it reject RSA/SHA-2 public key authentication attempts.
• TLS Core: Fixed TlsParameter.AcceptableAuthorities handling (can specify an empty list).
• TLS: Added TlsOptions.DisableRenegotiation and TlsOptions.​RequireSecureRenegotiation.​
• Cryptography: Added workaround for broken X25519 implementation in early versions of Windows 10 (version 1507 and 1511).
• Common: Fixed Windows Extended Protection in 64-bit Windows applications.

R6.9 #

(version 6.0.8348 from 2022-11-08)

Support for .NET 7!

This release adds a new set of binaries targeting .NET 7. It supports all .NET 7 platforms:

• Windows (x64, x86, ARM64)
• Linux (x64, ARM32, ARM64)
• macOS (x64)
• Android
• iOS/tvOS

Detailed list of changes:

• All: Added a new set of binaries targeting .NET 7.
• Cryptography: Fixed SHA-2 support on pre-SP3 versions of Windows XP.

R6.8 #

(version 6.0.8334 from 2022-10-25)

Optimized CPU and memory usage in TLS 1.3

Rebex TLS 1.3 core has been further optimized on all supported platforms.

SSE2 implementation of ChaCha20

Last year, we introduced a very fast AVX2 implementation of ChaCha20 encryption cipher. However, some older or mobile CPUs lack AVX2 support, and this is where the new SSE2 implementation will become useful and improved performance of ChaCha20/Poly1305 in TLS and SSH. (Just like AVX2, the new SSE2 implementation is only available on .NET Core 3.1 and .NET 5/6.)

Detailed list of changes:

• Networking: Improved timeout handling during TCP connect.
• TLS Core: Fixed handling of incomplete TLS 1.3 records.
• TLS Core: Further optimized TLS 1.3 core.
• TLS Core: Improved handling of invalid TLS 1.3 session tickets (PSKs).
• TLS Core: Reduced memory footprint and CPU usage of TLS 1.3.
• Cryptography: Added SSE2 implementation of ChaCha20 for .NET 5.0 or higher.

R6.7 #

(version 6.0.8314 from 2022-10-05)

Fixed code signing (broken by DigiCert)

From September 14^th to September 22^nd, 2022, DigiCert's timestamping authority mistakenly issued a TSA certificate with a validity period of only one year. Unfortunately, this mistake means that code-signed Rebex assemblies from R6.6 release will no longer pass validation after February 28^th, 2024.

Therefore, Rebex customers should upgrade from R6.6 as soon as possible to take advantage of the new TSA certificate's full 11-year validity period.

Detailed list of changes:

• All: This release is properly code-signed again. TSA certificate validity was too short in R6.6 due to DigiCert's mistake.
• SSH: Added workaround for SSH servers that claim to prefer 'ssh-rsa' for client public key authentication.
• Cryptography: Added Rebex.Common.Validator assembly.

R6.6 #

(version 6.0.8295 from 2022-09-16)

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

• SSH: Added new constructors to SshPrivateKey/SshPublicKey classes that accept AsymmetricKeyAlgorithm.
• SSH: Added support for ECDSA to SshPrivateKey(AsymmetricAlgorithm) constructor (on .NET Core 3.1 or higher).
• SSH: Fixed rare NullReferenceException when closing an SshSession.
• TLS Core: Added support for Windows Extended Protection (only available on Windows).
• Cryptography: Added GetPrivateKeyAlgorithm/​GetPublicKeyAlgorithm methods to Certificate class.

R6.5 #

(version 6.0.8232 from 2022-07-15)

TLS 1.2 improvements

Added support for TLS extended master secret extension (RFC 7627) and fixed several issues.

Detailed list of changes:

• SSH: Added support for 'server-sig-algs' SSH extension (RFC 8332).
• SSH: Improved logging of 'partial success' authentication responses.
• TLS Core: Added support for TLS extended master secret extension (RFC 7627).
• TLS Core: Fixed handling of NoRenegotiation alert.
• TLS Core: Fixed rare race condition when closing TLS 1.2 socket.
• TLS: Fixed Renegotiate() in TlsClientSocket/TlsServerSocket.
• Common: Improved internal asynchronous infrastructure for old platforms.

