| __`SYSLIB0035`__ | ComputeCounterSignature without specifying a CmsSigner is obsolete and is not supported. Use the overload that accepts a CmsSigner. |
| __`SYSLIB0036`__ | Regex.CompileToAssembly is obsolete and not supported. Use RegexGeneratorAttribute with the regular expression source generator instead. |
| __`SYSLIB0037`__ | AssemblyName members HashAlgorithm, ProcessorArchitecture, and VersionCompatibility are obsolete and not supported. |
+| __`SYSLIB0038`__ | SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information. |
+| __`SYSLIB0039`__ | TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults. |
## Analyzer Warnings
// we are using default settings but cipher suites policy says that TLS 1.3
// is not compatible with our settings (i.e. we requested no encryption or disabled
// all TLS 1.3 cipher suites)
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
}
else
{
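Review bot: The fallback `protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;` keeps enabling the two versions this same commit marks obsolete, and the comment above it only explains why TLS 1.3 is excluded, not why 1.0/1.1 are deliberately retained. Because the new pragma suppresses the warning instead of narrowing the set, a why-comment would stop a later cleanup from silently changing negotiation policy on the default path, e.g. `// TLS 1.0/1.1 are intentionally kept in this default-settings fallback; narrowing to TLS 1.2 is a behavior change — confirm against platform defaults first.` The same retained set appears in the next hunk (`SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;` following `SslProtocols.Tls13 |`). The enclosing method starts outside the hunk, and hunk boundaries are inferred here since this rendering carries no file headers.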
#if !NETSTANDARD2_0 && !NETSTANDARD2_1 && !NETFRAMEWORK
SslProtocols.Tls13 |
#endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
public const SslProtocols SystemDefaultSecurityProtocols = SslProtocols.None;
}
internal const string SystemDataSerializationFormatBinaryMessage = "SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information.";
internal const string SystemDataSerializationFormatBinaryDiagId = "SYSLIB0038";
+
+ internal const string TlsVersion10and11Message = "TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.";
+ internal const string TlsVersion10and11DiagId = "SYSLIB0039";
}
}
[Theory]
[InlineData(SslProtocols.Tls12, false)] // try various protocols to ensure we correctly set versions even when accepting all certs
[InlineData(SslProtocols.Tls12, true)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
[InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
[InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
#if !NETFRAMEWORK
[InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
[InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
#endif
+#pragma warning restore SYSLIB0039
[InlineData(SslProtocols.None, false)]
[InlineData(SslProtocols.None, true)]
public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol, bool requestOnlyThisProtocol)
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
// Overriding flag for the same reason we skip tests on Catalina
// On OSX 10.13-10.14 we can override this flag to enable the scenario
requestOnlyThisProtocol |= PlatformDetection.IsOSX && acceptedProtocol == SslProtocols.Tls;
+#pragma warning restore SYSLIB0039
using (HttpClientHandler handler = CreateHttpClientHandler())
using (HttpClient client = CreateHttpClient(handler))
// restrictions on minimum TLS/SSL version
// We currently know that some platforms like Debian 10 OpenSSL
// will by default block < TLS 1.2
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
#if !NETFRAMEWORK
handler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
#else
handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
#endif
+#pragma warning restore SYSLIB0039
}
var options = new LoopbackServer.Options { UseSsl = true, SslProtocols = acceptedProtocol };
[Theory]
[InlineData(SslProtocols.None)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
[InlineData(SslProtocols.Tls)]
[InlineData(SslProtocols.Tls11)]
[InlineData(SslProtocols.Tls12)]
[InlineData(SslProtocols.Tls | SslProtocols.Tls13)]
[InlineData(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13)]
#endif
+#pragma warning restore SYSLIB0039
public void SetGetProtocols_Roundtrips(SslProtocols protocols)
{
using (HttpClientHandler handler = CreateHttpClientHandler())
// We currently know that some platforms like Debian 10 OpenSSL
// will by default block < TLS 1.2
#pragma warning disable 0618 // SSL2/3 are deprecated
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
#if !NETFRAMEWORK
handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
#else
handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | (SslProtocols)12288;
#endif
#pragma warning restore 0618
+#pragma warning restore SYSLIB0039
}
// Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
yield return new object[] { SslProtocols.Ssl3, Configuration.Http.SSLv3RemoteServer };
}
#pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if (PlatformDetection.SupportsTls10)
{
yield return new object[] { SslProtocols.Tls, Configuration.Http.TLSv10RemoteServer };
{
yield return new object[] { SslProtocols.Tls11, Configuration.Http.TLSv11RemoteServer };
}
+#pragma warning restore SYSLIB0039
if (PlatformDetection.SupportsTls12)
{
[InlineData(SslProtocols.Ssl2, SslProtocols.Tls12)]
[InlineData(SslProtocols.Ssl3, SslProtocols.Tls12)]
#pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
[InlineData(SslProtocols.Tls11, SslProtocols.Tls)]
[InlineData(SslProtocols.Tls11 | SslProtocols.Tls12, SslProtocols.Tls)] // Skip this on WinHttpHandler.
[InlineData(SslProtocols.Tls12, SslProtocols.Tls11)]
[InlineData(SslProtocols.Tls, SslProtocols.Tls12)]
+#pragma warning restore SYSLIB0039
public async Task GetAsync_AllowedClientSslVersionDiffersFromServer_ThrowsException(
SslProtocols allowedClientProtocols, SslProtocols acceptedServerProtocols)
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if (IsWinHttpHandler &&
allowedClientProtocols == (SslProtocols.Tls11 | SslProtocols.Tls12) &&
acceptedServerProtocols == SslProtocols.Tls)
+#pragma warning restore SYSLIB0039
{
// Native WinHTTP sometimes uses multiple TCP connections to try other TLS protocols when
// getting TLS protocol failures as part of its TLS fallback algorithm. The loopback server
#if !NETSTANDARD2_0 && !NETFRAMEWORK
SslProtocols.Tls13 |
#endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
}
}
#if !NETSTANDARD2_0
SslProtocols.Tls13 |
#endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
public const SslProtocols NonTls13Protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
public static SslProtocols SupportedSslProtocols
{
supported |= SslProtocols.Ssl3;
}
#pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if (PlatformDetection.SupportsTls10)
{
supported |= SslProtocols.Tls;
{
supported |= SslProtocols.Tls11;
}
+#pragma warning restore SYSLIB0039
if (PlatformDetection.SupportsTls12)
{
}
#pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if ((sslProtocols & SslProtocols.Tls) != 0)
{
optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
{
optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;
}
+#pragma warning restore SYSLIB0039
if ((sslProtocols & SslProtocols.Tls12) != 0)
{
[Theory]
[InlineData(
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2)]
Ssl2 = 12,
[System.ObsoleteAttribute("SslProtocols.Ssl3 has been deprecated and is not supported.")]
Ssl3 = 48,
+ [System.ObsoleteAttribute("TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.", DiagnosticId = "SYSLIB0039", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
Tls = 192,
[System.ObsoleteAttribute("SslProtocols.Default has been deprecated and is not supported.")]
Default = 240,
+ [System.ObsoleteAttribute("TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.", DiagnosticId = "SYSLIB0039", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
Tls11 = 768,
Tls12 = 3072,
Tls13 = 12288,
{
public abstract partial class ChannelBinding : Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid
{
- protected ChannelBinding() : base (default(bool)) { }
- protected ChannelBinding(bool ownsHandle) : base (default(bool)) { }
+ protected ChannelBinding() : base(default(bool)) { }
+ protected ChannelBinding(bool ownsHandle) : base(default(bool)) { }
public abstract int Size { get; }
}
public enum ChannelBindingKind
Link="Common\Interop\Windows\SChannel\Interop.SchProtocols.cs" />
<Compile Include="$(CommonPath)Interop\Windows\WinSock\Interop.ErrorCodes.cs"
Link="Common\Interop\Windows\WinSock\Interop.ErrorCodes.cs" />
+ <!-- Common -->
+ <Compile Include="$(CommonPath)System\Obsoletions.cs"
+ Link="Common\System\Obsoletions.cs" />
</ItemGroup>
<ItemGroup Condition="'$(TargetPlatformIdentifier)' == 'windows'">
<Compile Include="System\Net\SocketException.Windows.cs" />
public enum SslProtocols
{
None = 0,
+ [System.ObsoleteAttribute("SslProtocols.Ssl2 has been deprecated and is not supported.")]
Ssl2 = Interop.SChannel.SP_PROT_SSL2,
+ [System.ObsoleteAttribute("SslProtocols.Ssl3 has been deprecated and is not supported.")]
Ssl3 = Interop.SChannel.SP_PROT_SSL3,
+ [System.ObsoleteAttribute(Obsoletions.TlsVersion10and11Message, DiagnosticId = Obsoletions.TlsVersion10and11DiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
Tls = Interop.SChannel.SP_PROT_TLS1_0,
+ [System.ObsoleteAttribute(Obsoletions.TlsVersion10and11Message, DiagnosticId = Obsoletions.TlsVersion10and11DiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
Tls11 = Interop.SChannel.SP_PROT_TLS1_1,
Tls12 = Interop.SChannel.SP_PROT_TLS1_2,
Tls13 = Interop.SChannel.SP_PROT_TLS1_3,
+ [System.ObsoleteAttribute("SslProtocols.Default has been deprecated and is not supported.")]
Default = Ssl3 | Tls
}
Link="Common\System\Net\SecurityStatusPal.cs" />
<Compile Include="$(CommonPath)System\HexConverter.cs"
Link="Common\System\HexConverter.cs" />
+ <Compile Include="$(CommonPath)System\Obsoletions.cs"
+ Link="Common\System\Obsoletions.cs" />
</ItemGroup>
<!-- This file depends on IANA registry. We do not want anyone's build to break after the update -->
<!-- or if they don't have internet connection - explicit opt-in required -->
switch (protocol)
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
case SslProtocols.Tls:
protocolSessionsOpen = ref _sessionsOpenTls10;
handshakeDurationCounter = _handshakeDurationTls10Counter;
protocolSessionsOpen = ref _sessionsOpenTls11;
handshakeDurationCounter = _handshakeDurationTls11Counter;
break;
+#pragma warning restore SYSLIB0039
case SslProtocols.Tls12:
protocolSessionsOpen = ref _sessionsOpenTls12;
switch (protocol)
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
case SslProtocols.Tls:
count = Interlocked.Decrement(ref _sessionsOpenTls10);
break;
case SslProtocols.Tls11:
count = Interlocked.Decrement(ref _sessionsOpenTls11);
break;
+#pragma warning restore SYSLIB0039
case SslProtocols.Tls12:
count = Interlocked.Decrement(ref _sessionsOpenTls12);
private const int InitialBufferSize = 2048;
private static readonly SslProtocols[] s_orderedSslProtocols = new SslProtocols[]
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls,
SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
SslProtocols.Tls12,
SslProtocols.Tls13,
};
Interop.AndroidCrypto.SSLStreamInitialize(handle, isServer, readCallback, writeCallback, InitialBufferSize);
if (credential.Protocols != SslProtocols.None)
- {;
+ {
SslProtocols protocolsToEnable = credential.Protocols & s_supportedSslProtocols.Value;
if (protocolsToEnable == 0)
{
SslProtocols.Ssl2,
SslProtocols.Ssl3,
#pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls,
SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
SslProtocols.Tls12
};
#pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete
"SSLv3" => SslProtocols.Ssl3,
#pragma warning restore
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
"TLSv1" => SslProtocols.Tls,
"TLSv1.1" => SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
"TLSv1.2" => SslProtocols.Tls12,
"TLSv1.3" => SslProtocols.Tls13,
_ => SslProtocols.None,
{
if (b[5] == '\0')
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
return SslProtocols.Tls;
}
else if (b[5] == '.' && b[6] != '\0' && b[7] == '\0')
switch (b[6])
{
case (byte)'1': return SslProtocols.Tls11;
+#pragma warning restore SYSLIB0039
case (byte)'2': return SslProtocols.Tls12;
case (byte)'3': return SslProtocols.Tls13;
}
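Review bot: The suppression pair in this hunk opens inside the `if (b[5] == '\0')` block and closes inside the nested `switch`, so the disabled region crosses two block boundaries; it compiles, because pragmas are line-scoped, but anyone auditing what is suppressed has to track two nesting levels. Either one pair around the whole `if`/`else if` chain or one pair per obsolete reference would be easier to verify; the same cross-boundary placement appears around `if (IsWinHttpHandler &&` and around `else if ((int)version > (int)SslProtocols.Tls)` in earlier and later hunks. The enclosing method starts and ends outside the hunk, and some context lines appear to be missing from this rendering.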
{
SslClientAuthenticationOptions options = new SslClientAuthenticationOptions()
{
- TargetHost = targetHost,
- ClientCertificates = clientCertificates,
+ TargetHost = targetHost,
+ ClientCertificates = clientCertificates,
EnabledSslProtocols = enabledSslProtocols,
CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
EncryptionPolicy = _encryptionPolicy,
}
#pragma warning restore
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if ((proto & SslProtocols.Tls) != 0)
{
ret |= SslProtocols.Tls;
{
ret |= SslProtocols.Tls11;
}
+#pragma warning restore SYSLIB0039
if ((proto & SslProtocols.Tls12) != 0)
{
{
if (frame.Length < 5 || frame[1] < 3)
{
- return - 1;
+ return -1;
}
return ((frame[3] << 8) | frame[4]) + HeaderSize;
// Check if we have full frame.
bool isComplete = frame.Length >= HeaderSize + info.Header.Length;
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if (((int)info.Header.Version >= (int)SslProtocols.Tls) &&
+#pragma warning restore SYSLIB0039
(info.HandshakeType == TlsHandshakeType.ClientHello || info.HandshakeType == TlsHandshakeType.ServerHello))
{
if (!TryParseHelloFrame(frame.Slice(HeaderSize), ref info, options, callback))
{
SslProtocols.Tls13 => s_protocolMismatch13,
SslProtocols.Tls12 => s_protocolMismatch12,
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols.Tls11 => s_protocolMismatch11,
SslProtocols.Tls => s_protocolMismatch10,
+#pragma warning restore SYSLIB0039
#pragma warning disable 0618
SslProtocols.Ssl3 => s_protocolMismatch30,
#pragma warning restore 0618
{
return CreateProtocolVersionAlert(version);
}
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
else if ((int)version > (int)SslProtocols.Tls)
+#pragma warning restore SYSLIB0039
{
// Create TLS1.2 alert
byte[] buffer = new byte[] { (byte)TlsContentType.Alert, 3, 3, 0, 2, 2, (byte)reason };
case SslProtocols.Tls13:
buffer[2] = 4;
break;
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
case SslProtocols.Tls11:
buffer[2] = 2;
break;
case SslProtocols.Tls:
buffer[2] = 1;
break;
+#pragma warning restore SYSLIB0039
}
return buffer;
{
4 => SslProtocols.Tls13,
3 => SslProtocols.Tls12,
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
2 => SslProtocols.Tls11,
1 => SslProtocols.Tls,
+#pragma warning restore SYSLIB0039
#pragma warning disable 0618
0 => SslProtocols.Ssl3,
#pragma warning restore 0618
await Assert.ThrowsAsync<AuthenticationException>(
() => ClientAsyncSslHelper(
EncryptionPolicy.NoEncryption,
- SslProtocolSupport.DefaultSslProtocols, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12));
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
+ SslProtocolSupport.DefaultSslProtocols, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12));
+#pragma warning restore SYSLIB0039
}
[Theory]
var supportedProtocols = new SslProtocolSupport.SupportedSslProtocolsTestData();
foreach (var serverProtocols in supportedProtocols)
- foreach (var clientProtocols in supportedProtocols)
{
- SslProtocols serverProtocol = (SslProtocols)serverProtocols[0];
- SslProtocols clientProtocol = (SslProtocols)clientProtocols[0];
-
- if (clientProtocol != serverProtocol)
+ foreach (var clientProtocols in supportedProtocols)
{
- yield return new object[] { clientProtocol, serverProtocol, typeof(AuthenticationException) };
+ SslProtocols serverProtocol = (SslProtocols)serverProtocols[0];
+ SslProtocols clientProtocol = (SslProtocols)clientProtocols[0];
+
+ if (clientProtocol != serverProtocol)
+ {
+ yield return new object[] { clientProtocol, serverProtocol, typeof(AuthenticationException) };
+ }
}
}
}
private VerboseTestLogging _log;
private TcpListener _listener;
private bool _useSsl;
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
private SslProtocols _sslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
+#pragma warning restore SYSLIB0039
private EncryptionPolicy _sslEncryptionPolicy;
private IPEndPoint _remoteEndPoint;
private DummyTcpServerReceiveCallback _receiveCallback;
using (var sslStream = new SslStream(client.GetStream(), false, AllowAnyServerCertificate, null, EncryptionPolicy.NoEncryption))
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
// null encryption is not permitted with Tls13
- await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false);
+ await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false);
+#pragma warning restore SYSLIB0039
_log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength",
serverAllowNoEncryption.RemoteEndPoint, sslStream.CipherAlgorithm, sslStream.CipherStrength);
public async Task ServerAsyncAuthenticate_SniSetVersion_Success(SslProtocols version)
{
var serverOptions = new SslServerAuthenticationOptions() { ServerCertificate = _serverCertificate, EnabledSslProtocols = version };
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
var clientOptions = new SslClientAuthenticationOptions() { TargetHost = _serverCertificate.GetNameInfo(X509NameType.SimpleName, forIssuer: false), EnabledSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12 };
+#pragma warning restore SYSLIB0039
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
(SslStream client, SslStream server) = TestHelper.GetConnectedSslStreams();
var supportedProtocols = new SslProtocolSupport.SupportedSslProtocolsTestData();
foreach (var serverProtocols in supportedProtocols)
- foreach (var clientProtocols in supportedProtocols)
{
- SslProtocols serverProtocol = (SslProtocols)serverProtocols[0];
- SslProtocols clientProtocol = (SslProtocols)clientProtocols[0];
-
- if (clientProtocol != serverProtocol)
+ foreach (var clientProtocols in supportedProtocols)
{
- yield return new object[] { clientProtocol, serverProtocol, typeof(AuthenticationException) };
+ SslProtocols serverProtocol = (SslProtocols)serverProtocols[0];
+ SslProtocols clientProtocol = (SslProtocols)clientProtocols[0];
+
+ if (clientProtocol != serverProtocol)
+ {
+ yield return new object[] { clientProtocol, serverProtocol, typeof(AuthenticationException) };
+ }
}
}
}
{
if (PlatformDetection.SupportsTls11)
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
yield return new object[] { SslProtocols.Tls11 };
+#pragma warning restore SYSLIB0039
}
if (PlatformDetection.SupportsTls12)
using (SslStream sslClientStream = new SslStream(
clientStream,
false,
- delegate {
+ delegate
+ {
// Allow any certificate from the server.
// Note that simply ignoring exceptions from AuthenticateAsClientAsync() is not enough
// because in Mono, certificate validation is performed during the handshake and a failure
string serverName = TestHelper.GetTestSNIName(nameof(ServerAsyncSslHelper), clientSslProtocols, serverSslProtocols);
_log.WriteLine("Connected on {0} {1} ({2} {3})", clientStream.Socket.LocalEndPoint, clientStream.Socket.RemoteEndPoint, clientStream.Socket.Handle, serverStream.Socket.Handle);
- _log.WriteLine("client SslStream#{0} server SslStream#{1}", sslClientStream.GetHashCode(), sslServerStream.GetHashCode());
+ _log.WriteLine("client SslStream#{0} server SslStream#{1}", sslClientStream.GetHashCode(), sslServerStream.GetHashCode());
_logVerbose.WriteLine("ServerAsyncAuthenticateTest.AuthenticateAsClientAsync start.");
Task clientAuthentication = sslClientStream.AuthenticateAsClientAsync(
using (var sslStream = new SslStream(client.GetStream(), false, AllowAnyServerCertificate, null, EncryptionPolicy.AllowNoEncryption))
{
- await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false);
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
+ await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false);
+#pragma warning restore SYSLIB0039
_log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength",
serverNoEncryption.RemoteEndPoint, sslStream.CipherAlgorithm, sslStream.CipherStrength);
{
if (SupportsNullEncryption)
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
// null encryption is not permitted with Tls13
- await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false);
+ await sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false);
+#pragma warning restore SYSLIB0039
_log.WriteLine("Client authenticated to server({0}) with encryption cipher: {1} {2}-bit strength",
serverNoEncryption.RemoteEndPoint, sslStream.CipherAlgorithm, sslStream.CipherStrength);
using (var sslStream = new SslStream(client.GetStream(), false, AllowAnyServerCertificate, null, EncryptionPolicy.NoEncryption))
{
await Assert.ThrowsAsync(TestConfiguration.SupportsHandshakeAlerts ? typeof(AuthenticationException) : typeof(IOException), () =>
- sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false));
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
+ sslStream.AuthenticateAsClientAsync("localhost", null, SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, false));
+#pragma warning restore SYSLIB0039
}
}
}
List<SslApplicationProtocol> serverAppProtocols = new List<SslApplicationProtocol> { SslApplicationProtocol.Http11, SslApplicationProtocol.Http2 };
X509RevocationMode serverRevocation = X509RevocationMode.NoCheck;
bool serverCertRequired = false;
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
SslProtocols serverSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
EncryptionPolicy serverEncryption = EncryptionPolicy.AllowNoEncryption;
RemoteCertificateValidationCallback serverRemoteCallback = new RemoteCertificateValidationCallback(delegate { return true; });
SslStreamCertificateContext certificateContext = SslStreamCertificateContext.Create(serverCert, null, false);
[ConditionalClass(typeof(PlatformDetection), nameof(PlatformDetection.SupportsTls11))]
public sealed class SslStreamTls11NetworkConformanceTests : SslStreamDefaultNetworkConformanceTests
{
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
protected override SslProtocols GetSslProtocols() => SslProtocols.Tls11;
+#pragma warning restore SYSLIB0039
}
[ConditionalClass(typeof(PlatformDetection), nameof(PlatformDetection.SupportsTls12))]
public class NegotiatedCipherSuiteTest
{
#pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
public const SslProtocols AllProtocols =
SslProtocols.Ssl2 | SslProtocols.Ssl3 |
SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
#pragma warning restore CS0618
+#pragma warning restore SYSLIB0039
public const SslProtocols NonTls13Protocols = AllProtocols & (~SslProtocols.Tls13);
private static Dictionary<SslProtocols, HashSet<TlsCipherSuite>> s_protocolCipherSuiteLookup = new Dictionary<SslProtocols, HashSet<TlsCipherSuite>>()
{
{ SslProtocols.Tls12, s_tls12CipherSuiteLookup },
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
{ SslProtocols.Tls11, s_tls10And11CipherSuiteLookup },
{ SslProtocols.Tls, s_tls10And11CipherSuiteLookup },
+#pragma warning restore SYSLIB0039
};
private static Lazy<bool> s_cipherSuitePolicySupported = new Lazy<bool>(() =>
}
[Theory]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
[InlineData(SslProtocols.Tls)]
[InlineData(SslProtocols.Tls11)]
+#pragma warning restore SYSLIB0039
[InlineData(SslProtocols.Tls12)]
public void NegotiatedCipherSuite_SslProtocolIsLowerThanTls13_ShouldMatchTheProtocol(SslProtocols protocol)
{
if (PlatformDetection.SupportsTls12 && (PlatformDetection.SupportsTls10 || PlatformDetection.SupportsTls11))
{
// OpenSSL 1.0 where new is Tls12
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
clientProtocol = SslProtocols.Tls | SslProtocols.Tls11;
+#pragma warning restore SYSLIB0039
serverProtocol = SslProtocols.Tls12;
}
else if (PlatformDetection.SupportsTls12 && PlatformDetection.SupportsTls13)
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
return sendClientCertificate ? clientCertificate : null;
};
- SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions() { ServerCertificate = serverCertificate,
- AllowRenegotiation = false };
+ SslServerAuthenticationOptions serverOptions = new SslServerAuthenticationOptions()
+ {
+ ServerCertificate = serverCertificate,
+ AllowRenegotiation = false
+ };
serverOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) =>
{
if (negotiateClientCertificateCalled && sendClientCertificate)
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
// Send application data instead of Client hello.
await client.WriteAsync(new byte[500], cts.Token);
// Fail as it is not allowed to receive non handshake frames during handshake.
- await Assert.ThrowsAsync<InvalidOperationException>(()=> t);
+ await Assert.ThrowsAsync<InvalidOperationException>(() => t);
}
}
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
int read = await server.ReadAsync(buffer, cts.Token);
// Fail as there are still some undrained data (incomplete incoming TLS frame)
- await Assert.ThrowsAsync<InvalidOperationException>(()=>
+ await Assert.ThrowsAsync<InvalidOperationException>(() =>
server.NegotiateClientCertificateAsync(cts.Token)
);
SslClientAuthenticationOptions clientOptions = new SslClientAuthenticationOptions()
{
TargetHost = Guid.NewGuid().ToString("N"),
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
EnabledSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
};
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, targetHost, localCertificates, remoteCertificate, acceptableIssuers) =>
{
int split = Random.Shared.Next(0, certificates.serverChain.Count - 1);
- var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
+ var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
clientOptions.RemoteCertificateValidationCallback =
(sender, certificate, chain, sslPolicyErrors) =>
{
public async Task SslStream_UntrustedCaWithCustomCallback_Throws(bool customCallback)
{
string errorMessage;
- var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
+ var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
if (customCallback)
{
clientOptions.RemoteCertificateValidationCallback =
}
}
- var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost", };
+ var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost", };
clientOptions.RemoteCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
clientOptions.LocalCertificateSelectionCallback = (sender, target, certificates, remoteCertificate, issuers) => clientCertificate;
c.Dispose();
}
- foreach (SslStream s in streams)
+ foreach (SslStream s in streams)
{
s.Dispose();
}
}
#pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
if (PlatformDetection.SupportsTls11)
{
yield return new object[] { SslProtocolSupport.NonTls13Protocols, SslProtocols.Tls11 };
yield return new object[] { SslProtocols.Tls11, SslProtocolSupport.NonTls13Protocols };
}
+#pragma warning restore SYSLIB0039
if (PlatformDetection.SupportsTls12)
{
#pragma warning restore 0618
{
Assert.True(
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
(_clientStream.SslProtocol == SslProtocols.Tls11 && _clientStream.HashAlgorithm == HashAlgorithmType.Sha1) ||
+#pragma warning restore SYSLIB0039
_clientStream.HashAlgorithm == HashAlgorithmType.Sha256 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha384 ||
_clientStream.HashAlgorithm == HashAlgorithmType.Sha512,
TlsFrameHelper.TlsFrameInfo info = default;
Assert.True(TlsFrameHelper.TryGetFrameInfo(s_Tls12ClientHello, ref info));
+#pragma warning disable SYSLIB0039
Assert.Equal(SslProtocols.Tls, info.Header.Version);
- Assert.Equal(SslProtocols.Tls|SslProtocols.Tls12, info.SupportedVersions);
+ Assert.Equal(SslProtocols.Tls | SslProtocols.Tls12, info.SupportedVersions);
+#pragma warning restore SYSLIB0039
Assert.Equal(TlsFrameHelper.ApplicationProtocolInfo.Http11 | TlsFrameHelper.ApplicationProtocolInfo.Http2, info.ApplicationProtocols);
}
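Review bot: The `#pragma warning disable SYSLIB0039` at the start of this hunk has no trailing explanation, whereas every other suppression in the commit reads `#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete`; the same bare form appears in the next hunk before `Assert.Equal(SslProtocols.Tls, info.Header.Version);`. The suppression here also means something different from the product-code sites: the assertion checks the legacy record-header version that the `s_Tls12ClientHello` fixture carries, not an actual choice of TLS 1.0, so a more specific comment such as `// record header carries the legacy TLS 1.0 version; this is not a protocol selection` would be more useful than the generic one.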
TlsFrameHelper.TlsFrameInfo info = default;
Assert.True(TlsFrameHelper.TryGetFrameInfo(s_Tls13ClientHello, ref info));
+#pragma warning disable SYSLIB0039
Assert.Equal(SslProtocols.Tls, info.Header.Version);
Assert.Equal(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13, info.SupportedVersions);
+#pragma warning restore SYSLIB0039
Assert.Equal(TlsFrameHelper.ApplicationProtocolInfo.Other, info.ApplicationProtocols);
}
#pragma warning disable CS0618
Ssl3 = SslProtocols.Ssl3,
#pragma warning restore CS0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
Tls = SslProtocols.Tls,
Tls11 = SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
Tls12 = SslProtocols.Tls12,
Tls13 = SslProtocols.Tls13,
}