Skip to content

Fall back to TLSv1.2 when System.Security.Authentication.SslProtocols.None is disabled/unavailable #766

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Mar 24, 2020
Merged

Fall back to TLSv1.2 when System.Security.Authentication.SslProtocols.None is disabled/unavailable #766

merged 4 commits into from
Mar 24, 2020

Conversation

michaelklishin
Copy link
Contributor

Proposed Changes

See #764 for the background. In some environments, we cannot assume
that SslProtocols.None will behave as expected:

  • It can be disabled via app context and other means
  • Its effective behavior is different between .NET versions according
    to .NET community blog posts and GitHub issues

So we borrow from [1] and special case this exception to retry with an
explicitly defined version (TLSv1.2, same as modern .NET default).

The discussion in [2] should also be mentioned as they have led us
to a much better understanding of many aspects of this intricate setting.

Types of Changes

Checklist

  • I have read the CONTRIBUTING.md document
  • I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
  • All tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)
  • Any dependent changes have been merged and published in related repositories

Further Comments

Should address #764.

  1. mysql-net/MySqlConnector@715c3b5
  2. ArgumentException when using SslProtocols.None robinrodricks/FluentFTP#452 (comment)

@michaelklishin
Fall back to TLSv1.2 when System.Security.Authentication.SslProtocols…
8398be5 
….None is disabled/unavailable

See #764 for background. In some environments we cannot assume
that SslProtocols.None will behave as expected:

 * It can be disabled via app context and other means
 * Its effective behavior is different between .NET versions according
   to .NET community blog posts and GitHub issues

So we borrow from [1] and special case this exception to retry with an
explicitly defined version (TLSv1.2, same as modern .NET default).

The discussion in [2] should also be mentioned as they have lead us
to understanding of many aspects of this intricate setting.

1. mysql-net/MySqlConnector@715c3b5
2. robinrodricks/FluentFTP#452 (comment)
@michaelklishin michaelklishin mentioned this pull request Mar 23, 2020
Closed
bording
bording reviewed Mar 23, 2020
View reviewed changes
@michaelklishin
Use assembly visibility here
25d2636 
Per @bording suggestion.

Plus some drive by cosmetic comment changes.
@michaelklishin
Update APIApproval test expectations
aed0758
bording
bording reviewed Mar 23, 2020
View reviewed changes
@bording
Copy link
Collaborator

bording commented Mar 23, 2020

FYI there will be some conflicts between this and #763 because I've made SslHelper internal and moved the file to to the impl folder.

@michaelklishin
Remove ConnectionFactory#Tls alias
304f976 
The dream of eradicating "SSL" everywhere we can over a decade
after the name has been deprecated is still alive, though.

(cherry picked from commit 1631482)
@bording
Copy link
Collaborator

bording commented Mar 23, 2020

The dream of eradicating "SSL" everywhere we can over a decade
after the name has been deprecated is still alive, though.

@michaelklishin Since we're already making breaking changes for 6.0, we could consider just renaming this class and dropping "SSL".

michaelklishin referenced this pull request Mar 23, 2020
@lukebakken
Let operating system choose which TLS version to use
fe39d6e 
This is the recommendation according to the official docs:

https://docs.microsoft.com/en-us/dotnet/api/system.security.authentication.sslprotocols?view=netcore-2.2
@michaelklishin
Copy link
Contributor Author

Given that 6.0 introduces substantial resource footprint improvements, I'd like the upgrade to it to be as straightforward as possible, so renaming can wait. "SSL" in naming is probably not something many care about anyway.

@michaelklishin
Copy link
Contributor Author

@bording I suspect this PR will go in first as it is arguably a bug fix. I'm afraid some adjustments ot your PR would be necessary. I can do them if you want.

@bording
Copy link
Collaborator

bording commented Mar 23, 2020

@bording I suspect this PR will go in first as it is arguably a bug fix. I'm afraid some adjustments ot your PR would be necessary. I can do them if you want.

I can make the adjustments.

@lukebakken lukebakken self-assigned this Mar 23, 2020
@lukebakken lukebakken added this to the 6.0.0 milestone Mar 23, 2020
@lukebakken lukebakken merged commit 4577442 into master Mar 24, 2020
@lukebakken lukebakken deleted the rabbitmq-dotnet-client-764 branch March 24, 2020 15:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bording bording bording left review comments

@lukebakken lukebakken lukebakken approved these changes

Assignees

@lukebakken lukebakken

Labels
bug effort-low
Projects
None yet
Milestone
6.0.0
Development

Successfully merging this pull request may close these issues.
3 participants
@michaelklishin @bording @lukebakken