R6.4 #

(version 6.0.8181 from 2022-05-25)

Support for .NET 6.0 on Android and iOS

Support for mobile platforms in .NET 6.0 has finally arrived, slightly masquaraded as .NET MAUI. Rebex libraries now support these new platforms as well.

Optimized AEAD ciphers in TLS

ChaCha20/Poly1305 and AES/GCM ciphers have been slightly optimized on all platforms.

Optimized CPU usage in TLS 1.3

Rebex TLS 1.3 core has been further optimized for this release.

Detailed list of changes:

• All: Added support for .NET 6.0 on Android.
• All: Added support for .NET 6.0 on iOS.
• SSH: Fixed behavior of TryPasswordFirst option with servers that support 'publickey' and 'keyboard-interactive' but not 'password'.
• SSH: Optimized AEAD ciphers in SSH.
• TLS Core: Optimized AEAD ciphers in TLS.
• TLS Core: Optimized CPU usage in TLS 1.3 data flow.
• TLS Core: Optimized scenario when the remote party requires TLS 1.2 (or lower TLS version) and TLS 1.3 is enabled.
• TLS Core: Optimized TLS 1.3 key derivation functions.
• Cryptography: Added support for NTLM plugin for non-Windows platforms.
• Cryptography: Added workaround for buggy RSACryptoServiceProvider in .NET 6.0 on Android.
• Cryptography: Enhanced workarounds for slightly misbehaved certificate validator in .NET 6.0 on Android.
• Cryptography: Fixed exporting of DSA keys on Windows XP SP3.
• Cryptography: Optimized ChaCha20Poly1305 internals.
• Cryptography: Optimized internal AEAD interfaces.
• Cryptography: Working around RSA private key access issue in .NET 6.0 on Android.
• Common: Improved inner exception rethrow logic on .NET Framework 3.5/4.0.
• Common: Optimized internal data buffer methods.

R6.3 #

(version 6.0.8123 from 2022-03-28)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• Networking: Added ProxySocket.Bind(Socket) protected method to allow more customization.
• SSH: Improved workaround for very old versions of Bitvise server that don't properly handle SSH channel closing.
• TLS Core: Added TlsSocket.CloseAsync method (alias for DisposeAsync method).
• TLS Core: Fixed occasional (rare) premature termination of the TLS connection when a remote party does not support TLS 1.3.
• TLS Core: Improved protocol mismatch detection.
• TLS Core: Optimized asynchronous Send/Receive operation in TLS 1.3.
• Cryptography: Improved Poly1305 internals.
• Cryptography: Slightly optimized encrypt/decrypt operations in symmetric branch of the CNG/BCrypt interop layer.
• Cryptography: Small optimization in ARM (Advanced NEON SIMD) implementation of ChaCha20.
• Common: Fixed rare premature finalization of a buffer in SSPI interop that might lead to an AccessViolationException.
• Common: Improved internal asynchronous infrastructure.

R6.2 #

(version 6.0.8060 from 2022-01-24)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• Networking: Fixed timeout handling during name resolution.
• TLS Core: Fixed handling of TLS 1.3 signature_algorithms_cert extension.
• TLS Core: Optimized temporary object usage in TLS 1.3 Send/Receive metods.
• Cryptography: Fixed releasing of CNG handles in AES/GCM interop (issue only present in R6.1 on Windows).

R6.1 #

(version 6.0.8044 from 2022-01-08)

Maintenance release

This is a maintenance release that brings several enhancements and resolves some issues.

Detailed list of changes:

• All: Fixed compatibility of Rebex binaries for .NET Framework 4.0 with ASP.NET 4.5 or higher.
• TLS Core: Optimized receive operation in TLS 1.3.
• TLS Core: Slight optimizations in TLS 1.3 on modern platforms.
• Cryptography: Caching of CNG algorithm provider handles.
• Cryptography: Fixed Certificate.​GetSignatureHashAlgorithm() for certificates signed by Ed25519 authorities.
• Cryptography: Fixed unmanaged resource leak in CertificateStore.
• Cryptography: Optimized symmetric branch of Windows CNG (BCrypt) interop layer.

