
Commit b8f1a06

authored
Mark SslProtocols.Tls and SslProtocols.Tls11 as obsolete (dotnet#65773)
Fixes dotnet#65546
1 parent 7e35e93 commit b8f1a06

34 files changed

+161
-34
lines changed

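--- a/docs/project/list-of-diagnostics.md
+++ b/docs/project/list-of-diagnostics.md
@@ -92,6 +92,8 @@ The PR that reveals the implementation of the `<IncludeInternalObsoleteAttribute
 | __`SYSLIB0035`__ | ComputeCounterSignature without specifying a CmsSigner is obsolete and is not supported. Use the overload that accepts a CmsSigner. |
 | __`SYSLIB0036`__ | Regex.CompileToAssembly is obsolete and not supported. Use RegexGeneratorAttribute with the regular expression source generator instead. |
 | __`SYSLIB0037`__ | AssemblyName members HashAlgorithm, ProcessorArchitecture, and VersionCompatibility are obsolete and not supported. |
+| __`SYSLIB0038`__ | SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information. |
+| __`SYSLIB0039`__ | TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults. |
 
 ## Analyzer Warnings
 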
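--- a/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
+++ b/src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
@@ -99,7 +99,9 @@ private static SslProtocols CalculateEffectiveProtocols(SslAuthenticationOptions
 // we are using default settings but cipher suites policy says that TLS 1.3
 // is not compatible with our settings (i.e. we requested no encryption or disabled
 // all TLS 1.3 cipher suites)
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 }
 else
 {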
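Review bot: The fallback `protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;` is now wrapped in a SYSLIB0039 suppression, but nothing says why a branch the preceding comment describes as "default settings" keeps offering the two versions this commit declares vulnerable instead of narrowing to `SslProtocols.Tls12`. Silencing the diagnostic here is fine if it is deliberate, but a reader will otherwise take the suppression for an oversight, so put the reason next to the pragma, e.g. `// Intentionally keeps TLS 1.0/1.1 in the fallback so the pre-SYSLIB0039 default behavior is unchanged; revisit when they are dropped.` If keeping them was not a conscious choice, narrowing this line is the safer default because a caller on `SslProtocols.None` with a restrictive cipher-suite policy otherwise ends up offering TLS 1.0/1.1 without ever seeing the warning. CalculateEffectiveProtocols begins and ends outside the hunk, so I cannot see whether anything downstream filters the set again.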

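--- a/src/libraries/Common/src/System/Net/SecurityProtocol.cs
+++ b/src/libraries/Common/src/System/Net/SecurityProtocol.cs
@@ -11,7 +11,9 @@ internal static class SecurityProtocol
 #if !NETSTANDARD2_0 && !NETSTANDARD2_1 && !NETFRAMEWORK
 SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 
 public const SslProtocols SystemDefaultSecurityProtocols = SslProtocols.None;
 }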
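Review bot: The `#pragma warning disable SYSLIB0039` is inserted between `#endif` and the last operand of a multi-line constant initializer whose declaration line sits above the hunk, so the constant itself never says that it deliberately contains the two versions the commit obsoletes. Since the obsoletion message steers callers to `SslProtocols.None` and this class exposes exactly that as `SystemDefaultSecurityProtocols`, a comment on the declaration would make the intent of the suppression explicit, e.g. `// Deliberately includes the obsolete TLS 1.0/1.1 (SYSLIB0039); use SystemDefaultSecurityProtocols to defer to OS policy instead.` The same split-initializer shape appears in LoopbackServer.cs `Options()` and in the first hunk of SslProtocolSupport.cs, where the restore additionally covers the separate `NonTls13Protocols` constant; the note applies to those as well.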

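--- a/src/libraries/Common/src/System/Obsoletions.cs
+++ b/src/libraries/Common/src/System/Obsoletions.cs
@@ -126,5 +126,8 @@ internal static class Obsoletions
 
 internal const string SystemDataSerializationFormatBinaryMessage = "SerializationFormat.Binary is obsolete and should not be used. See https://aka.ms/serializationformat-binary-obsolete for more information.";
 internal const string SystemDataSerializationFormatBinaryDiagId = "SYSLIB0038";
+
+internal const string TlsVersion10and11Message = "TLS versions 1.0 and 1.1 have known vulnerabilities and are not recommended. Use a newer TLS version instead, or use SslProtocols.None to defer to OS defaults.";
+internal const string TlsVersion10and11DiagId = "SYSLIB0039";
 }
 }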

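--- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AcceptAllCerts.cs
+++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.AcceptAllCerts.cs
@@ -36,19 +36,23 @@ public void SingletonReturnsTrue()
 [Theory]
 [InlineData(SslProtocols.Tls12, false)] // try various protocols to ensure we correctly set versions even when accepting all certs
 [InlineData(SslProtocols.Tls12, true)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
 [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
 #if !NETFRAMEWORK
 [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
 [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
 #endif
+#pragma warning restore SYSLIB0039
 [InlineData(SslProtocols.None, false)]
 [InlineData(SslProtocols.None, true)]
 public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol, bool requestOnlyThisProtocol)
 {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 // Overriding flag for the same reason we skip tests on Catalina
 // On OSX 10.13-10.14 we can override this flag to enable the scenario
 requestOnlyThisProtocol |= PlatformDetection.IsOSX && acceptedProtocol == SslProtocols.Tls;
+#pragma warning restore SYSLIB0039
 
 using (HttpClientHandler handler = CreateHttpClientHandler())
 using (HttpClient client = CreateHttpClient(handler))
@@ -65,11 +69,13 @@ public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol,
 // restrictions on minimum TLS/SSL version
 // We currently know that some platforms like Debian 10 OpenSSL
 // will by default block < TLS 1.2
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 #if !NETFRAMEWORK
 handler.SslProtocols = SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 #else
 handler.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 #endif
+#pragma warning restore SYSLIB0039
 }
 
 var options = new LoopbackServer.Options { UseSsl = true, SslProtocols = acceptedProtocol };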
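Review bot: Wrapping every individual use of `SslProtocols.Tls`/`Tls11` in a disable/restore pair is noisy in a test file whose purpose is to exercise those versions: in the first hunk the pair splits the `[InlineData]` list of `SetDelegate_ConnectionSucceeds` from its remaining attributes, and a second pair is needed three lines later inside the body. A single `#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are exercised on purpose in these tests` near the top of the file (or of the test class) would cover all of them and leave the attribute lists and statements contiguous. The same pattern recurs in HttpClientHandlerTest.SslProtocols.cs, where one restore even lands between an `if (...)` condition and its `{`, and in WinHttpHandlerTest.cs, where the pair is placed inside an `[InlineData(` argument list. This is a style point; the directives are well-formed as written.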

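--- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.SslProtocols.cs
+++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.SslProtocols.cs
@@ -36,6 +36,7 @@ public void DefaultProtocols_MatchesExpected()
 
 [Theory]
 [InlineData(SslProtocols.None)]
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 [InlineData(SslProtocols.Tls)]
 [InlineData(SslProtocols.Tls11)]
 [InlineData(SslProtocols.Tls12)]
@@ -50,6 +51,7 @@ public void DefaultProtocols_MatchesExpected()
 [InlineData(SslProtocols.Tls | SslProtocols.Tls13)]
 [InlineData(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13)]
 #endif
+#pragma warning restore SYSLIB0039
 public void SetGetProtocols_Roundtrips(SslProtocols protocols)
 {
 using (HttpClientHandler handler = CreateHttpClientHandler())
@@ -119,12 +121,14 @@ public async Task GetAsync_AllowedSSLVersion_Succeeds(SslProtocols acceptedProto
 // We currently know that some platforms like Debian 10 OpenSSL
 // will by default block < TLS 1.2
 #pragma warning disable 0618 // SSL2/3 are deprecated
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 #if !NETFRAMEWORK
 handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
 #else
 handler.SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | (SslProtocols)12288;
 #endif
 #pragma warning restore 0618
+#pragma warning restore SYSLIB0039
 }
 
 // Use a different SNI for each connection to prevent TLS 1.3 renegotiation issue: https://github.com/dotnet/runtime/issues/47378
@@ -162,6 +166,7 @@ public static IEnumerable<object[]> SupportedSSLVersionServers()
 yield return new object[] { SslProtocols.Ssl3, Configuration.Http.SSLv3RemoteServer };
 }
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 if (PlatformDetection.SupportsTls10)
 {
 yield return new object[] { SslProtocols.Tls, Configuration.Http.TLSv10RemoteServer };
@@ -171,6 +176,7 @@ public static IEnumerable<object[]> SupportedSSLVersionServers()
 {
 yield return new object[] { SslProtocols.Tls11, Configuration.Http.TLSv11RemoteServer };
 }
+#pragma warning restore SYSLIB0039
 
 if (PlatformDetection.SupportsTls12)
 {
@@ -262,16 +268,20 @@ await TestHelper.WhenAllCompletedOrAnyFailed(
 [InlineData(SslProtocols.Ssl2, SslProtocols.Tls12)]
 [InlineData(SslProtocols.Ssl3, SslProtocols.Tls12)]
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 [InlineData(SslProtocols.Tls11, SslProtocols.Tls)]
 [InlineData(SslProtocols.Tls11 | SslProtocols.Tls12, SslProtocols.Tls)] // Skip this on WinHttpHandler.
 [InlineData(SslProtocols.Tls12, SslProtocols.Tls11)]
 [InlineData(SslProtocols.Tls, SslProtocols.Tls12)]
+#pragma warning restore SYSLIB0039
 public async Task GetAsync_AllowedClientSslVersionDiffersFromServer_ThrowsException(
 SslProtocols allowedClientProtocols, SslProtocols acceptedServerProtocols)
 {
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 if (IsWinHttpHandler &&
 allowedClientProtocols == (SslProtocols.Tls11 | SslProtocols.Tls12) &&
 acceptedServerProtocols == SslProtocols.Tls)
+#pragma warning restore SYSLIB0039
 {
 // Native WinHTTP sometimes uses multiple TCP connections to try other TLS protocols when
 // getting TLS protocol failures as part of its TLS fallback algorithm. The loopback server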
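Review bot: In the `GetAsync_AllowedSSLVersion_Succeeds` hunk the two suppressions are opened as 0618 then SYSLIB0039 but closed in the same order, `#pragma warning restore 0618` followed by `#pragma warning restore SYSLIB0039`, so the pairs interleave instead of nesting. The compiler does not care, but interleaved pairs are harder to audit when someone later removes one of them; swapping the two restore lines so SYSLIB0039 closes first keeps the scopes properly nested. The same ordering is worth a glance in the `SupportedSSLVersionServers` hunk, where the new disable directly follows the existing `#pragma warning restore 0618` and its restore sits in a later hunk, so its full extent is not visible from either hunk on its own.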

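--- a/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs
+++ b/src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs
@@ -436,7 +436,9 @@ public Options()
 #if !NETSTANDARD2_0 && !NETFRAMEWORK
 SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 }
 }
 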
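--- a/src/libraries/Common/tests/System/Net/SslProtocolSupport.cs
+++ b/src/libraries/Common/tests/System/Net/SslProtocolSupport.cs
@@ -14,9 +14,11 @@ public class SslProtocolSupport
 #if !NETSTANDARD2_0
 SslProtocols.Tls13 |
 #endif
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 
 public const SslProtocols NonTls13Protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#pragma warning restore SYSLIB0039
 
 public static SslProtocols SupportedSslProtocols
 {
@@ -29,6 +31,7 @@ public static SslProtocols SupportedSslProtocols
 supported |= SslProtocols.Ssl3;
 }
 #pragma warning restore 0618
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 if (PlatformDetection.SupportsTls10)
 {
 supported |= SslProtocols.Tls;
@@ -38,6 +41,7 @@ public static SslProtocols SupportedSslProtocols
 {
 supported |= SslProtocols.Tls11;
 }
+#pragma warning restore SYSLIB0039
 
 if (PlatformDetection.SupportsTls12)
 {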

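--- a/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
+++ b/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
@@ -1188,6 +1188,7 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
 }
 #pragma warning restore 0618
 
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 if ((sslProtocols & SslProtocols.Tls) != 0)
 {
 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
@@ -1197,6 +1198,7 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
 {
 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;
 }
+#pragma warning restore SYSLIB0039
 
 if ((sslProtocols & SslProtocols.Tls12) != 0)
 {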
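Review bot: The suppression around the `SslProtocols.Tls` and `SslProtocols.Tls11` mapping branches in `SetSessionHandleTlsOptions` is the one place in this commit where product code translates a caller's explicit request for an obsolete version into a native flag, and the hunk gives no hint whether that is intended to stay. A short comment on the disable line would record the decision for whoever later removes these versions, e.g. `// Presumably callers may still opt into TLS 1.0/1.1 explicitly (they get SYSLIB0039 at their call site); honor the request here rather than silently dropping it.` — the "presumably" is mine, since the policy is not visible from this hunk. The method starts and ends outside the hunk, and the `sslProtocols`/`optionData` locals are declared above it.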

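--- a/src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/WinHttpHandlerTest.cs
+++ b/src/libraries/System.Net.Http.WinHttpHandler/tests/UnitTests/WinHttpHandlerTest.cs
@@ -562,7 +562,9 @@ public void SslProtocols_SetUsingNone_Success()
 
 [Theory]
 [InlineData(
+#pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
 SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
+#pragma warning restore SYSLIB0039
 Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
 Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
 Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2)]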
