
Finally .NET 5.0 is released. According to "TLS 1.3 support will also be added to .NET beginning with version 5.0" and "Microsoft is planning to add TLS 1.3 support to the .NET framework with the arrival of .NET 5.0", TLS 1.3 works in a .NET 5.0 project.

So I created a test "Console App (.NET Core)" project, then targeted this project to .NET 5.0 and added the test code:

using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

namespace TestSsl {
    class Program {
        static void Main(string[] args) {
            object locker = new object();
            // Tls13 alone forces TLS 1.3 only: there is no fallback to TLS 1.2 if either
            // side (or the OS TLS stack) does not support it, the handshake just fails.
            SslProtocols protocol = SslProtocols.Tls13;
            Console.WriteLine($"testing SslProtocols.{protocol}");
            int port = 1999;
            // Test-only callback: accepts any certificate, so the self-signed certs whose
            // CN does not match 127.0.0.1 pass. Do not use this outside a local test.
            RemoteCertificateValidationCallback certificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => {
                return (true);
            };
            X509Certificate2 serverCert = new X509Certificate2("server.pfx", "testpass123");
            X509Certificate2 clientCert = new X509Certificate2("client.pfx", "testpass123");
            TcpListener server = TcpListener.Create(port);
            server.Server.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.KeepAlive, true);
            server.Server.NoDelay = true;
            server.Server.SetSocketOption(SocketOptionLevel.IPv6, SocketOptionName.IPv6Only, false);
            server.Start();
            Task taskServer = Task.Run(() => {
                TcpClient remoteClient = server.AcceptTcpClient();
                Task.Run(() => {
                    using(remoteClient) {
                        using(SslStream sslStreamRemoteClient = new SslStream(remoteClient.GetStream(), false, certificateValidationCallback)) {
                            try {
                                // clientCertificateRequired = true: mutual TLS, the client must present client.pfx
                                sslStreamRemoteClient.AuthenticateAsServer(serverCert, true, protocol, true);
                                byte[] buf = new byte[1000];
                                int len = sslStreamRemoteClient.Read(buf, 0, buf.Length);
                                string receive = Encoding.UTF8.GetString(buf, 0, len);
                                Console.WriteLine($"server receive:{receive}");
                                sslStreamRemoteClient.Write(Encoding.UTF8.GetBytes("Ok"));
                                Console.WriteLine($"server send:Ok");
                            } catch(Exception ex) {
                                lock(locker) {
                                    Console.WriteLine("======Server Exception==========================");
                                    Console.WriteLine(ex);
                                }
                            }
                        }
                    }
                }).Wait();
            });
            Task taskClient = Task.Run(() => {
                try {
                    using(TcpClient client = new TcpClient()) {
                        client.Connect("127.0.0.1", port);
                        using(SslStream sslStreamClient = new SslStream(client.GetStream(), false, certificateValidationCallback)) {
                            // targetHost "127.0.0.1" never matches CN "test[server]"; only the callback above makes this pass
                            sslStreamClient.AuthenticateAsClient("127.0.0.1", new X509CertificateCollection() { clientCert }, protocol, true);
                            string send = "hi, i am testing tls";
                            sslStreamClient.Write(Encoding.UTF8.GetBytes(send));
                            Console.WriteLine($"client send:{send}");
                            byte[] buf = new byte[1000];
                            int len = sslStreamClient.Read(buf, 0, buf.Length);
                            string receive = Encoding.UTF8.GetString(buf, 0, len);
                            Console.WriteLine($"client receive:{receive}");
                        }
                    }
                } catch(Exception ex) {
                    lock(locker) {
                        Console.WriteLine("======Client Exception==========================");
                        Console.WriteLine(ex);
                    }
                }
            });
            Task.WaitAll(taskClient, taskServer);
        }
    }
}

The debug result (screenshot).

My VS2019 version (screenshot).

According to "how to enable TLS 1.3 in Windows 10", I had already enabled TLS 1.3 in regedit before (screenshots).

My Windows version (screenshot).

How I created these pfx certificates:

CRTPASS="testpass123"

# Server certificate. Note: self-signed, no SAN, and the CN "test[server]" does not
# match 127.0.0.1, so a strict client validation would reject it.
CRTNAME="server"
SUBJECT="/C=DE/ST=test/L=test/O=test GmbH/OU=test/CN=test[${CRTNAME}]/emailAddress=test@test.de"
rm -f ${CRTNAME}.key ${CRTNAME}.csr ${CRTNAME}.crt ${CRTNAME}.pfx
# 4096-bit RSA key, encrypted with the passphrase in CRTPASS (one cipher option is enough)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537 -aes-256-cbc -pass pass:${CRTPASS} -out ${CRTNAME}.key
# -passin/-passout supply the same passphrase non-interactively; the .pfx password must
# match the one passed to new X509Certificate2("server.pfx", "testpass123")
openssl req -new -sha384 -subj "${SUBJECT}" -key ${CRTNAME}.key -passin pass:${CRTPASS} -out ${CRTNAME}.csr
openssl x509 -req -days 3650 -signkey ${CRTNAME}.key -passin pass:${CRTPASS} -in ${CRTNAME}.csr -out ${CRTNAME}.crt
openssl pkcs12 -export -out ${CRTNAME}.pfx -inkey ${CRTNAME}.key -in ${CRTNAME}.crt -passin pass:${CRTPASS} -passout pass:${CRTPASS}

openssl x509 -text -in ${CRTNAME}.crt

# Client certificate, same procedure
CRTNAME="client"
SUBJECT="/C=DE/ST=Westerstede/L=Westerstede/O=test GmbH/OU=test/CN=test[${CRTNAME}]/emailAddress=test@test.de"
rm -f ${CRTNAME}.key ${CRTNAME}.csr ${CRTNAME}.crt ${CRTNAME}.pfx
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537 -aes-256-cbc -pass pass:${CRTPASS} -out ${CRTNAME}.key
openssl req -new -sha384 -subj "${SUBJECT}" -key ${CRTNAME}.key -passin pass:${CRTPASS} -out ${CRTNAME}.csr
openssl x509 -req -days 3650 -signkey ${CRTNAME}.key -passin pass:${CRTPASS} -in ${CRTNAME}.csr -out ${CRTNAME}.crt
openssl pkcs12 -export -out ${CRTNAME}.pfx -inkey ${CRTNAME}.key -in ${CRTNAME}.crt -passin pass:${CRTPASS} -passout pass:${CRTPASS}

openssl x509 -text -in ${CRTNAME}.crt

Before that I tested similar code in a "Console App (.NET Core)" targeting ".NET Core 3.1", and it raised the exception "Cannot determine the frame size or a corrupted frame was received".

I would like to know:

1, Does .NET 5.0 already support TLS 1.3?

2, Could this exception be caused by problems with my pfx certificates?

3, Does Windows 10 support TLS 1.3? If not, when will it? I cannot find the official plan.

4, How can I use TLS 1.3 in a UWP project under the current situation?
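An added example, not code from the question or its comments, showing two things a defender would want in this test: a validation callback that accepts only the one self-signed certificate generated above (compared by thumbprint) instead of returning true for everything, and a helper that reports the protocol and cipher suite SslStream actually negotiated so a TLS 1.2 fallback or a failed TLS 1.3 handshake is visible. It assumes the question's serverCert/clientCert objects and SslStream instances; the class and method names TlsCheck, PinTo and Describe are mine.

```csharp
using System;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

namespace TestSsl {
    // Hypothetical helper added for this example; not part of the question's code.
    static class TlsCheck {
        // Trust exactly one expected certificate (the self-signed server.pfx or client.pfx
        // generated above), compared by thumbprint. Chain and name-mismatch errors are
        // unavoidable for those certificates (no CA, no SAN), so the pin replaces them
        // rather than ignoring every error the way "return true" does.
        public static RemoteCertificateValidationCallback PinTo(X509Certificate2 expected) {
            return (sender, certificate, chain, sslPolicyErrors) => {
                if (certificate == null) return false;
                using (X509Certificate2 presented = new X509Certificate2(certificate)) {
                    bool ok = string.Equals(presented.Thumbprint, expected.Thumbprint,
                                            StringComparison.OrdinalIgnoreCase);
                    if (!ok) {
                        Console.WriteLine($"rejected {presented.Subject} ({sslPolicyErrors})");
                    }
                    return ok;
                }
            };
        }

        // Call right after AuthenticateAsServer/AuthenticateAsClient returns: reports what
        // was actually negotiated and, if requested, fails loudly when it is not TLS 1.3.
        public static string Describe(SslStream stream, bool requireTls13) {
            string summary = $"protocol={stream.SslProtocol} cipher={stream.NegotiatedCipherSuite} " +
                             $"mutual={stream.IsMutuallyAuthenticated}";
            if (requireTls13 && stream.SslProtocol != SslProtocols.Tls13) {
                throw new AuthenticationException("expected TLS 1.3 but negotiated " + summary);
            }
            return summary;
        }
    }
}
```

In the question's code, build the client SslStream with TlsCheck.PinTo(serverCert) and the server SslStream with TlsCheck.PinTo(clientCert), then print TlsCheck.Describe(sslStream, true) directly after each Authenticate call.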

  • 2
    https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/ seems to be the best resource to answer your questions. Looks like it's a bit of a work in progress. – ADyson Nov 11 '20 at 09:16
  • 1
    https://github.com/dotnet/docs/issues/4675#issuecomment-678421120 and https://stackoverflow.com/questions/64212994/net-4-8-tls-1-3-issue-on-windows-10 should be on your reading list too, by the looks of it – ADyson Nov 11 '20 at 09:18
  • 3
    TLS is handled by operating System. Browser to connect to a Website using TLS is already working on your machine. If you look at the browser setting you will already see an option to enable/disable TLS 1.3. .Net support just means providing the setting for TLS 1.3 but not actually adding the code. Also the encryption mode needs to be added to .Net so you can create certificates to be used by TLS 1.3. There is a Windows Enumeration for the TLS modes and you can use the integer number with older version of .Net. See : https://docs.microsoft.com/en-us/dotnet/api/system.net.securityprotocoltype?view=net-5.0 – jdweng Nov 11 '20 at 09:33
  • 1
    @ADyson the blog and issues you posted say the opposite - TLS1.3 support was added to .NET 5. The rest of the discussion is mainly noise - misconceptions about OS vs Internet settings, looking for OS settings at the wrong place etc – Panagiotis Kanavos Nov 11 '20 at 09:33
  • 1
    @PanagiotisKanavos I see what you're saying. But I suppose my point was that it's only added to .NET 5 if you're using a certain release (RC1 or later), and Windows 10 if you're using a certain version (1903) or above. And OP didn't state which versions of those they're using. The blog is also several months older, so differences are to be expected (and I'd expect a reader to notice that) but it does give a bit of a roadmap, and there doesn't seem to be a better resource out there providing much of a summary. Also I don't see any _direct_ contradictions between the articles really. – ADyson Nov 11 '20 at 09:52
  • 1
    @ADyson `Finally .NET 5.0 is released,`. The error isn't about TLS though. It's not raised when trying to open establish an SSL connection, it's raised when trying to authenticate to the server. Which is the OP's TcpServer class. This is about the OP's code. – Panagiotis Kanavos Nov 11 '20 at 09:54
  • 1
    @PanagiotisKanavos I was addressing the specific questions 1 and 3 raised by the OP rather than the error messages. I appreciate they may not be relevant to the error message specifically, but was just trying to help with general info – ADyson Nov 11 '20 at 10:03
  • Just now I ran this program in a Windows 10 insider (OS Build 20231.1000) and it worked well. –  Nov 11 '20 at 13:29

0 Answers