R6.0 #

(version 6.0.8000 from 2021-11-25)

Support for .NET 6.0!

This release adds a new set of binaries targeting .NET 6.0. It supports all .NET 6.0 platforms:

• Windows (x64, x86, ARM64)
• Linux (x64, ARM32, ARM64)
• macOS (x64)

Please note that support for Android and iOS/tvOS in .NET 6.0 is still in preview mode. We will fully support these platforms as soon as the corresponding .NET 6.0 update is published.

TlsStream(Stream) constructor

TlsStream class now features a new Stream-based constructor, making it possible to implement TLS 1.3/1.2 on top of any suitable (readable/writable) Stream.

Detailed list of changes:

• All: Added a new set of binaries targeting .NET 6.0.
• All: Removed several obsolete and deprecated APIs.
• All: Removed support for legacy ISerializable interface from binaries for .NET Standard.
• SSH: Added support for SSH key algorithms based on ECDSA X.509 certificates (RFC 6187).
• TLS: Added TlsStream(Stream) constructor.

R5.7 #

(version 5.0.7999 from 2021-11-24)

Support for .NET 6.0 and Windows 11

Windows 11 is now a supported platform.

Rebex assemblies targeting .NET Standard 2.1 now support .NET 6.0.

Support for PuTTY PPK3 key format

SshPrivateKeyclass, PrivateKeyInfo class and Certificate.SavePrivateKey method now support PuTTY's new PPK version 3 private key format.

Improved TLS 1.3 performance

We made a number of optimizations in the TLS 1.3 core, which increased speed and decreased CPU usage.

Detailed list of changes:

• All: Added support for .NET 6.0 on Windows, Linux and macOS.
• All: Added support for Windows 11.
• SSH: Added support for PuTTY PPK3 format to SshPrivateKey.
• SSH: Added support for 'x509v3-rsa2048-sha256' SSH key algorithm (RSA X.509 certificates, RFC 6187).
• SSH: Added workaround for a server with broken SSH window size handling logic.
• SSH: Fixed handling of oversized data packets from servers with broken window size.
• TLS Core: Improved TLS 1.3 performance.
• TLS: Enabled TLS 1.3 by default in TlsStream class.
• Cryptography: Added more values to X.509 RevocationReason enum.
• Cryptography: Added support for private keys in PuTTY PPK3 format (uses Argon2 key derivation function).
• Cryptography: Added workaround for Google's CRLs with non-constructed explicit ASN.1 nodes.

R5.6 #

(version 5.0.7970 from 2021-10-26)

Support for .NET 6.0 RC2

Rebex assemblies targeting .NET Standard 2.1 have been fully tested on .NET 6.0 RC2 and are suitable to be used in production on Microsoft's latest .NET platform ahead of the official release.

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

• All: Added support for .NET 6.0 RC2.
• TLS Core: Fixed possible NullReferenceException in TLS 1.2 socket after it has been closed.
• TLS Core: Improved handling of exceptions in TlsSocket.Send method.
• Cryptography: Fixed handling of RSAParameters without DP/DQ in AsymmetricKeyAlgorithm and PrivateKeyInfo.
• Cryptography: Fixed loading of encrypted keys with empty passwords in new OpenSSH format.
• Cryptography: Small optimization in AVX2 implementation of ChaCha20.

R5.5 #

(version 5.0.7900 from 2021-08-17)

New binaries for .NET Core 3.1

We added a new set of binaries targeting .NET Core 3.1. We have already been supporting that platform since 2019 via .NET Standard 2.1. However, the new set of binaries utilizes .NET Core's hardware intrinsics API and features our fast ChaCha20/Poly1305 implementation that has been previously only available on .NET 5.0.

For an overview of available binaries and supported platforms, check out Rebex Support Lifecycle KB article.

Detailed list of changes:

• All: Added 'netcoreapp3.1' binaries.
• All: Fixed compatibility with UWP and .NET Native compiler.

