Mark SslProtocols.Tls and SslProtocols.Tls11 as obsolete (dotnet#65773)

Fixes dotnet#65546

Author: rzikm

docs/project/list-of-diagnostics.md

@@ -92,6 +92,8 @@ The PR that reveals the implementation of the `<IncludeInternalObsoleteAttribute
 |  __`SYSLIB0035`__ | ComputeCounterSignature without specifying a CmsSigner is obsolete and is not supported. Use the overload that accepts a CmsSigner. |
 |  __`SYSLIB0036`__ | Regex.CompileToAssembly is obsolete and not supported. Use RegexGeneratorAttribute with the regular expression source generator instead. |
 |  __`SYSLIB0037`__ | AssemblyName members HashAlgorithm, ProcessorArchitecture, and VersionCompatibility are obsolete and not supported. |
+|  __`SYSLIB0038`__ | SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information. |
+|  __`SYSLIB0039`__ | TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults. |
 
 ## Analyzer Warnings
 

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs

@@ -99,7 +99,9 @@ private static SslProtocols CalculateEffectiveProtocols(SslAuthenticationOptions
                     // we are using default settings but cipher suites policy says that TLS 1.3
                     // is not compatible with our settings (i.e. we requested no encryption or disabled
                     // all TLS 1.3 cipher suites)
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                     protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
                 }
                 else
                 {

src/libraries/Common/src/System/Net/SecurityProtocol.cs

@@ -11,7 +11,9 @@ internal static class SecurityProtocol
 #if !NETSTANDARD2_0 && !NETSTANDARD2_1 && !NETFRAMEWORK
             SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 
         public const SslProtocols SystemDefaultSecurityProtocols = SslProtocols.None;
     }

src/libraries/Common/src/System/Obsoletions.cs

@@ -126,5 +126,8 @@ internal static class Obsoletions
 
         internal const string SystemDataSerializationFormatBinaryMessage = "SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information.";
         internal const string SystemDataSerializationFormatBinaryDiagId = "SYSLIB0038";
+
+        internal const string TlsVersion10and11Message = "TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.";
+        internal const string TlsVersion10and11DiagId = "SYSLIB0039";
     }
 }

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AcceptAllCerts.cs

@@ -36,19 +36,23 @@ public void SingletonReturnsTrue()
         [Theory]
         [InlineData(SslProtocols.Tls12, false)] // try various protocols to ensure we correctly set versions even when accepting all certs
         [InlineData(SslProtocols.Tls12, true)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
 #if !NETFRAMEWORK
         [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
 #endif
+#pragma warning restore SYSLIB0039
         [InlineData(SslProtocols.None, false)]
         [InlineData(SslProtocols.None, true)]
         public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol, bool requestOnlyThisProtocol)
         {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             // Overriding flag for the same reason we skip tests on Catalina
             // On OSX 10.13-10.14 we can override this flag to enable the scenario
             requestOnlyThisProtocol |= PlatformDetection.IsOSX && acceptedProtocol == SslProtocols.Tls;
+#pragma warning restore SYSLIB0039
 
             using (HttpClientHandler handler = CreateHttpClientHandler())
             using (HttpClient client = CreateHttpClient(handler))
@@ -65,11 +69,13 @@ public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol,
                     // restrictions on minimum TLS/SSL version
                     // We currently know that some platforms like Debian 10 OpenSSL
                     // will by default block < TLS 1.2
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 #if !NETFRAMEWORK
                     handler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 #else
                     handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 #endif
+#pragma warning restore SYSLIB0039
                 }
 
                 var options = new LoopbackServer.Options { UseSsl = true, SslProtocols = acceptedProtocol };

src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.SslProtocols.cs

@@ -36,6 +36,7 @@ public void DefaultProtocols_MatchesExpected()
 
