Client should not enforce Tls12 only

[jonnybee]

protected BaseClient(ClientConfiguration clientConfiguration)
{
  ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
  ......
}

BaseClient should not change the SecurityProtocol like this in an application. Effectively this changes the behavior for ALL new ServicePoints to only accept Tls12 connections on SSL as ServicePointManager is a static class.
See: https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager?view=netframework-4.8

.NET 4.8/NET CORE 3.0 preview 9 includes support for Tls13 and I regard it as a bad decision to have an client api that change this behavior for the host application.
See: https://docs.microsoft.com/en-us/dotnet/api/system.net.securityprotocoltype?view=netframework-4.8

Your APIs on the serversside however should only accept Tls1.2 (or Tls1.3) connections.

I would propose to change the code to:

  ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol |
     SecuritySecurityProtocolType.Tls12;

which would ensure that Tls12 is enabled on the client.

Or you could remove this entirely and add this as a requirement in the documentation.

[jonnybee]

My opinion is that a client api should not change the global config of the host app. So the proper solution should be to remove this setting of ServicePointManager.SecurityProtocol and make sure to document this requirement in the docs.

[asjafjell]

What you suggest here is noteworthy and should definitely be looked into - the client should not set this globally. Let us look into what the default setting is for dotnet 2.1 projects across platforms, and set a default value if needed. If I understand this correctly, this line of code will actually change protocol for other applications running on the same host, and that is bad.

[jonnybee]

Yes, as the ServicePointManager is a static class this changes the allowed security protocols for the host application that use the api altho not for other applications. This is an api client librarary and it should not make global changes in the host application.

Did a small test myself on default values for ServicePointManager.SecurityProtocol:
.Net 4.6: Tls, Tls11, Tls12
.Net 4.8: Tls, Tls11, Tls12, Tls13

Starting with the .NET Framework 4.7, the default value of this property is SecurityProtocolType.SystemDefault (0) and description:
Allows the operating system to choose the best protocol to use, and to block protocols that are not secure. Unless your app has a specific reason not to, you should use this value.

I tested with .Net Core 2.1 and also here the default value is SecurityProtocolType.SystemDefault.

Tested with .Net Core 3.0.100-rc2 in LinqPad6 and the default here is Tls11, Tls12, Tls13.

[asjafjell]

This is now fixed in release 6.0.0