Change supported TLS protocol versions #1096
Comments
@csaba-sagi-sonarsource Can you help me understand what the current code enforces? Does it restrict users from using newer (more secure) TLS versions such as 1.3? I think it's desirable to let the OS negotiate the most secure TLS version it can and we stay out of it if that's possible, could we just set to SystemDefault? It seems the SQ does not do anything specific and it is left to the server configuration.
The current code enforces the usage of TLS 1.0, 1.1 and 1.2 and restricts the usage of any other version (1.3). If we use the SystemDefault we might still end up using versions 1.0 and 1.1, as they are enabled even for Windows 11. However, administrators have the possibility to configure the OS to enforce newer versions.
@csaba-sagi-sonarsource my only mention is that according to https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=net-6.0, it is SystemDefault only for
You are right, I'll take a look at what the default value is on lower versions, as it might be that it will not work for those versions.
The WebClientDownloader supports only TLS1.0, TLS1.1 and TLS1.2 versions, but the latest is TLS1.3 which should be supported too.
Where possible the SystemDefault version should be used which allows the operating system to choose the best protocol to use, and to block protocols that are not secure. For other cases versions TLS1.0, TLS1.1, TLS1.2 and TLS1.3 should be set.
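An added C# example (not the project's code) of the behaviour this issue asks for: leave `ServicePointManager.SecurityProtocol` untouched when the runtime already reports `SystemDefault`, and otherwise enable TLS 1.0 through 1.3, dropping TLS 1.3 if the runtime rejects it. The class and method names are hypothetical; the numeric constants are the documented values of the corresponding `SecurityProtocolType` members, written as casts so the code also compiles against frameworks whose enum lacks those names.

```csharp
using System;
using System.Net;

// Hypothetical helper, written for illustration only.
public static class TlsProtocolSetup
{
    // SecurityProtocolType.SystemDefault == 0 and SecurityProtocolType.Tls13 == 12288.
    private const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
    private const SecurityProtocolType Tls13 = (SecurityProtocolType)12288;

    // Versions listed in the issue text for the non-SystemDefault case.
    private const SecurityProtocolType Explicit =
        SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    public static SecurityProtocolType Configure()
    {
        // SystemDefault means the operating system picks the protocol and
        // honours any administrator policy that disables old versions.
        if (ServicePointManager.SecurityProtocol == SystemDefault)
        {
            return SystemDefault;
        }

        try
        {
            ServicePointManager.SecurityProtocol = Explicit | Tls13;
        }
        catch (NotSupportedException)
        {
            // The setter rejects flags this runtime does not know,
            // so fall back to the versions without TLS 1.3.
            ServicePointManager.SecurityProtocol = Explicit;
        }

        return ServicePointManager.SecurityProtocol;
    }

    public static void Main()
    {
        Console.WriteLine("Effective protocols: " + Configure());
    }
}
```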