Why HTTPS fails on mono?

Https communication is a complex procedure. At the time of writing (02/12/2016), mono does not support the all algorithms used in HTTPS transfers that exist. Luckily most server have multiple algorithms they support. So when mono (WG++ on linux) had to deal with such a server, it could use an algorithm that he had available. But the last year we see more and more server use algorithms (TLS1.2) that are not supported in mono.

On windows WG++ doesn't have this issue, because it uses a windows TLS stack, that supports TLS1.2.

UPDATE: (22/02/2017) As of Mono 4.8.0 we can see that a TLS1.2 stack has been introduced. And first tests point out that now it is possible to use a mono only solution.

Current steps to make thinks work:

1. make sure you have >= Mono 4.8.0

2. export MONO_TLS_PROVIDER=btls

3. Download and import trusted root certificates from Mozilla's LXR into Mono's certificate store

mozroots --import --sync

4. Normally step 3. should be replaced with

cert-sync /etc/ssl/certs/ca-certificates.crt

But on our test setup, this failed.

5. Convert from the old Mono certificate store into the new one

btls-cert-sync

The above steps should only be done once. So not on every run of WG++.

Previous, before the TLS1.2 support in Mono, a user (Blackbear199) had come up with a workaround (php based). (See here for an example)