R5.4 #

(version 5.0.7888 from 2021-08-05)

Fixed parsing of TLS 1.3 Certificate messages

This release fixes parsing of TLS 1.3 Certificate handshake message spanning more than two records.

Detailed list of changes:

• Networking: Fixed casing in 'Basic' HTTP proxy authorization header.
• TLS Core: Fixed parsing of TLS 1.3 Certificate handshake message spanning multiple records.
• Cryptography: Fixed Certificate.FriendlyName setter in .NET 5.0 on non-Windows platforms.

R5.3 #

(version 5.0.7840 from 2021-06-18)

Fixed FIPS-mode detection in .NET 4.8

This release fixes an issue in FIPS-mode detection routine that was not working properly in applications targeting .NET Framework 4.8 due to a change in the framework's behavior. This only affects applications targeting .NET Framework 4.8. Applications targeting earlier framework versions do not suffer from this issue even when running on .NET Framework 4.8.

If your application targets .NET Framework 4.8 and is supposed to honor system-wide FIPS mode settings, either upgrade to this release, or set Rebex.Security.Cryptography.CryptoHelper.UseFipsAlgorithmsOnly to System.Security.Cryptography.CryptoConfig.AllowOnlyFipsAlgorithms in your application's startup code.

Detailed list of changes:

• SSH: Fixed race condition in OpenSSH-style compression startup code (occasionally caused connection failures during authentication with SSH compression was enabled).
• TLS Core: Added SslSettings.​SetPreferredSuites/​GetPreferredSuites methods to make it possible to specify client-side TLS cipher preference.
• TLS Core: Improved logging when remote party does not support TLS 1.3.
• TLS Core: Optimized TlsSocket.Negotiate method when TLS 1.3 is enabled but not supported by the remote side.
• TLS Core: Prevented 'unobserved' exceptions in task-based TLS 1.2 core.
• Cryptography: Added support for private keys using PBKDF2 with HMAC/SHA-2 (RFC 8018 / PKCS #5 v2.1).
• Cryptography: Fixed detection of FIPS-only systems on .NET Framework 4.8.
• Cryptography: Optimized creation of algorithm objects in CNG layer.

R5.2 #

(version 5.0.7800 from 2021-05-09)

New ChaCha20Poly1305 class

This release features the new ChaCha20Poly1305 class that implements the 'combined mode' AEAD cipher consisting of ChaCha20 stream cipher and Poly1305 authenticator, as specified by RFC 7539.

Faster ChaCha20/Poly1305 on older platforms

We further improved performance of ChaCha20/Poly1305 in TLS and SSH on older platforms. It's not as fast as our .NET 5.0 implementation using AVX2 or Advanced NEON SIMD, but it's faster than ever before.

Detailed list of changes:

• Networking: Added support for SOCKS5 servers that respond with domain name.
• SSH: Optimized usage of ChaCha20/Poly1305 in SSH.
• Cryptography: Added ChaCha20Poly1305 class that implements ChaCha20/Poly1305 with an API that resembles .NET's AesGcm class.
• Cryptography: Added support for loading of ECDSA certificates from PFX/P12 files in .NET 5.0 and .NET Standard 2.1 on Linux and macOS.
• Cryptography: Added support for saving to PFX/P12 files for certificates with temporarily associated private keys in .NET 5.0 and .NET Standard 2.1 on Linux and macOS.
• Cryptography: AVX2 implementation of ChaCha20 releases old pre-generated keystream immediately after reinitialization.
• Cryptography: Clearing output data in AesGcm class when authentication tag is invalid.
• Cryptography: Fixed parsing of Cryptographic Message Syntax envelopes with unsupported OIDs.
• Cryptography: Improved ChaCha20/Poly1305 performance on .NET 3.5-4.6 and .NET Standard 2.x.
• Cryptography: Improved performance of AES/CTR ciphers (used in SSH).
• Common: Improved error handling when raising events via synchronization context.

