Check the default TLS algorithms between a net461 client and a Core server. #252
Comments
Yes. The tests were showing Kestrel and HttpClient using different defaults for TLS algorithms/versions and failing to connect. We need to check the matrix of client, server, net461, netcoreapp2.0, and netcoreapp2.1.
@Tratcher Is this because Kestrel is using TLS 1.2 and net461 doesn't support it? Is this a matter of setting What was the exact mismatch? Is there anything else that can be configured?
The error did not specify what the mismatch was. I'm debugging it now. |
Ok, yes, this is an issue with the `ServicePointManager.SecurityProtocol` default, as expected. For net461 it still defaults to `SecurityProtocolType.Tls | SecurityProtocolType.Ssl3` (Kestrel's defaults are `SslProtocols.Tls12 | SslProtocols.Tls11`). The client's defaults were changed in 4.7: https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.6.2-4.7#networking So the net461 client and server defaults are incompatible. @blowdart This looks like an adoption blocker. Workaround: change the client or server value.
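The mismatch described in the comment above, as an added example that is not code from the issue thread or from the aspnet repositories. It computes the overlap between the net461 client default and the Kestrel default (both enums use the same bit values for the same TLS versions, so a bitwise AND is meaningful), then applies the client-side workaround the thread recommends. The Kestrel server-side alternative is shown only as a comment, since it needs the ASP.NET Core packages; the certificate variable `cert` there is assumed.

```csharp
// Added example, not from the issue thread or the aspnet repositories.
// Shows why a net461 HttpClient and a Kestrel 2.x server cannot negotiate a
// TLS session with their defaults, and the client-side fix.
using System;
using System.Net;
using System.Security.Authentication;

public static class TlsDefaultsCheck
{
    // Defaults as stated in the thread. Both enums share bit values
    // (Ssl3 = 48, Tls = 192, Tls11 = 768, Tls12 = 3072), so they can be ANDed.
    public static readonly SecurityProtocolType Net461ClientDefault =
        SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;

    public static readonly SslProtocols KestrelDefault =
        SslProtocols.Tls12 | SslProtocols.Tls11;

    // Protocol versions both sides allow. SslProtocols.None (0) means the
    // handshake fails before any HTTP request is sent.
    public static SslProtocols CommonProtocols(SecurityProtocolType client, SslProtocols server)
    {
        return (SslProtocols)client & server;
    }

    // Client-side workaround: opt the net461 process into TLS 1.1/1.2.
    // ServicePointManager is process-wide, so run this once at startup,
    // before the first HttpClient/HttpWebRequest call. On 4.7+ the default
    // is SystemDefault (the OS decides) and this is not needed.
    public static void ApplyClientWorkaround()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
    }

    public static void Main()
    {
        Console.WriteLine("Common before fix: " +
            CommonProtocols(Net461ClientDefault, KestrelDefault));   // None

        ApplyClientWorkaround();

        Console.WriteLine("Common after fix:  " +
            CommonProtocols(ServicePointManager.SecurityProtocol, KestrelDefault)); // Tls11, Tls12

        // Server-side alternative (Kestrel 2.x, Microsoft.AspNetCore.Server.Kestrel.Https).
        // This lowers the server to TLS 1.0 for every client, so prefer the client fix.
        // `cert` is an assumed X509Certificate2.
        //
        // options.Listen(IPAddress.Loopback, 5001, listenOptions =>
        //     listenOptions.UseHttps(new HttpsConnectionAdapterOptions
        //     {
        //         ServerCertificate = cert,
        //         SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls
        //     }));
    }
}
```

Run it on a net461 target: the first line prints `None`, which is the algorithm conflict the failing tests hit; after `ApplyClientWorkaround` the intersection is `Tls11, Tls12` and the handshake can complete.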
Is this only for 461, or does it also affect 462? If it's only 461 I don't think this is a blocker, as 461 is not a supported release. @Eilon can confirm. The workaround is to tell customers to change the client. The defaults on the server should be the most current and secure, IMO.
You need to change the client. Not the server. Obviously. |
I think we can close this as by design and provide guidance on docs. We should file an issue on the docs repo and fill in some details for when the writers get to write docs for 2.1 @Tratcher I leave it up to you. |
Everything before 4.7 is affected. |
Calling out HttpClient 4.6 in the Kestrel docs seems a bit out of place. Note this is not a new problem, it's been this way since 1.0.0-rc2. aspnet/KestrelHttpServer#637. I don't see any complaints about this in the Kestrel repo or StackOverflow. I'm going to close this for now and we can react if we get additional feedback. |
@Tratcher Works for me |
From #251
Some tests started failing only on net461 with an algorithm conflict. We need to check the default TLS algorithms between a net461 HttpClient and a Core server.
@Tratcher is this accurate?