Mark SslProtocols.Tls and SslProtocols.Tls11 as obsolete (dotnet#65773)

Fixes dotnet#65546

Author: rzikm

docs/project/list-of-diagnostics.md

@@ -92,6 +92,8 @@ The PR that reveals the implementation of the `<IncludeInternalObsoleteAttribute
 |  __`SYSLIB0035`__ | ComputeCounterSignature without specifying a CmsSigner is obsolete and is not supported. Use the overload that accepts a CmsSigner. |
 |  __`SYSLIB0036`__ | Regex.CompileToAssembly is obsolete and not supported. Use RegexGeneratorAttribute with the regular expression source generator instead. |
 |  __`SYSLIB0037`__ | AssemblyName members HashAlgorithm, ProcessorArchitecture, and VersionCompatibility are obsolete and not supported. |
+|  __`SYSLIB0038`__ | SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information. |
+|  __`SYSLIB0039`__ | TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults. |
 
 ## Analyzer Warnings
 

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs

@@ -99,7 +99,9 @@ private static SslProtocols CalculateEffectiveProtocols(SslAuthenticationOptions
                     // we are using default settings but cipher suites policy says that TLS 1.3
                     // is not compatible with our settings (i.e. we requested no encryption or disabled
                     // all TLS 1.3 cipher suites)
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                     protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
                 }
                 else
                 {

src/libraries/Common/src/System/Net/SecurityProtocol.cs

@@ -11,7 +11,9 @@ internal static class SecurityProtocol
 #if !NETSTANDARD2_0 && !NETSTANDARD2_1 && !NETFRAMEWORK
             SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 
         public const SslProtocols SystemDefaultSecurityProtocols = SslProtocols.None;
     }

src/libraries/Common/src/System/Obsoletions.cs

@@ -126,5 +126,8 @@ internal static class Obsoletions
 
         internal const string SystemDataSerializationFormatBinaryMessage = "SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information.";
         internal const string SystemDataSerializationFormatBinaryDiagId = "SYSLIB0038";
+
+        internal const string TlsVersion10and11Message = "TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.";
+        internal const string TlsVersion10and11DiagId = "SYSLIB0039";
     }
 }

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AcceptAllCerts.cs

@@ -36,19 +36,23 @@ public void SingletonReturnsTrue()
         [Theory]
         [InlineData(SslProtocols.Tls12, false)] // try various protocols to ensure we correctly set versions even when accepting all certs
         [InlineData(SslProtocols.Tls12, true)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
 #if !NETFRAMEWORK
         [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
 #endif
+#pragma warning restore SYSLIB0039
         [InlineData(SslProtocols.None, false)]
         [InlineData(SslProtocols.None, true)]
         public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol, bool requestOnlyThisProtocol)
         {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             // Overriding flag for the same reason we skip tests on Catalina
             // On OSX 10.13-10.14 we can override this flag to enable the scenario
             requestOnlyThisProtocol |= PlatformDetection.IsOSX && acceptedProtocol == SslProtocols.Tls;
+#pragma warning restore SYSLIB0039
 
             using (HttpClientHandler handler = CreateHttpClientHandler())
             using (HttpClient client = CreateHttpClient(handler))
@@ -65,11 +69,13 @@ public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol,
                     // restrictions on minimum TLS/SSL version
                     // We currently know that some platforms like Debian 10 OpenSSL
                     // will by default block < TLS 1.2
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 #if !NETFRAMEWORK
                     handler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 #else
                     handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 #endif
+#pragma warning restore SYSLIB0039
                 }
 
                 var options = new LoopbackServer.Options { UseSsl = true, SslProtocols = acceptedProtocol };

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.SslProtocols.cs

@@ -36,6 +36,7 @@ public void DefaultProtocols_MatchesExpected()
 
         [Theory]
         [InlineData(SslProtocols.None)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
         [InlineData(SslProtocols.Tls)]
         [InlineData(SslProtocols.Tls11)]
         [InlineData(SslProtocols.Tls12)]
@@ -50,6 +51,7 @@ public void DefaultProtocols_MatchesExpected()
         [InlineData(SslProtocols.Tls | SslProtocols.Tls13)]
         [InlineData(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13)]
 #endif
+#pragma warning restore SYSLIB0039
         public void SetGetProtocols_Roundtrips(SslProtocols protocols)
         {
             using (HttpClientHandler handler = CreateHttpClientHandler())
@@ -119,12 +121,14 @@ public async Task GetAsync_AllowedSSLVersion_Succeeds(SslProtocols acceptedProto
                     // We currently know that some platforms like Debian 10 OpenSSL
                     // will by default block < TLS 1.2
 #pragma warning disable 0618 // SSL2/3 are deprecated
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 #if !NETFRAMEWORK
                     handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
 #else
                     handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | (SslProtocols)12288;
 #endif
 #pragma warning restore 0618
+#pragma warning restore SYSLIB0039
                 }
 
