Https with TLS 1.2 in Xamarin

Question

I'm using HttpClient in Xamarin to request to https with TLS 1.2 and I got the error as below;

System.AggregateException: One or more errors occurred ---> System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00013] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:574 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x000d0] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:376 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00035] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:425 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x0000c] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:99 
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x0005e] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/System/System.Net/HttpWebRequest.cs:969 
  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Threading.Tasks/TaskFactory_T.cs:473 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000b] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.ExceptionServices/ExceptionDispatchInfo.cs:62 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[System.Net.WebResponse].GetResult () [0x00034] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.CompilerServices/ConfiguredTaskAwaitable_T.cs:62 
  at System.Net.Http.HttpClientHandler+<SendAsync>c__async0.MoveNext () [0x002d0] in /Developer/MonoTouch/Source/mono/mcs/class/System.Net.Http/System.Net.Http/HttpClientHandler.cs:338 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000b] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.ExceptionServices/ExceptionDispatchInfo.cs:62 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[System.Net.Http.HttpResponseMessage].GetResult () [0x00034] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.CompilerServices/ConfiguredTaskAwaitable_T.cs:62 
  at System.Net.Http.HttpClient+<SendAsyncWorker>c__async0.MoveNext () [0x000a9] in /Developer/MonoTouch/Source/mono/mcs/class/System.Net.Http/System.Net.Http/HttpClient.cs:273 
  --- End of inner exception stack trace ---
  at System.Threading.Tasks.Task.Wait (Int32 millisecondsTimeout, CancellationToken cancellationToken) [0x00049] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Threading.Tasks/Task.cs:709 
  at System.Threading.Tasks.Task.Wait () [0x00000] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Threading.Tasks/Task.cs:679 
  at System.Threading.Tasks.Task`1[System.Net.Http.HttpResponseMessage].get_Result () [0x0000b] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Threading.Tasks/Task_T.cs:48 
  at Cucumber.ViewModels.LoginViewModel+<ExecuteLoginCommand>c__async0.MoveNext () [0x00144] in /Users/bachpx1/FSBProjects/FsoftInternalNews/cucumber/xamarin_form/Cucumber/Cucumber.Shared/ViewModels/LoginViewModel.cs:94 
 --> (Inner exception 0) System.Net.WebException: Error writing headers ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: The authentication or decryption has failed.
  at Mono.Security.Protocol.Tls.RecordProtocol.ProcessAlert (AlertLevel alertLevel, AlertDescription alertDesc) [0x00013] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:574 
  at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x000d0] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/RecordProtocol.cs:376 
  --- End of inner exception stack trace ---
  at Mono.Security.Protocol.Tls.SslClientStream.EndNegotiateHandshake (IAsyncResult result) [0x00035] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslClientStream.cs:425 
  at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x0000c] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslStreamBase.cs:99 
  --- End of inner exception stack trace ---
  at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x0005e] in ///Library/Frameworks/Xamarin.iOS.framework/Versions/8.9.1.3/src/mono/mcs/class/System/System.Net/HttpWebRequest.cs:969 
  at System.Threading.Tasks.TaskFactory`1[System.Net.WebResponse].InnerInvoke (System.Threading.Tasks.TaskCompletionSource`1 tcs, System.Func`2 endMethod, IAsyncResult l) [0x00000] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Threading.Tasks/TaskFactory_T.cs:473 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000b] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.ExceptionServices/ExceptionDispatchInfo.cs:62 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[System.Net.WebResponse].GetResult () [0x00034] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.CompilerServices/ConfiguredTaskAwaitable_T.cs:62 
  at System.Net.Http.HttpClientHandler+<SendAsync>c__async0.MoveNext () [0x002d0] in /Developer/MonoTouch/Source/mono/mcs/class/System.Net.Http/System.Net.Http/HttpClientHandler.cs:338 
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000b] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.ExceptionServices/ExceptionDispatchInfo.cs:62 
  at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[System.Net.Http.HttpResponseMessage].GetResult () [0x00034] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Runtime.CompilerServices/ConfiguredTaskAwaitable_T.cs:62 
  at System.Net.Http.HttpClient+<SendAsyncWorker>c__async0.MoveNext () [0x000a9] in /Developer/MonoTouch/Source/mono/mcs/class/System.Net.Http/System.Net.Http/HttpClient.cs:273 

Do anyone know how to fix this issue. I have heard is Xamarin are errors with TLS in Mono 2.0. Many thanks

Answer 1

TLS is not yet fully implemented in Mono. That means your HTTPS requests may fail where they would not when running your .NET app on Windows.

Xamarin Deployment

Since you are using Xamarin, you can use ModernHttpClient which is a wrapper around the native iOS / Android networking libraries.

Android, Mac and iOS users can get the latest TLS for HTTP workloads using ModernHttpClient. Mac/iOS users can use the built-in CFNetworkHandler as well.

Linux/Mac Deployment

If you are deploying Mono on Linux/Mac (without Xamarin), you'll need to find a workaround for the lack of TLS support.

There are 2 possible workarounds that come to mind:

Use a Custom TLS Implementation

Try using juhovh/AaltoTLS, which is an implementation of the SSL/TLS network protocol written completely using C# and standard cryptographic libraries of .NET where relevant. It will take care of the TLS decryption/encryption and won't use the built-in lacking Mono implementation.

Implement a TLS Proxy

Build a TLS Proxy that will do the TLS heavy-lifting for you -- you'll configure it as an HTTP proxy for your HTTP requests in Mono, it will receive them, and query the target server via HTTPS, handling the encryption and decryption for the Mono app.

Workflow:

Mono App -> HttpClient sends HTTP request via TLS Proxy -> TLS Proxy converts HTTP request to HTTPS and sends it to target server -> TLS Proxy receives response -> TLS Proxy sends back response to HttpClient in HTTP format

Example code in Node.js for the TLS Proxy workaround using nodejitsu/node-http-proxy:

// Modules
var http = require('http');
var httpProxy = require('http-proxy');

// Proxy server options
var options = {secure: true}; // Validate remote SSL certificates

// Create a proxy server with custom application logic
var proxy = httpProxy.createProxyServer(options);

// Handle errors gracefully
proxy.on('error', function(e) {
    // Log to console
    console.log(e);
});

// Create server and define custom logic
var server = http.createServer(function(req, res) {
    // URL provided?
    if (req.url) { 
        // Convert to HTTPS
        req.url = req.url.replace('http://', 'https://');
    }

    // Get remote host from headers (and force HTTPS)
    var target = 'https://' + req.headers.host;

    // Proxy the request (target is the server to pass the request on to)
    proxy.web(req, res, { target: target });
});

// Proxy port
var port = 8080;

// Start listening for requests from clients
server.listen(port);

// Log the port number
console.log('proxy.port: ' + port);

Answer 2

Found this error at Release build, yet not in Debug build.

For Xamarin + VS, TLS 1.2 can be set in Android Project Properties (right click on your Android Project > Properties on bottom) > Android Options > scroll to bottom, click Advance > bottom, SSL/TLS Implementations. There you found Native TLS 1.2+.