Recommended for .Net?

Edward Ned Harvey (openssl)

At work, we develop software in .NET, currently using the built-in SslStream class, and I'm considering abandoning it.

Is OpenSSL recommended for SSL/TLS communications in .NET?  And if so, should I just download the win binaries from  http://slproweb.com/products/Win32OpenSSL.html ?

I'm interested in a redistributable library package.  Not looking for the openssl command line utility.

Re: Recommended for .Net?

Kyle Hamilton
I do not recommend OpenSSL for .NET, because it is written in C and
does not have a prewritten P/Invoke wrapper assembly.

There exist native .NET assemblies that do not require P/Invoke; one
that I like is the BouncyCastle C# API (written for .NET 2.0, but
compilable on .NET 2.0 and later).  It is available at
http://www.bouncycastle.org/csharp/ .  Because it runs on the Common
Language Runtime, though, it does not require C# for its client code.

As much as I dislike recommending people away from OpenSSL on the
OpenSSL lists, I must acknowledge that OpenSSL is not a good option
for the CLR (which is implemented by .NET, as well as Mono).  It would
be appropriate for transitioning an existing codebase from C++ to
Managed C++, but not much more than that.

If you need a FIPS-certified* library, it would make sense to use
OpenSSL and invest the time and effort to create the P/Invoke wrapper,
because BouncyCastle C# does not carry a FIPS certificate.

-Kyle H

*: Steve Marquess, before you say "it's not a certification, it's a
validation," please consider this.  Most of your (and the OpenSSL
team's) effort goes into proving that it can be validated by the CMVP,
so your focus is always on the validation.  But, the ultimate
procurement requirement is for a module with a certificate issued by
NIST, and even a validated and certified module may have its
certificate revoked.  The NIST certificate for modules which have
passed FIPS 140-2 validation thus functions as and is
indistinguishable from a FIPS certification, so I use "FIPS-certified"
as the appropriate adjective.

On Mon, Apr 21, 2014 at 10:54 AM, Edward Ned Harvey (openssl)
<[hidden email]> wrote:

> At work, we develop software in .NET, currently using the built-in SslStream
> class, and I'm considering abandoning it.
>
> Is Openssl recommended for SSL/TLS communications in .NET?  And if so,
> should I just download the win binaries from
> http://slproweb.com/products/Win32OpenSSL.html ?
>
> I'm interested in a redistributable library package.  Not looking for
> openssl command line utility.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
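To make concrete what Kyle means by "create the P/Invoke wrapper", here is an added example (not from the thread, and not part of OpenSSL or BouncyCastle) of the minimum a .NET caller has to write for just two OpenSSL entry points: a declaration per native function, a SafeHandle so the native SSL_CTX is freed exactly once, and manual string marshalling. The library file name `libcrypto-1_1.dll` / `libssl-1_1.dll` is an assumption about the 1.1.x Win32 build layout; the functions `OpenSSL_version`, `TLS_client_method`, `SSL_CTX_new` and `SSL_CTX_free` are real OpenSSL 1.1.x APIs. Every further function you use (BIO, SSL, X509, error queue) needs the same treatment, which is the ongoing cost this thread is weighing against a managed library.

```csharp
using System;
using System.Runtime.InteropServices;

// Added illustration of a hand-written P/Invoke layer over OpenSSL.
// Assumption: the Win32 OpenSSL 1.1.x DLLs are on the PATH under these names.
internal static class NativeMethods
{
    private const string CryptoLib = "libcrypto-1_1.dll";
    private const string SslLib = "libssl-1_1.dll";

    // const char *OpenSSL_version(int type);  OPENSSL_VERSION == 0
    [DllImport(CryptoLib, CallingConvention = CallingConvention.Cdecl)]
    internal static extern IntPtr OpenSSL_version(int type);

    // const SSL_METHOD *TLS_client_method(void);
    [DllImport(SslLib, CallingConvention = CallingConvention.Cdecl)]
    internal static extern IntPtr TLS_client_method();

    // SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
    [DllImport(SslLib, CallingConvention = CallingConvention.Cdecl)]
    internal static extern SslContextHandle SSL_CTX_new(IntPtr method);

    // void SSL_CTX_free(SSL_CTX *ctx);
    [DllImport(SslLib, CallingConvention = CallingConvention.Cdecl)]
    internal static extern void SSL_CTX_free(IntPtr ctx);
}

// A SafeHandle ties the native object's lifetime to the GC/finalizer so a
// forgotten Dispose() does not leak, and a double Dispose() does not double-free.
internal sealed class SslContextHandle : SafeHandle
{
    private SslContextHandle() : base(IntPtr.Zero, ownsHandle: true) { }

    public override bool IsInvalid => handle == IntPtr.Zero;

    protected override bool ReleaseHandle()
    {
        NativeMethods.SSL_CTX_free(handle);
        return true;
    }
}

public static class OpenSslInterop
{
    // Copies the C string out of native memory; OpenSSL owns that buffer,
    // so it must not be freed from managed code.
    public static string Version()
    {
        IntPtr p = NativeMethods.OpenSSL_version(0);
        return p == IntPtr.Zero ? "<unknown>" : Marshal.PtrToStringAnsi(p);
    }

    // Creates and immediately releases a client context, as a smoke test that
    // the DLLs load and the signatures above match the native ABI.
    public static bool CanCreateClientContext()
    {
        IntPtr method = NativeMethods.TLS_client_method();
        if (method == IntPtr.Zero) return false;

        using (SslContextHandle ctx = NativeMethods.SSL_CTX_new(method))
        {
            return !ctx.IsInvalid;
        }
    }

    public static void Main()
    {
        Console.WriteLine("Linked against: " + Version());
        Console.WriteLine("SSL_CTX_new works: " + CanCreateClientContext());
    }
}
```

Note what is still missing after this much code: error-queue translation (ERR_get_error and friends) into .NET exceptions, certificate verification callbacks, BIO plumbing for the socket, and a build matrix for x86/x64 DLLs. A wrapper like this also has to be re-checked whenever the native struct or function signatures change between OpenSSL releases, which is exactly the maintenance burden a CLR-native library such as BouncyCastle avoids.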