
Does the managed Xamarin HttpClient implementation support TLS 1.2?

Updated: 2022-10-16 22:16:30


The official Xamarin documentation for App Transport Layer Security (iOS, Android) states that the managed HttpClient implementation only supports TLS 1.0. It strongly recommends updating Xamarin apps to the native HttpClient implementations to support TLS 1.2. Visual Studio states this as well:

However, the documentation is contradictory. When describing the managed HttpClient implementation, it states something like:

It is not fully integrated with the OS (eg. limited to TLS 1.0).

The documentation later has contradicting statements like:

Beginning with Xamarin.Android 8.3, HttpClientHandler defaults to Boring SSL ... It supports TLS 1.2+.

Furthermore, this very helpful Xamarin blog post states that TLS 1.2 is indeed possible with the managed HttpClient implementation by choosing the SSL/TLS option "native TLS 1.2" (which is the default on iOS and cannot be changed on iOS).

Last, but not least, I tested the HttpClient of the current stable Xamarin version [1] against https://www.nist.gov, which only supports TLS 1.2. I verified that the server only accepts TLS 1.2 with:

openssl s_client -connect nist.gov:443 -no_tls1_2

If the managed HttpClient implementation really does only support TLS 1.0, I would expect that the following connection fails:

using System.Net.Http;

var client = new HttpClient();
var result = await client.GetStringAsync("https://www.nist.gov");

However, the connection succeeds with the following settings:

  • iOS: HttpClient implementation Managed
  • Android: HttpClient implementation Managed (HttpClientHandler) or Default, and SSL/TLS implementation Native TLS 1.2.

This leads me to the following questions:

  1. Is the Xamarin documentation outdated when stating that the managed HttpClient implementation only supports TLS 1.0?
  2. Is my test against https://www.nist.gov valid? Does it indeed show that the managed HttpClient implementation supports TLS 1.2? Or am I missing something?


[1] Visual Studio 7.5.2 (build 40), Xamarin.iOS 11.12.0.4, Xamarin.Android 8.3.3.2

If you use the "native" handler (Android or iOS) it is using the native APIs to implement the HttpClientHandler features and thus is "platform dependent" upon whether or not TLS1.2 would be supported, i.e. Android 5/API-21 does not natively support TLS1.2, most Android developers use a 3rd-party lib...

When you enable "native SSL/TLS" it is using Google's BoringSSL (that is now included in your app bundle) and not the native platform APIs. Thus TLS1.2 is supported even with the "Managed" HttpClientHandler. This option allows the ".Net framework/Mono" to support the latest SSL/TLS on iOS & Android, such as .Net Sockets, WebClient, etc., and of course HttpClient.

https://www.nist.gov Test:

Android Handler / Managed SSL    :  No exception
Managed Handler / Native SSL/TLS :  No exception
Android Handler / Native SSL/TLS :  No exception
Managed Handler / Managed SSL    :  Error: SecureChannelFailure 

SecureChannelFailure:

[MonoDroid] UNHANDLED EXCEPTION:
[MonoDroid] System.Net.Http.HttpRequestException: An error occurred while sending the request ---> System.Net.WebException: Error: SecureChannelFailure (The authentication or decryption has failed.) --->
System.IO.IOException: The authentication or decryption has failed. --->
System.IO.IOException: Error while sending TLS Alert (Fatal:InternalError): System.IO.IOException: The authentication or decryption has failed. --->
System.IO.IOException: Unable to read data from the transport connection: Connection reset by peer. ---> 
System.Net.Sockets.SocketException: Connection reset by peer
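Both the question's test and the table above treat "no exception from GetStringAsync" as proof of TLS 1.2. The following is an added example (not code from the question, the answer or Xamarin) that makes the check explicit: it opens a raw TLS session with SslStream, offering one protocol version at a time, and reports the version the peer actually agreed to. It assumes that SslStream goes through the same SSL/TLS implementation as HttpClient under the "Native TLS 1.2" setting, as the answer states for .Net Sockets and WebClient; the host name is the page's test host, and the method and class names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

// Added example, not from the original question or answer.
// HttpClient.GetStringAsync only tells you "no exception"; SslStream exposes
// the protocol that was actually negotiated, so a TLS 1.2 claim can be checked
// directly. The host is an assumption (the page's test host is www.nist.gov).
public static class TlsProbe
{
    // Opens a TLS session offering only `offered` and returns the protocol the
    // peer agreed to. Throws AuthenticationException or IOException when the
    // handshake fails (the SecureChannelFailure case shown in the answer).
    public static async Task<SslProtocols> NegotiateAsync(
        string host, SslProtocols offered, int port = 443)
    {
        using (var tcp = new TcpClient())
        {
            await tcp.ConnectAsync(host, port);
            using (var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
            {
                // Certificate validation is left at the default (full chain check),
                // so a failure here is about the protocol version, not a bypassed cert.
                await ssl.AuthenticateAsClientAsync(host, null, offered, checkCertificateRevocation: true);
                return ssl.SslProtocol;
            }
        }
    }

    // Tries TLS 1.0, 1.1 and 1.2 one at a time and records the outcome of each.
    // Against a TLS 1.2-only server the first two should fail and only Tls12
    // should succeed; if Tls12 also fails, the client stack cannot do TLS 1.2.
    public static async Task<Dictionary<SslProtocols, string>> ProbeAllAsync(string host)
    {
        var results = new Dictionary<SslProtocols, string>();
        foreach (var offered in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            try
            {
                var negotiated = await NegotiateAsync(host, offered);
                results[offered] = "ok, negotiated " + negotiated;
            }
            catch (Exception ex)
            {
                results[offered] = "failed: " + ex.GetType().Name + ": " + ex.Message;
            }
        }
        return results;
    }

    // Usage from an async handler in the app (host is an assumed value):
    //   foreach (var kv in await TlsProbe.ProbeAllAsync("www.nist.gov"))
    //       Console.WriteLine($"{kv.Key}: {kv.Value}");
}
```

Run it once per SSL/TLS setting (Managed SSL and Native TLS 1.2) and compare the dictionary with the table above. A "Tls12" entry that reads "ok, negotiated Tls12" is a stronger statement than a request that merely did not throw, and a Tls12 entry that fails under Managed SSL is the same condition that produced the SecureChannelFailure trace.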