More docs

dotpaul · dotpaul · commit d4b46d6db3f4 · 2019-07-10T18:30:47.000-07:00
diff --git a/docs/code-quality/ca5361.md b/docs/code-quality/ca5361.md
@@ -33,8 +33,9 @@ Setting `Switch.System.Net.DontEnableSchUseStrongCrypto` to `true` weakens the c
 
 ## How to fix violations
 
-- If your application targets .NET Framework v4.6 or later, you can remove the <xref:System.AppContext.SetSwitch%2A?displayProperty=nameWithType> method call.
+- If your application targets .NET Framework v4.6 or later, you can either remove the <xref:System.AppContext.SetSwitch%2A?displayProperty=nameWithType> method call, or set the switch's value to `false`.
 - If your application targets .NET Framework earlier than v4.6, and runs on .NET Framework v4.6 or later, set the switch's value to `false`.
+- Otherwise, refer to [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls) for mitigations.
 
 ## When to suppress warnings
 
diff --git a/docs/code-quality/ca5364.md b/docs/code-quality/ca5364.md
@@ -0,0 +1,110 @@
+---
+title: "CA5364: Do Not Use Deprecated Security Protocols"
+ms.date: 07/10/2019
+ms.topic: reference
+author: dotpaul
+ms.author: paulming
+manager: jillfra
+dev_langs:
+ - CSharp
+ - VB
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5364"
+  - "DoNotUseDeprecatedSecurityProtocols"
+---
+# CA5364: Do Not Use Deprecated Security Protocols
+
+|||
+|-|-|
+|TypeName|DoNotUseDeprecatedSecurityProtocols|
+|CheckId|CA5364|
+|Category|Microsoft.Security|
+|Breaking Change|Non Breaking|
+
+## Cause
+
+- A deprecated <xref:System.Net.SecurityProtocolType?displayProperty=nameWithType> value was referenced.
+- An integer value representing a deprecated value was assigned to a <xref:System.Net.SecurityProtocolType> variable.
+
+Deprecated values are:
+- Ssl3
+- Tls
+- Tls10
+- Tls11
+
+## Rule description
+
+Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3, and are more at risk of vulnerabilities being discovered in the future. You should avoid older protocol versions to minimize risk. For guidance on identifying and removing deprecated protocol versions, see [Solving the TLS 1.0 Problem, 2nd Edition](/security/solving-tls1-problem).
+
+## How to fix violations
+
+Don't use deprecated TLS protocol versions.
+
+## When to suppress warnings
+
+- It's safe to suppress this warning if the reference to the deprecated protocol version isn't being used to enable a deprecated version.
+- You can suppress this warning if you need to connect to a legacy service, which can't be upgraded to use secure TLS configurations.
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System;
+using System.Net;
+
+public class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        // CA5364 violation
+        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
+    }
+}
+```
+
+```vb
+Imports System
+Imports System.Net
+
+Public Class TestClass
+    Public Sub ExampleMethod()
+        ' CA5364 violation
+        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 Or SecurityProtocolType.Tls12
+    End Sub
+End Class
+```
+
+### Solution
+
+```csharp
+using System;
+using System.Net;
+
+public class TestClass
+{
+    public void TestMethod()
+    {
+        // Let the operating system decide what TLS protocol version to use.
+        // See https://docs.microsoft.com/dotnet/framework/network-programming/tls
+    }
+}
+```
+
+```vb
+Imports System
+Imports System.Net
+
+Public Class TestClass
+    Public Sub ExampleMethod()
+        ' Let the operating system decide what TLS protocol version to use.
+        ' See https://docs.microsoft.com/dotnet/framework/network-programming/tls
+    End Sub
+End Class
+```
+
+## Related rules
+
+[CA5386: Avoid hardcoding SecurityProtocolType value](ca5386.md)
diff --git a/docs/code-quality/ca5378.md b/docs/code-quality/ca5378.md
@@ -0,0 +1,94 @@
+---
+title: "CA5378: Do not disable ServicePointManagerSecurityProtocols"
+ms.date: 07/10/2019
+ms.topic: reference
+author: dotpaul
+ms.author: paulming
+manager: jillfra
+dev_langs:
+ - CSharp
+ - VB
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5378"
+  - "DoNotSetSwitch"
+---
+# CA5378: Do not disable ServicePointManagerSecurityProtocols
+
+|||
+|-|-|
+|TypeName|DoNotSetSwitch|
+|CheckId|CA5378|
+|Category|Microsoft.Security|
+|Breaking Change|Non Breaking|
+
+## Cause
+
+A <xref:System.AppContext.SetSwitch%2A?displayProperty=nameWithType> method call sets `Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols` to `true`.
+
+## Rule description
+
+Setting `Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols` to `true` limits Windows Communication Framework's (WCF) Transport Layer Security (TLS) connections to using TLS 1.0. That version of TLS will be deprecated. For more information, see [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls#switchsystemservicemodeldisableusingservicepointmanagersecurityprotocols).
+
+## How to fix violations
+
