+1 vote
by (300 points)

We are encountering an SSL/TLS handshake issue with a secure WebSocket (WSS) connection after migrating our app to .NET 9 MAUI (iOS).

Observed behavior:
In Xamarin and .NET 8, setting SSLAcceptsAllCertificates = false works correctly for the WebSocket connection.
In .NET 9 MAUI, the WebSocket connection fails when SSLAcceptsAllCertificates = false.
The same WebSocket connection works when SSLAcceptsAllCertificates = true.

Is there a reason that the issue may be related to:

  • Stricter SSL/TLS validation or security changes introduced in .NET 9, specifically affecting WSS, or
  • TLS / certificate compatibility issues

Rebex log file:

026-01-31 18:00:07.571 Opening log file.
2026-01-31 18:00:07.572 INFO FileLogWriter(1)[1] Info: Assembly: Rebex.Common 7.0.8720 for .NET 8.0
2026-01-31 18:00:07.574 INFO FileLogWriter(1)[1] Info: Platform: iOS (Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:48:46 PDT 2025; root:xnu-11417.121.6~2/RELEASEARM64T8103) 64-bit; CLR: .NET 9.0.9
2026-01-31 18:00:28.476 INFO WebSocketClient(2)[1] WebSocket: Connecting to 'wss://xxx.xxx.0.1:port/maintenance'...
2026-01-31 18:00:28.476 INFO WebSocketClient(2)[1] Info: Assembly: Rebex.WebSocket 7.0.8720 for .NET 8.0
2026-01-31 18:00:28.476 INFO WebSocketClient(2)[1] Info: Platform: iOS (Darwin 24.5.0 Darwin Kernel Version 24.5.0: Tue Apr 22 19:48:46 PDT 2025; root:xnu-11417.121.6~2/RELEASEARM64T8103) 64-bit; CLR: .NET 9.0.9
2026-01-31 18:00:28.484 INFO WebSocketClient(2)[16] HTTP: Connecting to 'https://xxx.xxx.0.1:port'...
2026-01-31 18:00:28.713 INFO WebSocketClient(2)[16] TLS: Fatal Alert:HandshakeFailure was received.
2026-01-31 18:00:28.736 ERROR WebSocketClient(2)[16] HTTP: Error while sending request: Rebex.Net.TlsException: Fatal error 'HandshakeFailure' has been reported by the remote connection end.
---> Rebex.Net.TlsException: Fatal error 'HandshakeFailure' has been reported by the remote connection end.
at xoaqd.tfdcv.afkck(Byte[] p0, Int32 p1, Int32 p2)
at xoaqd.gkalo.bafky(Byte[] p0, Int32 p1, Int32 p2)
at xoaqd.gkalo.sbpqr()
--- End of inner exception stack trace ---
at xoaqd.gkalo.sbpqr()
at xoaqd.gkalo.iblqr()
at xoaqd.kkpkm.tfmmk()
at xoaqd.kkpkm.yeisg()
at Rebex.Net.TlsSocket.srugk()
at Rebex.Net.TlsSocket.Negotiate()
at xoaqd.uyyjp.pyfbt(ISocket p0, TlsCipher& p1)
at xoaqd.uyyjp.dxnpe()
at xoaqd.krjti.rzopz()
at xoaqd.krjti.nthub(Boolean p0)
at xoaqd.krjti.bdzva()

Could you please help clarify:

  • Whether this behavior change is expected for secure WebSocket (WSS) connections in .NET 9 MAUI?
  • What the recommended approach is to make SSL validation work correctly for WebSockets without disabling certificate checks?

Thank you for your support.

Applies to: Rebex WebSocket

1 Answer

+1 vote
by (151k points)
Best answer

First of all, please be aware that v7.0.8720 of the Rebex WebSocket library does not support .NET 9 or .NET 10, and is not actually expected to work on these platforms. It was published before these platforms existed and has never been tested on them. If it works at all, compatibility issues are to be expected, particularly on mobile platforms, which have seen a lot of updates in .NET 9 and .NET 10, some of which we had to address in subsequent releases of Rebex WebSocket.

As for the "Fatal error 'HandshakeFailure' has been reported by the remote connection end" error - it's not even clear yet whether this is related to certificate validation at all. A log created at LogLevel.Debug might shed some light onto this. However, it would really be useful to try using a more recent version of Rebex WebSocket library that actually supports .NET 9 and has been tested on it.

by (300 points)
Hi Lukas,
Thank you for your response and suggestion. We are currently working on upgrading our library as recommended.
However, we would also like to further investigate this issue to ensure it is not occurring due to certificate validation. We are assuming it may be related to validation, as the connection works properly when the property SSLAcceptsAllCertificates is set to true.
I have attached the Rebex log with Debug-level information for your reference.


2026-02-12 12:17:06.558 Opening log file.
2026-02-12 12:17:06.559 INFO FileLogWriter(1)[1] Info: Assembly: Rebex.Common 7.0.8720 for .NET 8.0
2026-02-12 12:17:06.565 INFO FileLogWriter(1)[1] Info: Platform: iOS (Darwin 25.2.0 Darwin Kernel Version 25.2.0: Fri Jan  9 18:27:38 PST 2026; root:xnu-12377.62.10~267/RELEASE_ARM64_T8103) 64-bit ARM; CLR: .NET 9.0.9
2026-02-12 12:17:06.566 DEBUG FileLogWriter(1)[1] Info: Culture: en; windows-1252
2026-02-12 12:17:12.956 INFO WebSocketClient(2)[1] WebSocket: Connecting to 'wss://xxx.xxx.0.1:xxxx/maintenance'...
2026-02-12 12:17:12.956 INFO WebSocketClient(2)[1] Info: Assembly: Rebex.WebSocket 7.0.8720 for .NET 8.0
2026-02-12 12:17:12.956 INFO WebSocketClient(2)[1] Info: Platform: iOS (Darwin 25.2.0 Darwin Kernel Version 25.2.0: Fri Jan  9 18:27:38 PST 2026; root:xnu-12377.62.10~267/RELEASE_ARM64_T8103) 64-bit ARM; CLR: .NET 9.0.9
2026-02-12 12:17:12.956 DEBUG WebSocketClient(2)[1] Info: Culture: en; windows-1252
2026-02-12 12:17:12.960 INFO WebSocketClient(2)[4] HTTP: Connecting to 'https://xxx.xxx.0.1:xxxx'...
2026-02-12 12:17:12.963 DEBUG WebSocketClient(2)[4] Proxy: Connecting to xxx.xxx.0.1:xxxx (no proxy).
2026-02-12 12:17:12.975 DEBUG WebSocketClient(2)[4] Proxy: Connection established.
2026-02-12 12:17:13.012 DEBUG WebSocketClient(2)[4] TLS: Using classic TLS core.
2026-02-12 12:17:13.013 DEBUG WebSocketClient(2)[4] TLS: Enabled cipher suites: 0x0C1F3CC32B000000.
2026-02-12 12:17:13.013 DEBUG WebSocketClient(2)[4] TLS: Applicable cipher suites: 0x0C1F3CC32B000000.
2026-02-12 12:17:13.040 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:ClientHello was sent.
2026-02-12 12:17:13.064 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:ServerHello was received.
2026-02-12 12:17:13.065 INFO WebSocketClient(2)[4] TLS: Negotiating TLS 1.2, ECDSA with ephemeral ECDH, AES with 256-bit key in GCM mode, AEAD.
2026-02-12 12:17:13.065 DEBUG WebSocketClient(2)[4] TLS: The server supports secure renegotiation.
2026-02-12 12:17:13.065 DEBUG WebSocketClient(2)[4] TLS: Extended master secret is enabled.
2026-02-12 12:17:13.065 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:Certificate was received.
2026-02-12 12:17:13.068 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:ServerKeyExchange was received.
2026-02-12 12:17:13.068 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:CertificateRequest was received.
2026-02-12 12:17:13.068 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:ServerHelloDone was received.
2026-02-12 12:17:13.069 DEBUG WebSocketClient(2)[4] TLS: Verifying server certificate ('Description=1.3.6.1.4.1.20219.3.2.1.2, CN=80012968120000440335000120633').
by (151k points)
Version 7.0.8720 of Rebex WebSocket library is not actually supposed to work on .NET 9 or .NET 10 at all. Please try an up-to-date version instead!

Based on the described behavior, I agree this has something to do with certificate validation. However, even the second log posted above is still incomplete - it shows "Verifying server certificate", but then more lines should follow, detailing the result of that operation, which would hopefully make it possible to tell what is going on. But that part of the log is missing. Are you sure the log indeed ends with that line?

Additionally, how does the issue actually manifest in your application?
Does the WebSocketClient method throw an exception?
If it does, what does the exception message say?

But really, try this with version 7.0.9448. The old version 7.0.8720 predates both .NET 9 and 10, and is not actually supported on these platforms, even if it did work due to pure luck.
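
A small triage helper for logs in the format posted in this thread, added here as an illustration (it is not Rebex code and not part of the original posts): it lists the handshake messages seen, flags a CertificateRequest and any alert together with its direction, and reports when the log stops at "Verifying server certificate" with no result after it. The function name `triage` and the sample lines are constructed for this example.

```python
import re

# Line shape used by the Rebex logs in this thread:
# "<date> <time> <LEVEL> <source>[<thread>] <area>: <message>"
LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} [\d:.]+ (\w+) \S+ (\w+): (.*)$")
EVENT_RE = re.compile(r"(HandshakeMessage|Alert):(\w+) was (sent|received)")

def triage(log_text):
    """Report how far the TLS handshake got and where the log stops."""
    out = {"handshake": [], "negotiated": None, "client_cert_requested": False,
           "alert": None, "ends_at_verify": False}
    last_tls = ""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(2) != "TLS":
            continue                      # skip non-TLS and malformed lines
        last_tls = msg = m.group(3)
        ev = EVENT_RE.search(msg)
        if ev and ev.group(1) == "HandshakeMessage":
            out["handshake"].append(f"{ev.group(2)} {ev.group(3)}")
            if ev.group(2) == "CertificateRequest":
                out["client_cert_requested"] = True   # server asks for a client cert
        elif ev:
            # Direction shows which side aborted: "received" = remote peer
            out["alert"] = (ev.group(2), ev.group(3))
        elif msg.startswith("Negotiating "):
            out["negotiated"] = msg[len("Negotiating "):].rstrip(".")
    # A verification line with nothing after it: the outcome was never logged
    out["ends_at_verify"] = last_tls.startswith("Verifying server certificate")
    return out

# Constructed sample in the thread's format (the CN is a placeholder)
SAMPLE = """\
2026-02-12 12:17:06.558 Opening log file.
2026-02-12 12:17:13.040 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:ClientHello was sent.
2026-02-12 12:17:13.064 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:ServerHello was received.
2026-02-12 12:17:13.065 INFO WebSocketClient(2)[4] TLS: Negotiating TLS 1.2, ECDSA with ephemeral ECDH, AES with 256-bit key in GCM mode, AEAD.
2026-02-12 12:17:13.065 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:Certificate was received.
2026-02-12 12:17:13.068 DEBUG WebSocketClient(2)[4] TLS: HandshakeMessage:CertificateRequest was received.
2026-02-12 12:17:13.069 DEBUG WebSocketClient(2)[4] TLS: Verifying server certificate ('CN=placeholder').
"""
SAMPLE_ALERT = ("2026-01-31 18:00:28.713 INFO WebSocketClient(2)[16] "
                "TLS: Fatal Alert:HandshakeFailure was received.")

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(SAMPLE_ALERT))
```
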
by (300 points)
No, WebSocketClient is not throwing any exception. However, I can share the server logs here; they show TLS handshake timeouts, but I am not able to see any logs beyond that point.

/var/bsh/crypto/client/keys/tls_client_server/cur_12.123.601.1.4.1.201219.39.2.21.21.key
[01:07:05.589][D][abc-com][10000000] [CCrypto.cpp:23] Reading file [/var/bsh/crypto/client/keys/tls_client_server/cur_12.123.601.1.4.1.201219.39.2.21.21.key].
[01:07:05.590][D][abc-com][10000000] [CCrypto.cpp:31] File [/var/bsh/crypto/client/keys/tls_client_server/cur_1.3.6.1.4.1.20219.3.2.1.2.key] successful read.
[01:07:05.592][D][abc-com][10000000] [CPublicPrivateKey.cpp:99] Check for PKCS#8 header.
[01:07:05.593][D][abc-com][10000000] [CPublicPrivateKey.cpp:103] Found beginning [14] of traditional key inside PKCS#8 data.
[01:07:05.595][D][abc-com][10000000] [CPublicPrivateKey.cpp:111] Try to decode the private key.
[01:07:05.597][D][abc-com][10000000] [CPublicPrivateKey.cpp:134] Ed25519 key found and decoded.
[01:07:15] [error] handle_transport_init received error: TLS handshake timed out
[01:07:15] [fail] WebSocket Connection [::ffff:xxx.xxx.x.x]:50612 - "" - 0 websocketpp.transport.asio.socket:5 TLS handshake timed out
[01:07:15.546][E][abc-com][10000000] [CServerBase.hpp:300] WebSocket failure: TLS handshake timed out websocketpp.transport.asio.socket:5

Moreover, we will also try with the new version, as you suggested.
Thanks,
by (151k points)
Would it be possible to try this using the latest "release candidate 3" version of Rebex WebSocket? It's available at NuGet.org: https://www.nuget.org/packages/Rebex.WebSocket/8.0.9531-rc.3
...