Rebex .NET components 2016 R3: Elliptic curve cryptography and enhanced certificate validation

  |   Lukas Pokorny

This is a major release - it adds support for various elliptic curve ciphers to Rebex components based both on TLS/SSL and SSH. Due to limited support for elliptic curve algorithms in Windows and .NET Framework, you might need to register a plugin to make this work - depending on the cipher and platform. Check out our KB article on Elliptic Curve Cryptography plugins for details.

Another noticeable feature is the built-in certificate validator that adds support for SHA-2 certificate on legacy .NET Compact Frameworks platforms. It's enabled automatically, which means you will no longer get "Signature algorithm not supported" error when connecting to TLS/SSL-enabled FTP, IMAP, POP3, SMTP EWS or Telnet servers from your Windows Mobile 5.x/6.x applications.

Finally, please note that we have disabled some legacy ciphers in TLS/SSL and SSH that no one should really be using any more in 2017. For example, the still-widely-used diffie-hellman-group1-sha1 SSH key exchange algorithm is extremely weak and makes the encrypted communication virtually transparent to state-level adversaries (and possibly to anyone else soon).

More information about enhancements in 2016 R3:

Elliptic curve cryptography in TLS/SSL

All Rebex components utilizing our TLS/SSL library now support the following TLS ciphers based on Elliptic Curve Diffie-Hellman (ECDH) algorithm:


Supported curves:

  • NIST P-256
  • NIST P-384
  • NIST P-521
  • Brainpool P256 R1
  • Brainpool P384 R1
  • Brainpool P512 R1
  • Curve 25519

Please note that external plugins might be needed for some of those algorithms or curves on some platforms.

Elliptic curve cryptography in SSH

All Rebex components utilizing our SSH library now support SSH key exchange algorithms based on Elliptic Curve Diffie-Hellman (ECDH) algorithm and SSH host key algorithms based on Elliptic Curve DSA (ECDSA) and Edwards-curve DSA (EdDSA) algorithms:

  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-ed25519

Please note that external plugins might be needed for some of those algorithms or curves on some platforms.

Enhanced SHA-2 certificate validation on all .NET Compact Framework platforms

We still support .NET Compact Framework 2.0, 3.5 and 3.9 and Windows CE 5.0 and higher. Unfortunately, legacy versions of Windows CE won't get native support for X509 certificates signed using SHA-2 algorithms, which essentially makes the native certifiacte validator useless - it only supports SHA-1, which is getting deprecated.

As a workaround to this platform limitation, we introduce a new built-in certificate validator. It handles SHA-2 and is used by default on .NET Compact Framework platforms that lack native SHA-2 support.

Proper certificate validation on Universal Windows Platform

Support for Universal Windows Platform is still experimental, but it just got much better. We now support the platform's native certificate validation provided by Windows.Security.Cryptography.Certificates namespace. There is now no need to implement custom validators in your Windows 10 Store applications.

New OpenSSH key format support

SshPrivateKey and PrivateKeyInfo objects can read server and client keys utilizing the new OpenSSH key format (Base64-encoded keys with "BEGIN OPENSSH PRIVATE KEY" header). This format is usually used to store ED25519 or ECDSA keys.

Remote checksum calculation

Ftp, Sftp and FileTransferClient objects now feature GetChecksum methods, making it possible to retrieve a checksum or hash of a remote file (or part of it). Together with the new LocalItem.GetChecksum method, this makes it easily possible to reliably detect changed files.

Please note that this functionality is not supported by all servers (for SFTP, "file-check" extension support is required). Ftp.GetRemoteChecksum methods are now considered deprecated.

Optimized memory usage of MailMessage/MimeMessage objects

We have refactored the internals of our mail objects to make them consume less memory. Working with large messages is much more efficient now.

OAUTH authentication in EWS

The Ews object now supports OAUTH 2.0 authentication with Microsoft's Office365 and servers.

Mailbox synchronization in EWS

Keeping a local cache of folders and items in sync with the server is now very simple using GetUpdatedItems and GetUpdatedFolders methods.

Fine-tuning enabled ciphers in SSH

Previously, SshParameters only made it possible to enable/disable groups of ciphers. Now, it's possible to fine-tune the list of supported algorithms, including their preferred order (client-side only) using SetKeyExchangeAlgorithms, SetHostKeyAlgorithms, SetEncryptionAlgorithms and SetMacAlgorithms methods. Please note that KeyExchangeAlgorithms, HostKeyAlgorithms, EncryptionAlgorithms and MacAlgorithms properties still apply - a cipher is only used when it is enabled by both the method and property.

Disabled weak legacy ciphers in TLS/SSL

All legacy EXPORT1024_* ciphers are now prohibited by default in addition to already-prohibited EXPORT_* ciphers. SslAllowVulnerableSuites option can be used to enable them, but this is strongly discouraged.

Disabled weak algorithms in SSH

Several legacy ciphers are now disabled by default: diffie-hellman-group1-sha1, blowfish-ctr, blowfish-cbc, arcfour256, arcfour128, arcfour. Use SshParameters.KeyExchangeAlgorithms and SshParameters.EncryptionAlgorithms to enable them.

Weak RSA server host keys shorter than 1024 bits are now rejected by default. Use SshParameters.MinimumRsaKeySize property to specify a custom key size.

And more...

For a complete list of changes in 2016 R3, see the release history.