From 8070c416ec42d2b6576aea645f90a50b272cf75c Mon Sep 17 00:00:00 2001
From: wfurt
Date: Tue, 12 Apr 2022 22:41:17 +0000
Subject: [PATCH 1/3] improve Tls12 detection on Windows7
---
 .../TestUtilities/System/PlatformDetection.cs | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
index 27e973d5980f40..3209c79b9ae012 100644
--- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
+++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
@@ -361,7 +361,7 @@ private static bool GetIsInContainer()
 return (IsLinux && File.Exists("/.dockerenv"));
 }
 
- private static bool GetProtocolSupportFromWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport)
+ private static bool GetProtocolSupportFromWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport, bool disabledByDefault = false)
 {
 string registryProtocolName = protocol switch
 {
@@ -381,13 +381,18 @@ private static bool GetProtocolSupportFromWindowsRegistry(SslProtocols protocol,
 string serverKey = @$"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{registryProtocolName}\Server";
 
 object client, server;
+ object clientDefault, serverDefault;
 try
 {
 client = Registry.GetValue(clientKey, "Enabled", defaultProtocolSupport ? 1 : 0);
 server = Registry.GetValue(serverKey, "Enabled", defaultProtocolSupport ? 1 : 0);
- if (client is int c && server is int s)
+
+ clientDefault = Registry.GetValue(clientKey, "DisabledByDefault", 1);
+ serverDefault = Registry.GetValue(serverKey, "DisabledByDefault", 1);
+
+ if (client is int c && server is int s && clientDefault is int cd && serverDefault is int sd)
 {
- return c == 1 && s == 1;
+ return (c == 1 && s == 1) && (!disabledByDefault || (cd == 0 && sd == 0));
 }
 }
 catch (SecurityException)
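Review bot: The new `disabledByDefault` parameter on `GetProtocolSupportFromWindowsRegistry` has no comment, and its name reads like the registry value itself rather than an assertion made by the caller. A line above the signature would make the contract clear, for example `// disabledByDefault: the OS ships this protocol turned off, so it counts as supported only when DisabledByDefault is explicitly 0 under both Client and Server.` The function body continues outside this hunk.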
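Review bot: The widened `if` requires `clientDefault is int cd && serverDefault is int sd` even when `disabledByDefault` is false, so a `DisabledByDefault` value that does not come back as an `int` causes the `Enabled` values to be ignored. The result then falls through to whatever follows the `catch`, which is outside this hunk. Keeping the original condition and consulting the defaults only when the flag is set preserves the earlier behaviour for callers that do not pass it: `if (client is int c && server is int s)` with `return c == 1 && s == 1 && (!disabledByDefault || (clientDefault is 0 && serverDefault is 0));`. Because this helper decides which TLS versions the test suite treats as available, a short comment noting that an absent `DisabledByDefault` is read as 1 (disabled) would also make the Windows 7 intent explicit.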
@@ -468,9 +473,18 @@ private static bool GetTls11Support()
 
 private static bool GetTls12Support()
 {
- // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
- bool defaultProtocolSupport = !IsWindows7;
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport);
+ if (IsWindows)
+ {
+ // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
+ if (IsWindows7)
+ {
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, false, true);
+ }
+
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, true);
+ }
+
+ return true;
 }
 
 private static bool GetTls13Support()
From a76693e3edbff0fad9448bf43d0fa39efd0e4884 Mon Sep 17 00:00:00 2001
From: wfurt
Date: Tue, 12 Apr 2022 23:51:39 +0000
Subject: [PATCH 2/3] fix Tls11
---
 .../tests/TestUtilities/System/PlatformDetection.cs | 8 ++++++--
 .../tests/FunctionalTests/SslStreamSystemDefaultsTest.cs | 1 -
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
index 3209c79b9ae012..cdfcddeded8cbe 100644
--- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
+++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
@@ -460,8 +460,12 @@ private static bool GetTls11Support()
 if (IsWindows)
 {
 // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
- bool defaultProtocolSupport = !IsWindows7;
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport);
+ if (IsWindows7)
+ {
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, false, true);
+ }
+
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, true);
 }
 else if (IsOSXLike || IsAndroid)
 {
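Review bot: The new trailing `return true;` in `GetTls12Support` reports TLS 1.2 as available on every non-Windows platform without probing, whereas `GetTls10Support` elsewhere in this series ends with `OpenSslGetTlsSupport(SslProtocols.Tls)`. A host whose crypto policy raises the minimum protocol version would therefore still be reported as supporting TLS 1.2. If `OpenSslGetTlsSupport` accepts `SslProtocols.Tls12` (not visible here), calling it would keep the three helpers consistent. Otherwise the assumption deserves a comment such as `// Assumes TLS 1.2 is always available off Windows; a system policy that raises the minimum version is not detected.` The same line is left unchanged by the `GetTls12Support` hunk in patch 3/3.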
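Review bot: The `if (IsWindows7)` branch added to `GetTls11Support` duplicates the one in `GetTls12Support`, and at every call site the two booleans are exact opposites of each other. A single call expresses the same thing without the branch: `return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport: !IsWindows7, disabledByDefault: IsWindows7);`. The same collapse applies to the `Tls12` helper. The enclosing function continues past the end of this hunk.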
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs
index 69ae4f6f4e26a9..d40bcf91483660 100644
--- a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs
+++ b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamSystemDefaultsTest.cs
@@ -74,7 +74,6 @@ public static IEnumerable OneOrBothUseDefaulData()
 }
 }
 
- [ActiveIssue("https://github.com/dotnet/runtime/issues/67712")]
 [ConditionalTheory]
 [MemberData(nameof(OneOrBothUseDefaulData))]
 public async Task ClientAndServer_OneOrBothUseDefault_Ok(SslProtocols? clientProtocols, SslProtocols? serverProtocols)
From b26ec95433f5adbddf029571f4eefc5517687787 Mon Sep 17 00:00:00 2001
From: wfurt
Date: Tue, 12 Apr 2022 22:24:01 -0700
Subject: [PATCH 3/3] feedback from review
---
 .../TestUtilities/System/PlatformDetection.cs | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
index cdfcddeded8cbe..799a400f5fbfa6 100644
--- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
+++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
@@ -441,14 +441,16 @@ private static bool AndroidGetSslProtocolSupport(SslProtocols protocol)
 
 private static bool GetTls10Support()
 {
- // on Windows, macOS, and Android TLS1.0/1.1 are supported.
+ // on macOS and Android TLS 1.0 is supported.
 if (IsOSXLike || IsAndroid)
 {
 return true;
 }
+
+ // Windows depend on registry, enabled by default on all supported versions.
 if (IsWindows)
 {
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls, true);
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls, defaultProtocolSupport: true);
 }
 
 return OpenSslGetTlsSupport(SslProtocols.Tls);
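Review bot: The added comment `// Windows depend on registry, enabled by default on all supported versions.` states an OS default as fact, and the `defaultProtocolSupport: true` fallback in `GetTls10Support` encodes the same assumption. When the SCHANNEL `Enabled` value is absent, TLS 1.0 is reported as supported. A Windows release that ships TLS 1.0 turned off without writing that value would be misdetected, and tests gated on this helper would then run against a protocol the host refuses. Wording the comment as an assumption makes that dependency visible, for example `// Windows: read the SCHANNEL registry; absent values are assumed to mean enabled (revisit when OS defaults change).`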
@@ -456,17 +458,18 @@ private static bool GetTls10Support()
 
 private static bool GetTls11Support()
 {
- // on Windows, macOS, and Android TLS1.0/1.1 are supported.
 if (IsWindows)
 {
- // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
+ // TLS 1.1 can work on Windows 7 but it is disabled by default.
 if (IsWindows7)
 {
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, false, true);
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport: false, disabledByDefault: true);
 }
 
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, true);
+ // It is enabled on other versions unless explicitly disabled.
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport: true);
 }
+ // on macOS and Android TLS 1.1 is supported.
 else if (IsOSXLike || IsAndroid)
 {
 return true;
@@ -479,13 +482,14 @@ private static bool GetTls12Support()
 {
 if (IsWindows)
 {
- // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default.
+ // TLS 1.2 can work on Windows 7 but it is disabled by default.
 if (IsWindows7)
 {
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, false, true);
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport: false, disabledByDefault: true);
 }
 
- return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, true);
+ // It is enabled on other versions unless explicitly disabled.
+ return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport: true);
 }
 
 return true;