R5.1 #

(version 5.0.7733 from 2021-03-03)

Simplified release naming

We decided to drop the year from our release naming scheme. Instead of '2020 R5.1', this release is called just 'R5.1', and the forthcoming releases will use the same 'R5.x' naming scheme until the next major upgrade.

Faster ChaCha20/Poly1305 in .NET 5.0

By utilizing AVX2 (on Intel/AMD) or Advanced NEON SIMD (on ARM) via .NET's new hardware intrinsics API in .NET 5.0, we made our ChaCha20/Poly1305 implementation in SSH and TLS much faster. On ARM64, ChaCha20/Poly1305 is now even faster than Windows native AES/GCM.

This release improves ChaCha20/Poly1305 performance on older platforms as well, although not by such a big margin.

Detailed list of changes:

• All: Changed release naming scheme ('R5.1' instead of '2020 R5.1').
• Networking: Added workaround for rare WSAEWOULDBLOCK error on Mono in Socket.Connect.
• Networking: More meaningful exception is throw when attempting to use HTTP CONNECT proxy with NTLM authentication on platforms that don't support it.
• Networking: Optimized timeout infrastructure in ProxySocket.Connect.
• SSH: Added workaround for WingFTPServer server that uses 'ssh-rsa' with SHA-2 when client announces RSA/SHA-2 support.
• SSH: Fixed format of SshPublicKey.GetPublicKey() response for public keys initialized from PublicKeyInfo or AsymmetricAlgorithm.
• SSH: Fixed handling of unknown channel requests (not sending reply if not requested).
• TLS Core: Added VerifyMessage signature algorithm logging in TLS 1.3.
• TLS Core: Close/Dispose method called on TLS 1.3 socket ensures that all outstanding IO operations are canceled before the control is returned to the caller.
• TLS Core: Fixed possible rare NullReferenceException when closing TLS 1.3 session.
• TLS Core: Synchronous methods on TlsSocket wrap TaskCanceledException to TlsException.
• Cryptography: Added workaround to Certificate.LoadDer method to enable loading of certificates in PKCS #7 containers.
• Cryptography: Enhanced implicit operator for conversion of Certificate->X509Certificate2 to retain private keys on non-Windows platforms as well.
• Cryptography: Fixed Ed25519 PKCS #8 key structure (now compatible with OpenSSL).
• Cryptography: Optimized memory usage in symmetric encryption transformations based on Windows CNG API.
• Cryptography: Substantial speed-up of ChaCha20/Poly1305 (used in SSH and TLS). Utilizing AVX2 or Advanced NEON SIMD on .NET 5.0 (if available).
• Common: Accelerated common byte array operations in .NET 5.0 on devices with AVX2 support.

2020 R5 #

(version 5.0.7620 from 2020-11-10)

Support for .NET 5.0!

This release adds a new set of binaries targeting .NET 5.0. It supports all .NET 5.0 platforms:

• Windows (x64, x86, ARM64)
• Linux (x64, ARM32, ARM64)
• macOS (x64)

Support for Ed25519 X.509 certificates in TLS 1.3

We added support for TLS 1.3 with X.509 certificates using Ed25519 algorithm (EdDSA on edwards25519 curve) to all Rebex libraries with TLS support.

However, due to limitations of .NET and all supported operating systems, a custom certificate validator is needed to validate Ed25519 certificates.

New AES/GCM API

Our new Rebex.Security.Cryptography.AesGcm class resembles .NET 5.0's class of the same name, but it's available on all supported platforms including .NET Framework 3.5/4.0 and Mono 5/6.

Detailed list of changes:

