Fall back to TLSv1.2 when System.Security.Authentication.SslProtocols.None is disabled/unavailable

See #764 for background. In some environments we cannot assume
that SslProtocols.None will behave as expected:

 * It can be disabled via app context and other means
 * Its effective behavior is different between .NET versions according
   to .NET community blog posts and GitHub issues

So we borrow from [1] and special case this exception to retry with an
explicitly defined version (TLSv1.2, same as modern .NET default).

The discussion in [2] should also be mentioned as they have lead us
to understanding of many aspects of this intricate setting.

1. mysql-net/MySqlConnector@715c3b5
2. robinrodricks/FluentFTP#452 (comment)

Author: michaelklishin

projects/client/RabbitMQ.Client/src/client/api/SslHelper.cs

@@ -41,6 +41,7 @@
 using System;
 using System.IO;
 using System.Net.Security;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 
 namespace RabbitMQ.Client
@@ -59,21 +60,32 @@ private SslHelper(SslOption sslOption)
         }
 
         /// <summary>
-        /// Upgrade a Tcp stream to an Ssl stream using the SSL options provided.
+        /// Upgrade a Tcp stream to an Ssl stream using the TLS options provided.
         /// </summary>
-        public static Stream TcpUpgrade(Stream tcpStream, SslOption sslOption)
+        public static Stream TcpUpgrade(Stream tcpStream, SslOption options)
         {
-            var helper = new SslHelper(sslOption);
+            var helper = new SslHelper(options);
 
             RemoteCertificateValidationCallback remoteCertValidator =
-                sslOption.CertificateValidationCallback ?? helper.CertificateValidationCallback;
+                options.CertificateValidationCallback ?? helper.CertificateValidationCallback;
             LocalCertificateSelectionCallback localCertSelector =
-                sslOption.CertificateSelectionCallback ?? helper.CertificateSelectionCallback;
+                options.CertificateSelectionCallback ?? helper.CertificateSelectionCallback;
 
             var sslStream = new SslStream(tcpStream, false, remoteCertValidator, localCertSelector);
 
-            sslStream.AuthenticateAsClientAsync(sslOption.ServerName, sslOption.Certs, sslOption.Version,
-                                                sslOption.CheckCertificateRevocation).GetAwaiter().GetResult();
+            Action<SslOption> TryAuthenticating = (SslOption opts) => {
+                sslStream.AuthenticateAsClientAsync(opts.ServerName, opts.Certs, opts.Version,
+                                                    opts.CheckCertificateRevocation).GetAwaiter().GetResult();
+            };
+            try {
+                TryAuthenticating(options);
+            } catch(ArgumentException e) when (e.ParamName == "sslProtocolType" && options.Version == SslProtocols.None) {
+                // SslProtocols.None is dysfunctional in this environment, possibly due to TLS version restrictions
+                // in the app context, system or .NET version-specific behavior. See rabbitmq/rabbitmq-dotnet-client#764
+                // for background.
+                options.UseFallbackTlsVersions();
+                TryAuthenticating(options);
+            }
 
             return sslStream;
         }

projects/client/RabbitMQ.Client/src/client/api/SslOption.cs

@@ -149,5 +149,16 @@ public X509CertificateCollection Certs
         /// Retrieve or set the Ssl protocol version.
         /// </summary>
         public SslProtocols Version { get; set; }
+
+        /// <summary>
+        /// Reconfigures the instance to enable/use TLSv1.2.
+        /// Only used in environments where System.Security.Authentication.SslProtocols.None
+        /// is unavailable or effectively disabled, as reported by System.Net.ServicePointManager.
+        /// </summary>
+        public SslProtocols UseFallbackTlsVersions()
+        {
+            this.Version = SslProtocols.Tls12;
+            return Version;
+        }
     }
 }