rabbitmq · lukebakken · Mar 24, 2020 · Mar 23, 2020 · Mar 23, 2020 · Mar 23, 2020
diff --git a/projects/client/RabbitMQ.Client/src/client/api/AmqpTcpEndpoint.cs b/projects/client/RabbitMQ.Client/src/client/api/AmqpTcpEndpoint.cs
@@ -184,11 +184,6 @@ public IProtocol Protocol
         /// </summary>
         public SslOption Ssl { get; set; }
 
-        public SslOption Tls { 
-            get { return this.Ssl; }
-            set { this.Ssl = value; }
-        }
-
         /// <summary>
         /// Construct an instance from a protocol and an address in "hostname:port" format.
         /// </summary>

diff --git a/projects/client/RabbitMQ.Client/src/client/api/ConnectionFactory.cs b/projects/client/RabbitMQ.Client/src/client/api/ConnectionFactory.cs
@@ -245,14 +245,6 @@ public TimeSpan ContinuationTimeout
         /// </summary>
         public SslOption Ssl { get; set; } = new SslOption();
 
-        /// <summary>
-        /// TLS options setting.
-        /// </summary>
-        public SslOption Tls {
-            get { return this.Ssl; }
-            set { this.Ssl = value; }
-        }
-
         /// <summary>
         /// Set to false to make automatic connection recovery not recover topology (exchanges, queues, bindings, etc).
         /// Defaults to true.

diff --git a/projects/client/RabbitMQ.Client/src/client/api/SslHelper.cs b/projects/client/RabbitMQ.Client/src/client/api/SslHelper.cs
@@ -41,6 +41,7 @@
 using System;
 using System.IO;
 using System.Net.Security;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 
 namespace RabbitMQ.Client
@@ -59,21 +60,32 @@ private SslHelper(SslOption sslOption)
         }
 
         /// <summary>
-        /// Upgrade a Tcp stream to an Ssl stream using the SSL options provided.
+        /// Upgrade a Tcp stream to an Ssl stream using the TLS options provided.
         /// </summary>
-        public static Stream TcpUpgrade(Stream tcpStream, SslOption sslOption)
+        public static Stream TcpUpgrade(Stream tcpStream, SslOption options)
         {
-            var helper = new SslHelper(sslOption);
+            var helper = new SslHelper(options);
 
             RemoteCertificateValidationCallback remoteCertValidator =
-                sslOption.CertificateValidationCallback ?? helper.CertificateValidationCallback;
+                options.CertificateValidationCallback ?? helper.CertificateValidationCallback;
             LocalCertificateSelectionCallback localCertSelector =
-                sslOption.CertificateSelectionCallback ?? helper.CertificateSelectionCallback;
+                options.CertificateSelectionCallback ?? helper.CertificateSelectionCallback;
 
             var sslStream = new SslStream(tcpStream, false, remoteCertValidator, localCertSelector);
 
-            sslStream.AuthenticateAsClientAsync(sslOption.ServerName, sslOption.Certs, sslOption.Version,
-                                                sslOption.CheckCertificateRevocation).GetAwaiter().GetResult();
+            Action<SslOption> TryAuthenticating = (SslOption opts) => {
+                sslStream.AuthenticateAsClientAsync(opts.ServerName, opts.Certs, opts.Version,
+                                                    opts.CheckCertificateRevocation).GetAwaiter().GetResult();
+            };
+            try {
+                TryAuthenticating(options);
+            } catch(ArgumentException e) when (e.ParamName == "sslProtocolType" && options.Version == SslProtocols.None) {
+                // SslProtocols.None is dysfunctional in this environment, possibly due to TLS version restrictions
+                // in the app context, system or .NET version-specific behavior. See rabbitmq/rabbitmq-dotnet-client#764
+                // for background.
+                options.UseFallbackTlsVersions();
+                TryAuthenticating(options);
+            }
 
             return sslStream;
         }

diff --git a/projects/client/RabbitMQ.Client/src/client/api/SslOption.cs b/projects/client/RabbitMQ.Client/src/client/api/SslOption.cs
@@ -75,7 +75,7 @@ public SslOption()
         }
 