• All: Added support for .NET 5.0 on all platforms.
• TLS Core: Added support for X.509 certificates with Ed25519 keys to TLS 1.3.
• TLS Core: Improved exception messages in TLS 1.3.
• Cryptography: Added built-in support for Ed25519 algorithm.
• Cryptography: Added Rebex.Security.Cryptography.AesGcm class (equivalent to .NET 5.0's AesGcm class, but available on all platforms including .NET Framework 3.5).
• Cryptography: Added SetOtherNames/GetOtherNames methods to CertificateInfo class ('Other Name' support in SANs).
• Cryptography: AsymmetricKeyAlgorithm.ImportKey method can initialize Ed25519 key from seed (in addition to private key).
• Cryptography: AsymmetricKeyAlgorithm.Register method made thread-safe.
• Cryptography: Deprecated CryptoHelper.ForceManagedAes property.
• Cryptography: Enhanced compatibility with unsupported legacy versions of CryptoAPI.
• Cryptography: Enhanced SignedData.Load(Stream) and EnvelopedData.Load(Stream) methods to support Base64-encoded format (PEM) as well.
• Cryptography: Enhanced workaround for RSA CSPs with lack of SHA-2 support.
• Common: Added SspiAuthentication.IsSupported method.
• Common: Enhanced EncodingTools helper class to always provide Encodings with implemented HeaderName, EncodingName and BodyName properties.

2020 R4 #

(version 5.0.7579 from 2020-09-30)

Fully tested on .NET 5.0 RC1

Rebex assemblies targeting .NET Standard 2.1 have been fully tested on .NET 5.0 RC1 and are suitable to be used in production on Microsoft's latest .NET platform.

Maintenance release

This is a maintenance release with enhancements in the shared functionality.

Detailed list of changes:

• All: Fixed several minor compatibility issues on .NET 5.0 RC1.
• Networking: Restored missing NetworkSession.InstanceId property.
• TLS Core: Fixed concurrent access in server-side TLS session cache.
• TLS Core: Fixed normalization of premaster secret in server-side ECDH calculations in TLS 1.2 and earlier.
• TLS Core: Updated TlsCipherSuite.Secure/Weak/Fast enum values. Updated TlsParameters.AllowedSuite default.
• TLS: Added more AuthenticateAsClientAsync/​AuthenticateAsServerAsync overloads.
• Cryptography: Added Ed25519 support to Certificate class. (Not yet supported by the built-in certificate validator due to lack of support in Windows and .NET).
• Cryptography: Fixed handling of non-content data in Certificate(byte[]) constructor and CertificateChain.LoadP7b(Stream) / CertificateRevocationList.​Load(Stream) methods.
• Cryptography: Fixed parsing of constructed primitive ASN.1 types with more than two layers of nesting.
• Cryptography: Fixed version number in PKCS #10 CertificationRequest structure.
• Cryptography: Prohibited usage of Chacha20/Poly1305 in TLS 1.3 in FIPS-only mode. (Already prohibited in TLS 1.2 or earlier.)
• Cryptography: Updated RSAManaged constructor logic to make it suitable as a base for derived classes on .NET Framework in FIPS-compliant mode.
• Cryptography: Using Windows CNG API for Diffie-Hellman parameter generation on Windows 10 and Windows Server 2016/2019.
• Common: Optimized internal cancellation infrastructure on old platforms.
• Common: Removed usage of BinaryFormatter which has been found to be insecure.
• Common: Updated EncodingTools.GetEncoding method to prefer encodings provided by .NET.

2020 R3 #

(version 5.0.7501 from 2020-07-14)

Binaries for .NET Standard 2.1

We added a new set of binaries targeting .NET Standard 2.1. They are suitable for .NET Core 3.1 and .NET 5.0 Preview 6, on Windows, Linux and macOS.

For an overview of available binaries and supported platforms, check out Rebex Support Lifecycle KB article.

New TlsStream API

In addition to TlsClientSocket and TlsServerSocket, Rebex TLS now featues TlsStream class as well. Its API resembles .NET's SslStream, and it supports TLS 1.0-1.3 on all mainstream .NET platforms including .NET Framework 3.5 on Windows 7 (or even on Windows XP SP3 with a plugin).

Improved TLS core

This release brings enhancements, optimizations.

