canneverbe / Ketarin

Ketarin - application download helper
http://ketarin.org/

Fix TLS connection issues #3

Closed franc6 closed 5 years ago

franc6 commented 5 years ago

Enabled only TLS 1.1 and TLS 1.2.

Original issue: By default, only SSL 3.0 and TLS 1.0 are enabled for connections by .NET 4.5.x. Since most servers now reject SSL 3.0 connections, and very few use TLS 1.0, Ketarin fails to download from several sites. Change code to enable only TLS 1.1 and TLS 1.2. TLS 1.1 should still be enabled, since it seems to still be in wide use, even though it, too, is relatively unsafe. This should be revisited at a later point, and only TLS 1.2 (and TLS 1.3 if it's implemented) should be enabled.

floele commented 5 years ago

@franc6 Why is this change necessary? In DoDownload(), Ketarin already uses those default protocols (TLS included, SSL3 excluded). Is this change only about TLS1? Or do you have a situation where you need to change the defaults earlier during lifetime of the application?

franc6 commented 5 years ago

I didn't see the code in Updater.cs, or I would have made the modification there. It's odd, because I was looking for exactly that. Anyway, it was reported to me that several software updates could not be downloaded, based on who was hosting the software. A little research showed the main issue was that TLS 1.0 was enabled. The user reported that everything that previously failed worked after the change. Although I must admit I'm confused by that -- I would expect it to continue to fail. I'll get with the user to verify what exactly failed, and test with just changing Updater.cs. I think that would be more appropriate, but I want to run the code myself. It might also be better to explicitly disable older protocols, rather than explicitly enabling only TLS 1.1 and 1.2.
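The two approaches mentioned in the thread (enable only TLS 1.1/1.2, or keep the current set and strip SSL 3.0/TLS 1.0 out of it) in code. This is an added example, not Ketarin's code from Updater.cs or the commit referenced above; the class and method names are hypothetical. It uses the `ServicePointManager.SecurityProtocol` setting of .NET Framework, which is process-wide and must be set before the first HTTPS request is made, which is why the thread ends up doing it at application startup.

```csharp
// Added example (not Ketarin's own code): choosing which TLS versions a
// .NET Framework 4.5 process will offer. Two styles are shown, matching the
// two options discussed in the pull request: an allow-list that names only
// TLS 1.1/1.2, and a deny-list that keeps whatever is enabled and removes
// SSL 3.0 / TLS 1.0.
using System;
using System.Net;

public static class TlsPolicy   // hypothetical name
{
    // Protocols the thread considers too weak to offer.
    private const SecurityProtocolType Legacy =
        SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;

    // Style 1: allow-list. Anything not named here is never offered.
    public static void EnableModernOnly()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    }

    // Style 2: deny-list. Kept as a pure function so it can be unit-tested
    // without touching process-wide state.
    public static SecurityProtocolType RemoveLegacy(SecurityProtocolType current)
    {
        SecurityProtocolType remaining = current & ~Legacy;

        // On .NET 4.5 the default is exactly Ssl3 | Tls, so masking leaves an
        // empty set. Before 4.7 an empty value is rejected when assigned; from
        // 4.7 on it means "use the OS default". Either way, fall back to the
        // explicit allow-list instead of guessing what the runtime will do.
        if (remaining == 0)
        {
            remaining = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        }
        return remaining;
    }

    public static void DisableLegacy()
    {
        ServicePointManager.SecurityProtocol =
            RemoveLegacy(ServicePointManager.SecurityProtocol);
    }

    // Startup self-check: report whether a legacy protocol is still enabled so
    // the condition shows up in a log line rather than only as a failed
    // download much later.
    public static bool LegacyEnabled()
    {
        return (ServicePointManager.SecurityProtocol & Legacy) != 0;
    }
}
```

Call `TlsPolicy.EnableModernOnly()` or `TlsPolicy.DisableLegacy()` once, before any `WebClient` or `HttpWebRequest` is created; `LegacyEnabled()` afterwards should return false. The deny-list form has the advantage that newer protocol bits (TLS 1.2 on a later runtime, TLS 1.3 where the OS supports it) stay enabled without a code change, which is the concern raised in the original issue text.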

floele commented 5 years ago

@franc6 I noticed an issue myself (fixed in 603875c6501a75ac2d817e50d7987b7352be3b1a): You can get an error if you try creating variables from websites not allowing SSL3 before updating an application because this way the default protocols will not be set correctly yet. I'm now also setting the protocols during startup of the app.

franc6 commented 5 years ago

Sorry, I didn't hear back from the user until Friday, and I was preoccupied with some other stuff. It looks like that was the main issue. Although I'd strongly recommend disabling TLS 1.0, too -- those wishing to be PCI compliant must disable it, and the most common attacks against it have to be mitigated in both client and server. If you are aware of any major servers which only support TLS 1.0, it's past time to name them and convince them to upgrade. It's certainly not a good idea to trust software updates downloaded from such sites. I'd feel better disabling TLS 1.1, too, but my understanding is that it's still too common to see no TLS 1.2 support. :(

Anyway, given your change, this particular pull request no longer makes sense. I'm closing it.

floele commented 5 years ago

If you are aware of any major servers which only support TLS 1.0, it's past time to name them and convince them to upgrade

This is a difficult issue since TLS 1 is not the only problem. Ketarin by default pretty much does not care about security anyway (ignores certificate validation) because there already have been issues with improperly configured servers preventing Ketarin from downloading. At some point it should be decided how to balance security vs. making it just work.
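A middle ground between "ignore certificate validation" and "fail silently" is to keep validation on and make each rejection explain itself, since "improperly configured server" usually means a missing intermediate certificate, a host-name mismatch or an expired certificate, all of which the chain status already describes. The following is an added example, not Ketarin's code; the class name and the `log` callback are hypothetical, and the validation callback it installs is the standard `ServicePointManager.ServerCertificateValidationCallback` of .NET Framework.

```csharp
// Added example (not Ketarin's own code): a certificate validation callback
// that accepts only a clean result and produces a human-readable reason for
// every rejection, so a download failure can be traced to the server's
// configuration instead of being "fixed" by disabling validation.
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class CertificateDiagnostics   // hypothetical name
{
    // The decision and its explanation, separated from the callback so it can
    // be exercised without a live connection.
    public static bool Evaluate(X509Chain chain, SslPolicyErrors errors, out string reason)
    {
        if (errors == SslPolicyErrors.None)
        {
            reason = "ok";
            return true;
        }

        var sb = new StringBuilder();
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            sb.Append("host name does not match certificate; ");
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0)
            sb.Append("server sent no certificate; ");
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            // Each status entry names one concrete problem, e.g.
            // PartialChain (missing intermediate) or NotTimeValid (expired).
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                sb.Append(status.Status).Append(": ")
                  .Append(status.StatusInformation.Trim()).Append("; ");
            }
        }
        reason = sb.ToString();
        return false;   // never accept a certificate that failed validation
    }

    // Installs the process-wide callback; 'log' is whatever the application
    // uses for diagnostics (assumed here, e.g. a method writing to its log).
    public static void Install(Action<string> log)
    {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, certificate, chain, errors) =>
            {
                string reason;
                bool ok = Evaluate(chain, errors, out reason);
                if (!ok)
                {
                    string subject = certificate != null ? certificate.Subject : "(none)";
                    log("TLS certificate rejected for " + subject + ": " + reason);
                }
                return ok;
            };
    }
}
```

With this in place a download from a misconfigured server still fails, but the log line says why, which is what the server operator needs to hear; the outcome for a correctly configured server is unchanged from the default behaviour.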