                 // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
@@ -162,6 +166,7 @@ public static IEnumerable<object[]> SupportedSSLVersionServers()
                 yield return new object[] { SslProtocols.Ssl3, Configuration.Http.SSLv3RemoteServer };
             }
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if (PlatformDetection.SupportsTls10)
             {
                 yield return new object[] { SslProtocols.Tls, Configuration.Http.TLSv10RemoteServer };
@@ -171,6 +176,7 @@ public static IEnumerable<object[]> SupportedSSLVersionServers()
             {
                 yield return new object[] { SslProtocols.Tls11, Configuration.Http.TLSv11RemoteServer };
             }
+#pragma warning restore SYSLIB0039
 
             if (PlatformDetection.SupportsTls12)
             {
@@ -262,16 +268,20 @@ await TestHelper.WhenAllCompletedOrAnyFailed(
         [InlineData(SslProtocols.Ssl2, SslProtocols.Tls12)]
         [InlineData(SslProtocols.Ssl3, SslProtocols.Tls12)]
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
         [InlineData(SslProtocols.Tls11, SslProtocols.Tls)]
         [InlineData(SslProtocols.Tls11 | SslProtocols.Tls12, SslProtocols.Tls)] // Skip this on WinHttpHandler.
         [InlineData(SslProtocols.Tls12, SslProtocols.Tls11)]
         [InlineData(SslProtocols.Tls, SslProtocols.Tls12)]
+#pragma warning restore SYSLIB0039
         public async Task GetAsync_AllowedClientSslVersionDiffersFromServer_ThrowsException(
             SslProtocols allowedClientProtocols, SslProtocols acceptedServerProtocols)
         {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if (IsWinHttpHandler &&
                 allowedClientProtocols == (SslProtocols.Tls11 | SslProtocols.Tls12) &&
                 acceptedServerProtocols == SslProtocols.Tls)
+#pragma warning restore SYSLIB0039
             {
                 // Native WinHTTP sometimes uses multiple TCP connections to try other TLS protocols when
                 // getting TLS protocol failures as part of its TLS fallback algorithm. The loopback server

src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs

@@ -436,7 +436,9 @@ public Options()
 #if !NETSTANDARD2_0 && !NETFRAMEWORK
                 SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
             }
         }
 

src/libraries/Common/tests/System/Net/SslProtocolSupport.cs

@@ -14,9 +14,11 @@ public class SslProtocolSupport
 #if !NETSTANDARD2_0
             SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 
         public const SslProtocols NonTls13Protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 
         public static SslProtocols SupportedSslProtocols
         {
@@ -29,6 +31,7 @@ public static SslProtocols SupportedSslProtocols
                     supported |= SslProtocols.Ssl3;
                 }
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 if (PlatformDetection.SupportsTls10)
                 {
                     supported |= SslProtocols.Tls;
@@ -38,6 +41,7 @@ public static SslProtocols SupportedSslProtocols
                 {
                     supported |= SslProtocols.Tls11;
                 }
+#pragma warning restore SYSLIB0039
 
                 if (PlatformDetection.SupportsTls12)
                 {

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

@@ -1188,6 +1188,7 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
             }
 #pragma warning restore 0618
 
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if ((sslProtocols & SslProtocols.Tls) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
@@ -1197,6 +1198,7 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;
             }
+#pragma warning restore SYSLIB0039
 
             if ((sslProtocols & SslProtocols.Tls12) != 0)
             {

src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/WinHttpHandlerTest.cs

@@ -562,7 +562,9 @@ public void SslProtocols_SetUsingNone_Success()
 