+- If your application targets .NET Framework v4.7 or later, you can either remove the <xref:System.AppContext.SetSwitch%2A?displayProperty=nameWithType> method call, or set the switch's value to `false`.
+- If your application targets .NET Framework v4.6.2 or earlier, and runs on .NET Framework v4.7 or later, set the switch's value to `false`.
+- Otherwise, refer to [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls) for mitigations.
+
+## When to suppress warnings
+
+You can suppress this warning if you need to connect to a legacy service, which can't be upgraded to use secure TLS configurations.
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System;
+
+public class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        // CA5378 violation
+        AppContext.SetSwitch("Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols", true);
+    }
+}
+```
+
+```vb
+Imports System
+
+Public Class ExampleClass
+    Public Sub ExampleMethod()
+        ' CA5378 violation
+        AppContext.SetSwitch("Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols", true)
+    End Sub
+End Class
+```
+
+### Solution
+
+```csharp
+using System;
+
+public class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        AppContext.SetSwitch("Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols", false);
+    }
+}
+```
+
+```vb
+Imports System
+
+Public Class ExampleClass
+    Public Sub ExampleMethod()
+        AppContext.SetSwitch("Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols", false)
+    End Sub
+End Class
+```
diff --git a/docs/code-quality/ca5386.md b/docs/code-quality/ca5386.md
@@ -0,0 +1,107 @@
+---
+title: "CA5386: Avoid hardcoding SecurityProtocolType value"
+ms.date: 07/10/2019
+ms.topic: reference
+author: dotpaul
+ms.author: paulming
+manager: jillfra
+dev_langs:
+ - CSharp
+ - VB
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5386"
+  - "DoNotUseDeprecatedSecurityProtocols"
+---
+# CA5386: Avoid hardcoding SecurityProtocolType value
+
+|||
+|-|-|
+|TypeName|DoNotUseDeprecatedSecurityProtocols|
+|CheckId|CA5386|
+|Category|Microsoft.Security|
+|Breaking Change|Non Breaking|
+
+## Cause
+
+- A safe but hardcoded <xref:System.Net.SecurityProtocolType?displayProperty=nameWithType> value was referenced.
+- An integer value representing a safe protocol version was assigned to a <xref:System.Net.SecurityProtocolType> variable.
+
+Safe values are:
+- Tls12
+- Tls13
+
+## Rule description
+
+Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, newer protocol versions of TLS may be deployed, and then TLS 1.2 or TLS 1.3 may be deprecated if security flaws are discovered. To ensure that your application remains secure, avoid hardcoding a protocol version and target at least .NET Framework v4.7.1. For more details, see [Transport Layer Security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls).
+
+## How to fix violations
+
+Don't use hardcode TLS protocol versions.
+
+## When to suppress warnings
+
+You can suppress this warning if you need to connect to a legacy service, which can't be upgraded to use secure TLS configurations.
+
+## Pseudo-code examples
+
+### Violation
+
+```csharp
+using System;
+using System.Net;
+
+public class ExampleClass
+{
+    public void ExampleMethod()
+    {
+        // CA5386 violation
+        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
+    }
+}
+```
+
+```vb
+Imports System
+Imports System.Net
+
+Public Class TestClass
+    Public Sub ExampleMethod()
+        ' CA5386 violation
+        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
+    End Sub
+End Class
+```
+
+### Solution
+
+```csharp
+using System;
+using System.Net;
+
+public class TestClass
+{
+    public void TestMethod()
+    {
+        // Let the operating system decide what TLS protocol version to use.
+        // See https://docs.microsoft.com/dotnet/framework/network-programming/tls
+    }
+}
+```
+
+```vb
+Imports System
+Imports System.Net
+
+Public Class TestClass
+    Public Sub ExampleMethod()
+        ' Let the operating system decide what TLS protocol version to use.
+        ' See https://docs.microsoft.com/dotnet/framework/network-programming/tls
+    End Sub
+End Class
+```
+
+## Related rules
+
+[CA5364: Do Not Use Deprecated Security Protocols](ca5364.md)
diff --git a/docs/code-quality/toc.yml b/docs/code-quality/toc.yml
@@ -690,6 +690,14 @@
           href: ca3077-insecure-processing-in-api-design-xml-document-and-xml-text-reader.md
         - name: "CA3147: Mark verb handlers with ValidateAntiForgeryToken"
           href: ca3147-mark-verb-handlers-with-validateantiforgerytoken.md
+        - name: "CA5361: Do Not Disable SChannel Use of Strong Crypto"
+          href: ca5361.md
+        - name: "CA5364: Do Not Use Deprecated Security Protocols"
+          href: ca5364.md
+        - name: "CA5378: Do not disable ServicePointManagerSecurityProtocols"
+          href: ca5378.md
+        - name: "CA5386: Avoid hardcoding SecurityProtocolType value"
+          href: ca5386.md
       - name: Usage warnings
         items:
         - name: Overview