         [Theory]
         [InlineData(SslProtocols.None)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
         [InlineData(SslProtocols.Tls)]
         [InlineData(SslProtocols.Tls11)]
         [InlineData(SslProtocols.Tls12)]
@@ -50,6 +51,7 @@ public void DefaultProtocols_MatchesExpected()
         [InlineData(SslProtocols.Tls | SslProtocols.Tls13)]
         [InlineData(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13)]
 #endif
+#pragma warning restore SYSLIB0039
         public void SetGetProtocols_Roundtrips(SslProtocols protocols)
         {
             using (HttpClientHandler handler = CreateHttpClientHandler())
@@ -119,12 +121,14 @@ public async Task GetAsync_AllowedSSLVersion_Succeeds(SslProtocols acceptedProto
                     // We currently know that some platforms like Debian 10 OpenSSL
                     // will by default block < TLS 1.2
 #pragma warning disable 0618 // SSL2/3 are deprecated
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 #if !NETFRAMEWORK
                     handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
 #else
                     handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | (SslProtocols)12288;
 #endif
 #pragma warning restore 0618
+#pragma warning restore SYSLIB0039
                 }
 
                 // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
@@ -162,6 +166,7 @@ public static IEnumerable<object[]> SupportedSSLVersionServers()
                 yield return new object[] { SslProtocols.Ssl3, Configuration.Http.SSLv3RemoteServer };
             }
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if (PlatformDetection.SupportsTls10)
             {
                 yield return new object[] { SslProtocols.Tls, Configuration.Http.TLSv10RemoteServer };
@@ -171,6 +176,7 @@ public static IEnumerable<object[]> SupportedSSLVersionServers()
             {
                 yield return new object[] { SslProtocols.Tls11, Configuration.Http.TLSv11RemoteServer };
             }
+#pragma warning restore SYSLIB0039
 
             if (PlatformDetection.SupportsTls12)
             {
@@ -262,16 +268,20 @@ await TestHelper.WhenAllCompletedOrAnyFailed(
         [InlineData(SslProtocols.Ssl2, SslProtocols.Tls12)]
         [InlineData(SslProtocols.Ssl3, SslProtocols.Tls12)]
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
         [InlineData(SslProtocols.Tls11, SslProtocols.Tls)]
         [InlineData(SslProtocols.Tls11 | SslProtocols.Tls12, SslProtocols.Tls)] // Skip this on WinHttpHandler.
         [InlineData(SslProtocols.Tls12, SslProtocols.Tls11)]
         [InlineData(SslProtocols.Tls, SslProtocols.Tls12)]
+#pragma warning restore SYSLIB0039
         public async Task GetAsync_AllowedClientSslVersionDiffersFromServer_ThrowsException(
             SslProtocols allowedClientProtocols, SslProtocols acceptedServerProtocols)
         {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if (IsWinHttpHandler &&
                 allowedClientProtocols == (SslProtocols.Tls11 | SslProtocols.Tls12) &&
                 acceptedServerProtocols == SslProtocols.Tls)
+#pragma warning restore SYSLIB0039
             {
                 // Native WinHTTP sometimes uses multiple TCP connections to try other TLS protocols when
                 // getting TLS protocol failures as part of its TLS fallback algorithm. The loopback server

src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs

@@ -436,7 +436,9 @@ public Options()
 #if !NETSTANDARD2_0 && !NETFRAMEWORK
                 SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
             }
         }
 

src/libraries/Common/tests/System/Net/SslProtocolSupport.cs

@@ -14,9 +14,11 @@ public class SslProtocolSupport
 #if !NETSTANDARD2_0
             SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 
         public const SslProtocols NonTls13Protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 
         public static SslProtocols SupportedSslProtocols
         {
@@ -29,6 +31,7 @@ public static SslProtocols SupportedSslProtocols
                     supported |= SslProtocols.Ssl3;
                 }
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
                 if (PlatformDetection.SupportsTls10)
                 {
                     supported |= SslProtocols.Tls;
@@ -38,6 +41,7 @@ public static SslProtocols SupportedSslProtocols
                 {
                     supported |= SslProtocols.Tls11;
                 }
+#pragma warning restore SYSLIB0039
 
                 if (PlatformDetection.SupportsTls12)
                 {

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

@@ -1188,6 +1188,7 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
             }
 #pragma warning restore 0618
 
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             if ((sslProtocols & SslProtocols.Tls) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
@@ -1197,6 +1198,7 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;
             }
+#pragma warning restore SYSLIB0039
 
             if ((sslProtocols & SslProtocols.Tls12) != 0)
             {

src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/WinHttpHandlerTest.cs

@@ -562,7 +562,9 @@ public void SslProtocols_SetUsingNone_Success()
 
         [Theory]
         [InlineData(
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
             SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
             Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
             Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
             Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2)]