         [Theory]
         [InlineData(
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
             Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
             Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
             Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2)]

src/libraries/System.Net.Primitives/ref/System.Net.Primitives.cs

@@ -516,9 +516,11 @@ public enum SslProtocols
         Ssl2 = 12,
         [System.ObsoleteAttribute("SslProtocols.Ssl3 has been deprecated and is not supported.")]
         Ssl3 = 48,
+        [System.ObsoleteAttribute("TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.", DiagnosticId = "SYSLIB0039", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
         Tls = 192,
         [System.ObsoleteAttribute("SslProtocols.Default has been deprecated and is not supported.")]
         Default = 240,
+        [System.ObsoleteAttribute("TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.", DiagnosticId = "SYSLIB0039", UrlFormat = "https://aka.ms/dotnet-warnings/{0}")]
         Tls11 = 768,
         Tls12 = 3072,
         Tls13 = 12288,
@@ -528,8 +530,8 @@ namespace System.Security.Authentication.ExtendedProtection
 {
     public abstract partial class ChannelBinding : Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid
     {
-        protected ChannelBinding() : base (default(bool)) { }
-        protected ChannelBinding(bool ownsHandle) : base (default(bool)) { }
+        protected ChannelBinding() : base(default(bool)) { }
+        protected ChannelBinding(bool ownsHandle) : base(default(bool)) { }
         public abstract int Size { get; }
     }
     public enum ChannelBindingKind

src/libraries/System.Net.Primitives/src/System.Net.Primitives.csproj

@@ -86,6 +86,9 @@
              Link="Common\Interop\Windows\SChannel\Interop.SchProtocols.cs" />
     <Compile Include="$(CommonPath)Interop\Windows\WinSock\Interop.ErrorCodes.cs"
              Link="Common\Interop\Windows\WinSock\Interop.ErrorCodes.cs" />
+    <!-- Common -->
+    <Compile Include="$(CommonPath)System\Obsoletions.cs" 
+             Link="Common\System\Obsoletions.cs" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetPlatformIdentifier)' == 'windows'">
     <Compile Include="System\Net\SocketException.Windows.cs" />

src/libraries/System.Net.Primitives/src/System/Net/SecureProtocols/SslEnumTypes.cs

@@ -10,12 +10,17 @@ namespace System.Security.Authentication
     public enum SslProtocols
     {
         None = 0,
+        [System.ObsoleteAttribute("SslProtocols.Ssl2 has been deprecated and is not supported.")]
         Ssl2 = Interop.SChannel.SP_PROT_SSL2,
+        [System.ObsoleteAttribute("SslProtocols.Ssl3 has been deprecated and is not supported.")]
         Ssl3 = Interop.SChannel.SP_PROT_SSL3,
+        [System.ObsoleteAttribute(Obsoletions.TlsVersion10and11Message, DiagnosticId = Obsoletions.TlsVersion10and11DiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
         Tls = Interop.SChannel.SP_PROT_TLS1_0,
+        [System.ObsoleteAttribute(Obsoletions.TlsVersion10and11Message, DiagnosticId = Obsoletions.TlsVersion10and11DiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
         Tls11 = Interop.SChannel.SP_PROT_TLS1_1,
         Tls12 = Interop.SChannel.SP_PROT_TLS1_2,
         Tls13 = Interop.SChannel.SP_PROT_TLS1_3,
+        [System.ObsoleteAttribute("SslProtocols.Default has been deprecated and is not supported.")]
         Default = Ssl3 | Tls
     }
 

src/libraries/System.Net.Security/src/System.Net.Security.csproj

@@ -94,6 +94,8 @@
              Link="Common\System\Net\SecurityStatusPal.cs" />
     <Compile Include="$(CommonPath)System\HexConverter.cs"
              Link="Common\System\HexConverter.cs" />
+    <Compile Include="$(CommonPath)System\Obsoletions.cs" 
+             Link="Common\System\Obsoletions.cs" />
   </ItemGroup>
   <!-- This file depends on IANA registry. We do not want anyone's build to break after the update -->
   <!-- or if they don't have internet connection - explicit opt-in required -->

src/libraries/System.Net.Security/src/System/Net/Security/NetSecurityTelemetry.cs

