On T194380 we discovered several bots/tools running on toolforge using .NET / mono that aren't able to talk modern TLS and that would be unable to connect to WMF sites after the deprecation of AES128-SHA is done as part of T192555.
I've tested the TLS capabilities of the mono environment using a pretty simple bot that just logins into wikipedia and exits:
using System; using DotNetWikiBot; class MyHelloBot : Bot { public static void Main() { Site site = new Site("https://en.wikipedia.org", "VGutiérrez (WMF)@vgutierrez-test-bot", "password"); } }
This code run on a trusty container with mono-project latest stable mono version (5.12) and a stock DotNetWikiBot 3.15 it's able to connect to en.wikipedia.org using TLS 1.2 and ECDHE-ECDSA-CHACHA20-POLY1305 as the ciphersuite.
FROM ubuntu:trusty RUN apt-get update && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF && \ apt-get install -y apt-transport-https && \ echo "deb https://download.mono-project.com/repo/ubuntu stable-trusty main" | tee /etc/apt/sources.list.d/mono-official-stable.list && \ apt-get update && apt-get install -y mono-devel WORKDIR /app COPY . . RUN mono-csc -debug+ -optimize- -reference:DotNetWikiBot.Build.for.Mono.dll hello.cs CMD mono --debug hello.exe
So it would be great if we could provide an up-to-date mono environment on toolforge that's able to speak modern TLS and comply with our own TLS requirements :)