Detailed list of changes:

• All: Added binaries targeting .NET Standard 2.1.
• SSH: Enhanced legacy group exchange autodetection.
• TLS Core: Added TlsSocket.ApplicationProtocol property to make it possible to determine protocol negotiated using ALPN extension.
• TLS Core: Always preferring RSA/SHA-2 for client certificate authentication in TLS 1.2.
• TLS Core: Disabled ciphers based on AES/CBC and SHA-2 in legacy versions of TLS (they are only specified by TLS 1.2).
• TLS Core: Fixed availability of TLS 1.3 session tickets (client side).
• TLS Core: Fixed handling of multiple concurrent Receive or Send method calls in TLS 1.3.
• TLS Core: Fixed handling of TLS 1.3 KeyUpdate handshake message.
• TLS Core: Fixed server name handling for TlsSocket instances created from an already-connected Socket.
• TLS Core: Fixed TlsException.Status to return ConnectionClosed for connection-closed errors.
• TLS Core: Fixed TlsException.Status to return Timeout for timeout errors.
• TLS Core: Fixed TlsSocket.ClientCertificate that returned an empty chain instead of null in some scenarios.
• TLS Core: Improved error message when server certificate is rejected in TLS 1.3.
• TLS Core: Improved error messages in TLS 1.3.
• TLS Core: Logging improvements.
• TLS Core: No longer sending 'internal error' alert to remote end on timeout.
• TLS Core: Optimized TLS 1.3 internals.
• TLS Core: TLS 1.3 initiates key update properly (before the AEAD limits are reached).
• TLS Core: Unified behavior of the Receive and ReceiveAsync methods across TLS versions.
• TLS: Added DisposeAsync method to TlsSocket.
• TLS: Added server-side support for Application-Layer Protocol Negotiation (ALPN) extension (RFC 7301).
• TLS: Added TlsParameters.CertificateChainMode property.
• TLS: Added TlsStream class. Supports TLS 1.0-1.3 via Stream-based API.
• TLS: An error is reported when trying to use one of deprecated methods via TlsServerSocket.
• TLS: Fixed error messages reported on client certificate validation to properly refer to client certificate.
• TLS: Fixed error reporting when trying to use SSL 3.0 on Windows OS in FIPS-only mode.
• Cryptography: Fixed encoding of ECDSA signatures in PKCS #7 CertificationRequest structure.
• Cryptography: Memory usage optimizations in CNG layer.
• Cryptography: On Windows 10 and Windows Server 2016 or higher, Windows CNG API is used for classic Diffie-Hellman calculations instead of legacy Windows CryptoAPI.
• Cryptography: Optimized disposing of temporary keys in Certificate class.

2020 R2 #

(version 5.0.7450 from 2020-05-24)

Server-side TLS 1.3 support

Added TlsServerSocket class. Supports server-side TLS 1.3, 1.2, 1.1 and 1.0.

Detailed list of changes:

• SSH: Added new properties to SshCipher to make it possible to determine IDs of active ciphers.
• SSH: Added workaround for a weakness in legacy CBC ciphers.
• TLS Core: Enhanced TlsSocket.Timeout property to apply to subsequent Send, SendAsync, Receive and ReceiveAsync methods even when TLS is already active.
• TLS Core: Fixed availability of TLS 1.3 session ticket when the receive side of the connection has already been closed.
• TLS Core: Fixed behavior of server-side DoNotCacheSessions option (which previously led to connection failures).
• TLS Core: Fixed some cases of missing AggregateException unwrapping.
• TLS Core: Improved and unified behavior of TlsSocket Shutdown/ShutdownAsync methods when negotiation has not been started.
• TLS Core: Improved TLS exception reporting.
• TLS Core: Logging improvements.
• TLS Core: Optimizations in TLS 1.3 internals.
• TLS Core: Support for the TLS 1.3 record with empty application data payload and random padding.
• TLS Core: Unified TlsSocket.Cipher property behavior across TLS versions.
• TLS: Added TlsServerSocket class. Provides server-side TLS 1.3, 1.2, 1.1 and 1.0 support.
• TLS: Fixed TlsClientSocket.EndConnect method.
• Cryptography: Added ContentInfo.ToStream() method.
• Cryptography: Enhanced Certificate.LoadDerWithKey to support RSASSA-PSS and RSAES-OAEP for RSA keys.
• Cryptography: Fixed AsymmetricKeyAlgorithm.​GenerateDiffieHellmanParameters slowness (only affected the previous release).
• Cryptography: Improved AsymmetricKeyAlgorithm to support RSASSA-PSS and RSAES-OAEP with keys loaded via ImportKey method.
• Cryptography: Optimized Certificate and CertificateChain class to only consume native resources when needed.
• Cryptography: Optimized CNG handles cleanup.