@@ -179,6 +179,7 @@ public void HandshakeCompleted(SslProtocols protocol, ValueStopwatch stopwatch,
 
             switch (protocol)
             {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 case SslProtocols.Tls:
                     protocolSessionsOpen = ref _sessionsOpenTls10;
                     handshakeDurationCounter = _handshakeDurationTls10Counter;
@@ -188,6 +189,7 @@ public void HandshakeCompleted(SslProtocols protocol, ValueStopwatch stopwatch,
                     protocolSessionsOpen = ref _sessionsOpenTls11;
                     handshakeDurationCounter = _handshakeDurationTls11Counter;
                     break;
+#pragma warning restore SYSLIB0039
 
                 case SslProtocols.Tls12:
                     protocolSessionsOpen = ref _sessionsOpenTls12;
@@ -220,13 +222,15 @@ public void ConnectionClosed(SslProtocols protocol)
 
             switch (protocol)
             {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 case SslProtocols.Tls:
                     count = Interlocked.Decrement(ref _sessionsOpenTls10);
                     break;
 
                 case SslProtocols.Tls11:
                     count = Interlocked.Decrement(ref _sessionsOpenTls11);
                     break;
+#pragma warning restore SYSLIB0039
 
                 case SslProtocols.Tls12:
                     count = Interlocked.Decrement(ref _sessionsOpenTls12);

src/libraries/System.Net.Security/src/System/Net/Security/Pal.Android/SafeDeleteSslContext.cs

@@ -22,8 +22,10 @@ internal sealed class SafeDeleteSslContext : SafeDeleteContext
         private const int InitialBufferSize = 2048;
         private static readonly SslProtocols[] s_orderedSslProtocols = new SslProtocols[]
         {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls,
             SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
             SslProtocols.Tls12,
             SslProtocols.Tls13,
         };
@@ -224,7 +226,7 @@ private static void InitializeSslContext(
             Interop.AndroidCrypto.SSLStreamInitialize(handle, isServer, readCallback, writeCallback, InitialBufferSize);
 
             if (credential.Protocols != SslProtocols.None)
-            {;
+            {
                 SslProtocols protocolsToEnable = credential.Protocols & s_supportedSslProtocols.Value;
                 if (protocolsToEnable == 0)
                 {

src/libraries/System.Net.Security/src/System/Net/Security/Pal.OSX/SafeDeleteSslContext.cs

@@ -339,8 +339,10 @@ internal int ReadPendingWrites(byte[] buf, int offset, int count)
             SslProtocols.Ssl2,
             SslProtocols.Ssl3,
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls,
             SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
             SslProtocols.Tls12
         };
 

src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Android.cs

@@ -17,8 +17,10 @@ public SslConnectionInfo(SafeSslHandle sslContext)
 #pragma warning disable 0618 // 'SslProtocols.Ssl3' is obsolete
                 "SSLv3" => SslProtocols.Ssl3,
 #pragma warning restore
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 "TLSv1" => SslProtocols.Tls,
                 "TLSv1.1" => SslProtocols.Tls11,
+#pragma warning restore SYSLIB0039
                 "TLSv1.2" => SslProtocols.Tls12,
                 "TLSv1.3" => SslProtocols.Tls13,
                 _ => SslProtocols.None,

src/libraries/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Linux.cs

@@ -48,13 +48,15 @@ private unsafe SslProtocols MapProtocolVersion(IntPtr protocolVersion)
                 {
                     if (b[5] == '\0')
                     {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                         return SslProtocols.Tls;
                     }
                     else if (b[5] == '.' && b[6] != '\0' && b[7] == '\0')
                     {
                         switch (b[6])
                         {
                             case (byte)'1': return SslProtocols.Tls11;
+#pragma warning restore SYSLIB0039
                             case (byte)'2': return SslProtocols.Tls12;
                             case (byte)'3': return SslProtocols.Tls13;
                         }

src/libraries/System.Net.Security/src/System/Net/Security/SslStream.cs

@@ -455,8 +455,8 @@ public virtual Task AuthenticateAsClientAsync(string targetHost, X509Certificate
         {
             SslClientAuthenticationOptions options = new SslClientAuthenticationOptions()
             {
-                TargetHost =  targetHost,
-                ClientCertificates =  clientCertificates,
+                TargetHost = targetHost,
+                ClientCertificates = clientCertificates,
                 EnabledSslProtocols = enabledSslProtocols,
                 CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
                 EncryptionPolicy = _encryptionPolicy,
@@ -600,6 +600,7 @@ private SslProtocols GetSslProtocolInternal()
             }
 #pragma warning restore
 
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if ((proto & SslProtocols.Tls) != 0)
             {
                 ret |= SslProtocols.Tls;
@@ -609,6 +610,7 @@ private SslProtocols GetSslProtocolInternal()
             {
                 ret |= SslProtocols.Tls11;
             }
+#pragma warning restore SYSLIB0039
 
             if ((proto & SslProtocols.Tls12) != 0)
             {