This repository has been archived by the owner on Nov 21, 2018. It is now read-only.

Check the default TLS algorithms between a net461 client and a Core server. #252

Closed
javiercn opened this issue Dec 22, 2017 · 10 comments
Labels
1 - Ready investigate Investigation item

Comments

@javiercn
Member

From #251

Some tests started failing only on net461 with an algorithm conflict. We need to check the default TLS algorithms between a net461 HttpClient and a Core server.

@Tratcher is this accurate?

@Tratcher
Member

Yes. The tests were showing Kestrel and HttpClient using different defaults for TLS algorithms/versions and failing to connect. We need to check the matrix of client, server, net461, netcoreapp2.0, and netcoreapp2.1.

@javiercn
Member Author

@Tratcher Is this because Kestrel is using TLS1.2 and .net461 doesn't support it? Is this a matter of setting ServicePointManager.SecurityProtocol to TLS1.2?

What was the exact mismatch, is there anything else that can be configured?
Should we do anything at all, or just tell full framework clients on net461 (which is, btw, unsupported) to set it to TLS1.2 or to upgrade to a newer (and supported) version of the framework, like 462 or 4.7?

@Tratcher
Member

The error did not specify what the mismatch was. I'm debugging it now.

@Tratcher
Member

Ok, yes this is an issue with the ServicePointManager.SecurityProtocol default as expected. For net461 it still defaults to SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 (Kestrel's defaults are SslProtocols.Tls12 | SslProtocols.Tls11). The client's defaults were changed in 4.7 https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.6.2-4.7#networking

So the net461 client and server defaults are incompatible. @blowdart This looks like an adoption blocker.

Workaround: change the client or server value.
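An added example (not code from the issue or the Kestrel project) that makes the mismatch above concrete: it compares the net461 client default against Kestrel's default and applies the client-side workaround; the `https://localhost:5001/` endpoint is a placeholder for the Kestrel server under test.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;

// Added example: why a pre-4.7 HttpClient cannot complete a TLS handshake with
// a default Kestrel server, and the client-side fix mentioned in the thread.
static class TlsDefaultsDemo
{
    // Kestrel's server defaults as stated in the thread.
    const SslProtocols KestrelDefaults = SslProtocols.Tls12 | SslProtocols.Tls11;

    // The net461 (pre-4.7) HttpClient defaults as stated in the thread.
    const SecurityProtocolType Net461ClientDefaults =
        SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;

    // True when client and server share at least one protocol version.
    // SecurityProtocolType and SslProtocols use the same underlying flag values,
    // so the cast preserves meaning.
    static bool CanNegotiate(SecurityProtocolType client, SslProtocols server)
        => ((SslProtocols)client & server) != SslProtocols.None;

    static void Main()
    {
        // Default vs default: no common version, so the handshake fails.
        Console.WriteLine(
            $"net461 default vs Kestrel default: {CanNegotiate(Net461ClientDefaults, KestrelDefaults)}");

        // Workaround: opt the client into TLS 1.2 before the first request.
        // This is process-wide for the full-framework HttpClient handler stack.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        Console.WriteLine(
            $"after setting Tls12: {CanNegotiate(ServicePointManager.SecurityProtocol, KestrelDefaults)}");

        using (var client = new HttpClient())
        {
            // Placeholder endpoint (assumption): a Kestrel server with default HTTPS settings.
            var response = client.GetAsync("https://localhost:5001/").GetAwaiter().GetResult();
            Console.WriteLine($"status: {(int)response.StatusCode}");
        }
    }
}
```

On 4.7 and later the framework default is `SecurityProtocolType.SystemDefault`, so the explicit assignment is only needed on the older targets this thread discusses.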

@javiercn
Member Author

Is this only for 461 or does it also affect 462? If it’s only 461 I don’t think this is a blocker, as 461 is not a supported release. @Eilon can confirm. The workaround is to tell customers to change the client. The defaults on the server should be the most current and secure IMO.

@blowdart
Member

You need to change the client. Not the server. Obviously.

@javiercn
Member Author

I think we can close this as by design and provide guidance in the docs. We should file an issue on the docs repo and fill in some details for when the writers get to write docs for 2.1. @Tratcher I leave it up to you.

@Tratcher
Member

Everything before 4.7 is affected.

@Tratcher
Member

Calling out HttpClient 4.6 in the Kestrel docs seems a bit out of place. Note this is not a new problem; it's been this way since 1.0.0-rc2 (aspnet/KestrelHttpServer#637). I don't see any complaints about this in the Kestrel repo or StackOverflow. I'm going to close this for now and we can react if we get additional feedback.

@javiercn
Member Author

@Tratcher Works for me