2020 R1.1 #

(version 5.0.7390 from 2020-03-25)

Fixed several TlsClientSocket omissions

This version fixes several omissions and leftovers in the new TlsClientSocket class, mostly related to legacy parts of its API that have been retained from the existing TlsSocket class

Detailed list of changes:

• Networking: Fixed rare race condition in TLS and SSH internals.
• TLS Core: Fixed breaking changes in the behavior of seldom-used parts of TlsSocket API.
• TLS Core: Fixed handling of OperationCanceledException in TLS 1.3 core.
• TLS Core: Improved TLS logging.
• TLS: Added BeginNegotiate/EndNegotiate methods to TlsClientSocket class.
• TLS: Added support for TlsClientSocket.Available property.
• TLS: Fixed disabled BeginConnect/EndConnect on TlsClientSocket.
• TLS: Fixed TlsClientSocket's BeginSend/BeginReceive methods to use truly asynchronous implementation.
• Common: Added DiffieHellmanNative class to Rebex.Common.Native assembly (speeds up Diffie-Hellman calculations on Xamarin.Android).

2020 R1 #

(version 5.0.7357 from 2020-02-21)

New library: Rebex TLS

Rebex TLS is a low-level TLS client library. It supports TLS 1.3, TLS 1.2 and earlier versions on all mainstream platforms including .NET Framework 3.5 on Windows 7 (or on Windows XP SP3 with a plugin). SHA-2, SNI, AES/GCM, ChaCha20/Poly1305 and other modern TLS features are supported as well.

The new library is available as a standalone package or as a part of Rebex Total Pack.

Detailed list of changes:

• All: Binaries targeting .NET Standard 2.0 now support Xamarin.Android and Xamarin.iOS.
• All: Deprecated binaries targeting .NET Standard 1.5, Xamarin.Android and Xamarin.iOS.
• All: Fixed several occurences of culture-sensitive string formatting.
• All: Fixed several occurrences of wrong synchronization context.
• All: Mainstream edition no longer supports .NET Framework 2.0/3.0 and .NET Core 1.0/1.1.
• SSH: Added full support for Elliptic Curve Diffie-Hellman (ECDH) on Windows 10, Windows Server 2016 and Windows Server 2019.
• SSH: Added support for 'curve25519-sha256' key exchange cipher (equivalent to already-supported 'curve25519-sha256@libssh.org').
• SSH: Enhanced performance of ChaCha20-Poly1305 cipher ('chacha20-poly1305@openssh.com') in SSH client.
• SSH: Fixed possible deadlock in SSH client when processing incoming EOF packet while waiting for remote receive buffer size to increase.
• TLS Core: Added asynchronous methods to TlsSocket base class.
• TLS Core: Added SetSymmetricCipherSuites/​GetSymmetricCipherSuites methods to configure enabled TLS 1.3 cipher suites.
• TLS Core: Added support for ChaCha20-Poly1305 cipher suites to TLS 1.3 and 1.2.
• TLS Core: Fixed behavior of TlsSocket methods after Dispose has been called.
• TLS Core: Fixed behavior of TlsSocket.Shutdown.
• TLS Core: Improved argument checks in TlsSocket base class.
• TLS Core: Improved multi-pass parsing of the TLS 1.3 records.
• TLS Core: Many optimizations in TLS 1.3 core.
• TLS: Initial release of a stand-alone Rebex TLS library.
• TLS: Initial release of stand-alone Rebex TLS component.
• Cryptography: Added full support for Elliptic Curve Diffie-Hellman (ECDH) on Windows 10, Windows Server 2016 and Windows Server 2019.
• Cryptography: Added native support for ECDH with X25519 curve on Windows 10, Windows Server 2016 and Windows Server 2019.
• Common: Internal optimizations.