         /// <summary>
-        /// Retrieve or set the set of ssl policy errors that are deemed acceptable.
+        /// Retrieve or set the set of TLS policy errors that are deemed acceptable.
         /// </summary>
         public SslPolicyErrors AcceptablePolicyErrors { get; set; }
 
@@ -90,13 +90,13 @@ public SslOption()
         public string CertPath { get; set; }
 
         /// <summary>
-        /// An optional client specified SSL certificate selection callback.  If this is not specified,
+        /// An optional client specified TLS certificate selection callback.  If this is not specified,
         /// the first valid certificate found will be used.
         /// </summary>
         public LocalCertificateSelectionCallback CertificateSelectionCallback { get; set; }
 
         /// <summary>
-        /// An optional client specified SSL certificate validation callback.  If this is not specified,
+        /// An optional client specified TLS certificate validation callback.  If this is not specified,
         /// the default callback will be used in conjunction with the <see cref="AcceptablePolicyErrors"/> property to
         /// determine if the remote server certificate is valid.
         /// </summary>
@@ -135,19 +135,30 @@ public X509CertificateCollection Certs
         public bool CheckCertificateRevocation { get; set; }
 
         /// <summary>
-        /// Flag specifying if Ssl should indeed be used.
+        /// Flag specifying if TLS should indeed be used.
         /// </summary>
         public bool Enabled { get; set; }
 
         /// <summary>
         /// Retrieve or set server's Canonical Name.
-        /// This MUST match the CN on the Certificate else the SSL connection will fail.
+        /// This MUST match the Subject Alternative Name or CN on the Certificate else the TLS connection will fail.
         /// </summary>
         public string ServerName { get; set; }
 
         /// <summary>
         /// Retrieve or set the Ssl protocol version.
         /// </summary>
         public SslProtocols Version { get; set; }
+
+        /// <summary>
+        /// Reconfigures the instance to enable/use TLSv1.2.
+        /// Only used in environments where System.Security.Authentication.SslProtocols.None
+        /// is unavailable or effectively disabled, as reported by System.Net.ServicePointManager.
+        /// </summary>
+        internal SslProtocols UseFallbackTlsVersions()
+        {
+            this.Version = SslProtocols.Tls12;
+            return Version;
+        }
     }
 }
diff --git a/projects/client/Unit/src/unit/APIApproval.Approve.approved.txt b/projects/client/Unit/src/unit/APIApproval.Approve.approved.txt
@@ -548,7 +548,7 @@ namespace RabbitMQ.Client
     }
     public class SslHelper
     {
-        public static System.IO.Stream TcpUpgrade(System.IO.Stream tcpStream, RabbitMQ.Client.SslOption sslOption) { }
+        public static System.IO.Stream TcpUpgrade(System.IO.Stream tcpStream, RabbitMQ.Client.SslOption options) { }
     }
     public class SslOption
     {

diff --git a/projects/client/Unit/src/unit/TestAmqpUri.cs b/projects/client/Unit/src/unit/TestAmqpUri.cs
@@ -172,10 +172,10 @@ private static void AssertUriPartEquivalence(ConnectionFactory cf, string user,
             Assert.AreEqual(password, cf.Password);
             Assert.AreEqual(port, cf.Port);
             Assert.AreEqual(vhost, cf.VirtualHost);
-            Assert.AreEqual(tlsEnabled, cf.Tls.Enabled);
+            Assert.AreEqual(tlsEnabled, cf.Ssl.Enabled);
 
             Assert.AreEqual(port, cf.Endpoint.Port);
-            Assert.AreEqual(tlsEnabled, cf.Endpoint.Tls.Enabled);
+            Assert.AreEqual(tlsEnabled, cf.Endpoint.Ssl.Enabled);
         }
 
         private void ParseFailWith<T>(string uri) where T : Exception