Closed javiercn closed 6 years ago
Yes. The tests were showing Kestrel and HttpClient using different defaults for TLS algorithms/versions and failing to connect. We need to check the matrix of client, server, net461, netcoreapp2.0, and netcoreapp2.1.
@Tratcher Is this because Kestrel is using TLS1.2 and .net461 doesn't support it? Is this a matter of setting ServicePointManager.SecurityProtocol to TLS1.2?
What was the exact mismatch? Is there anything else that can be configured? Should we do anything at all, or just tell full framework clients on net461 (which is, btw, unsupported) to set it to TLS1.2 or to upgrade to a newer (and supported) version of the framework, like 462 or 4.7?
The error did not specify what the mismatch was. I'm debugging it now.
Ok, yes this is an issue with the ServicePointManager.SecurityProtocol default as expected. For net461 it still defaults to SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 (Kestrel's defaults are SslProtocols.Tls12 | SslProtocols.Tls11). The client's defaults were changed in 4.7 https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.6.2-4.7#networking
So the net461 client and server defaults are incompatible. @blowdart This looks like an adoption blocker.
Workaround: change the client or server value.
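As an added illustration of the client-side workaround described in this thread (example code, not from the MetaPackages or Kestrel repos): a net461 console client that explicitly sets ServicePointManager.SecurityProtocol before creating its HttpClient, so the process stops depending on the framework's Tls | Ssl3 default, and, for comparison, the matching Kestrel server configuration that pins the same protocol set. The URL https://localhost:5001/ is a hypothetical placeholder.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

// Added example, not code from the original thread.
// Client side: on net461 the process-wide default is Tls | Ssl3, which cannot
// negotiate with a Kestrel 2.1 server whose default is Tls12 | Tls11.
static class ClientWorkaround
{
    public static async Task<HttpStatusCode> GetAsync(string url /* assumed placeholder */)
    {
        // Log the default so an operator can confirm what the framework picked.
        Console.WriteLine($"Default SecurityProtocol: {ServicePointManager.SecurityProtocol}");

        // Pin the client to the protocols the server actually offers.
        // Deliberately does not re-enable Ssl3 or Tls 1.0; the server defaults
        // are the secure side of the mismatch, so the client is what moves.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;

        using (var client = new HttpClient())
        using (var response = await client.GetAsync(url))
        {
            return response.StatusCode;
        }
    }
}

// Server side: make Kestrel's protocol choice explicit instead of relying on
// the default, so the expected set is visible in configuration and reviews.
static class ServerConfiguration
{
    public static IWebHostBuilder ConfigureKestrelTls(IWebHostBuilder builder)
    {
        return builder.UseKestrel(options =>
        {
            options.ListenLocalhost(5001, listenOptions =>
            {
                listenOptions.UseHttps(httpsOptions =>
                {
                    // Same set the thread reports as Kestrel's default.
                    httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
                });
            });
        });
    }
}
```

Setting ServicePointManager.SecurityProtocol is process-wide and affects every HttpClient and HttpWebRequest in the AppDomain, so it belongs at startup rather than next to an individual request; on 4.7 and later the framework default already matches the server, so the explicit assignment is only needed on the pre-4.7 clients the thread identifies.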
Is this only for 461, or does it also affect 462? If it’s only 461 I don’t think this is a blocker, as 461 is not a supported release. @eilon can confirm. The workaround is to tell customers to change the client. The defaults on the server should be the most current and secure IMO.
You need to change the client. Not the server. Obviously.
I think we can close this as by design and provide guidance on docs. We should file an issue on the docs repo and fill in some details for when the writers get to write docs for 2.1 @Tratcher I leave it up to you.
Everything before 4.7 is affected.
Calling out HttpClient 4.6 in the Kestrel docs seems a bit out of place. Note this is not a new problem, it's been this way since 1.0.0-rc2. https://github.com/aspnet/KestrelHttpServer/issues/637. I don't see any complaints about this in the Kestrel repo or StackOverflow. I'm going to close this for now and we can react if we get additional feedback.
@Tratcher Works for me
From https://github.com/aspnet/MetaPackages/pull/251
Some tests started failing only on net461 with an algorithm conflict. We need to check the default TLS algorithms between a net461 HttpClient and a Core server.
@Tratcher is this accurate?