-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
investigate TLS13 on MacOS #1979
Comments
It seems like we will need to rewrite PAL to use new Network framework API. https://mailarchive.ietf.org/arch/msg/tls/5QjzTilqjomSyzENtgfaAqQOhbA/ |
Triage: Will require PAL rewrite on Mac -- out of scope of 5.0. |
Is this still current? In a .NET 6 console app with macOS 12.3 against a host that only seems to support TLS 1.3, I still get the same stacktrace as above. .NET info:
.NET SDK (reflecting any global.json):
Version: 6.0.201
Commit: ef40e6aa06
Runtime Environment: Host (useful for support): .NET SDKs installed: .NET runtimes installed: |
Not to add pressure, but I am more and more encountering TLS 1.3-only systems. This is especially true for internal, greenfield APIs that companies build, since they can "start secure" from the beginning. Any work around (such leveraging OpenSSL as is done in Linux) would be tremendously helpful. |
Is there need for client, server or both? I was thinking about some fallback because to allow HTTP2 for macOS developers (#27727) We generally do that for HTTP3/Quic (preview in 6.0) so we have some parts already in a place. if we go down this path, it would probably be opt-in feature with dependency on OpenSSL from Brew/MacPorts. Would that be acceptable? |
@wfurt client in my case. macOS as a server is uncommon. But server might still be useful (if less important) for developers who run Kestrel on a Mac? |
And yes, the server part would be for Mac developers (like me). Production deployment of Kestrel on macOS is unlikely IMHO. Just to elaborate more since the use case here is different from #27727. Aside testing and support, the biggest challenge with using OpenSSL on macOS is integration with keychain and certificate management. Using Apple's AP allows to use private keys that are non-exportable and private keys are not in core dumps. And Apple packages LibreSSL instead of OpenSSL and that is not binary compatible. So dependency management is going to be hard. The new Apple's api makes it very difficult (and maybe impossible) for |
@wfurt sorry for not being more clear. This is for clients. As a client, not being able to make encrypted connections to TLS 1.3-only services/servers is by far the bigger issue. I'm finding companies start a new green-field API or service, and configure it to only use TLS 1.3. Writing .NET code that can talk to services configured like this will only grow with time. At this point I'm literally shelling out from .NET to run "ncat + openssl" via the |
ok. thanks for the feedback @bhoffman-splunk and @chucker. I'm not sure if this fits to 7.0 but I'll try to take another look and I'll sync up with with @filipnavara. |
I am gonna be away for the next week but happy to discuss it when I get back. |
(Of note, current .NET 6 won't do TLS 1.3 on macOS. Like, at all. See dotnet/runtime#1979) Minor other changes fixed an error in ExtensionType enum
Hi, are there any plans on supporting TLS 1.3 on macOS in future .NET releases? Our usecase is that we have customers with 10s of thousands of users using our software (.NET 6) on their macOS. The server side is deployed on a Windows Server which has only TLS 1.3 enabled. The software deployed on workstations currently cannot communicate with the server side due to the TLS 1.3 requirement. |
triage: we should investigate for 8.0 |
Here's a link to the example on how to "misuse" the framer API in Network.framework to perform client-side TLS: https://gist.github.com/filipnavara/d5fb55bdb5edcceb1981f73078b855c4 (I'll be happy to answer any questions about it once I get back from holiday at the beginning of December.) |
Hi there, |
It is on 9.0 wish list for me. We simply run out of time in 8.0 and it is not trivial effort. Based on prototypes from @filipnavara it should be doable at least for the client side. While not ideal I would be OK for me doing only half for now - just to make some progress. ALPN was like that for a while until #27727 plugged server side in 8.0. But in the mean time HttpClient (and others) could connect to HTTP/2 servers. |
Triage: big effort, unclear implementation direction (the new API does not make it easy to get TLS messages in a buffer so that we can push them to the provided inner stream ourselves). But would be great for platform compatibility. |
Its 2024, and we still can't call TSL1.3 APIs? |
We are writing troubleshooting utility in .NET to verify our app can correctly connected using IPv4 and IPv6 and using different TLS protocols. On macOS the app reports only TLS v1.2 connection. Will TLS 1.3 really be ready in .NET 9? |
It is still high on the priority list. However, it is not clear if it is even doable because of Apple's new AI shape. |
Does anybody have a workaround for this problem that works in combination with HttpClient and consumes TLS 1.3 APIs? |
you would need TLS terminating proxy @pmauchle. It is probably doable but tricky. I really wish we can make progress but realistically we don't have resources to get it done in 9. |
It seems like on Catalina TLS1.3 works out of the box - at least with Safari.
However, when I try to use in .NET I get the following error:
This may be because API we currently use is marked as obsolete or there may be something missing since TLS1.3 support got out before Catalina. And all TLS1.3 tests are disabled on all versions of MacOS.
related to #1720
The text was updated successfully, but these errors were encountered: