The official Xamarin documentation for App Transport Layer Security (iOS, Android) states that the managed HttpClient implementation does only support TLS 1.0. It strongly recommends updating Xamarin Apps to native HttpClient implementations to support TLS 1.2. Visual Studio states this as well:
However, the documentation is contradictory. When describing the managed HttpClient implementation, it states something like:
> It is not fully integrated with the OS (eg. limited to TLS 1.0).
The documentation later has contradicting statements like:
> Beginning with Xamarin.Android 8.3, HttpClientHandler defaults to Boring SSL ... It supports TLS 1.2+.
Furthermore, this very helpful Xamarin blog post states that TLS 1.2 is indeed possible with the managed HttpClient implementation by choosing the SSL/TLS option "native TLS 1.2" (which is the default on iOS and cannot be changed on iOS).
Last, but not least, I tested the HttpClient of the current stable Xamarin version [1] against https://www.nist.gov, which only supports TLS 1.2. I verified that the server only accepts TLS 1.2 with:

```
openssl s_client -connect nist.gov:443 -no_tls1_2
```
If the managed HttpClient implementation really does only support TLS 1.0, I would expect that the following connection fails:
```csharp
var client = new HttpClient();
var result = await client.GetStringAsync("https://www.nist.gov");
```
However, the connection succeeds with the following settings:
- iOS: HttpClient implementation Managed
- Android: HttpClient implementation Managed (HttpClientHandler) or Default, and SSL/TLS implementation Native TLS 1.2.
This leads me to the following questions:
- Is the Xamarin documentation outdated when stating that the managed HttpClient implementation does only support TLS 1.0?
- Is my test against https://www.nist.gov valid? Does it indeed show that the managed HttpClient implementation supports TLS 1.2? Or am I missing something?
[1] Visual Studio 7.5.2 (build 40), Xamarin.iOS 11.12.0.4, Xamarin.Android 8.3.3.2
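
The server-side check described in the post, generalized into a per-version probe, as an added example that is not part of the original post: it forces one protocol version per `openssl s_client` run and classifies each result. The function names and the sample output excerpts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): probe one TLS version at a time.

# Classify `openssl s_client` output read on stdin:
#   accepted - a cipher was negotiated, so the forced version was accepted
#   rejected - the handshake ended with "Cipher is (NONE)"
#   unknown  - no cipher line at all (e.g. openssl did not recognise the flag)
handshake_result() {
    awk '
        /Cipher is \(NONE\)/ { r = "rejected"; next }
        /Cipher is /         { r = "accepted" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# Run one probe. $1 = host, $2 = version flag: -tls1, -tls1_1 or -tls1_2.
probe() {
    openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>&1 |
        handshake_result
}

# $1, $2, $3 = results for TLS 1.0, 1.1, 1.2. True when 1.2 is the lowest accepted.
tls12_is_minimum() {
    [ "$1" = rejected ] && [ "$2" = rejected ] && [ "$3" = accepted ]
}

# Constructed s_client excerpts so the parser can be exercised offline.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
---'
SAMPLE_FAIL='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---'

# Live use (needs network), with the host from the post:
#   for f in -tls1 -tls1_1 -tls1_2; do echo "$f: $(probe www.nist.gov "$f")"; done

# Offline demonstration on the constructed samples.
printf 'sample ok:   %s\n' "$(printf '%s\n' "$SAMPLE_OK" | handshake_result)"
printf 'sample fail: %s\n' "$(printf '%s\n' "$SAMPLE_FAIL" | handshake_result)"
```

A local OpenSSL build or policy that disables older protocol versions also produces a failed handshake, so a `rejected` result for TLS 1.0 or 1.1 is only meaningful when the probing client can itself speak that version.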