Upgrade .NET Framework 4.5 to add support for TLS 1.2 #198

Closed
kevingy opened this issue Feb 6, 2018 · 12 comments

@kevingy
Contributor

kevingy commented Feb 6, 2018

I received this issue report via e-mail:

I found SimpleBrowser and followed the sample project navigating http://github.com. I want to be able to do a similar automation of a https website but cannot create the SSL/TLS channel. I have searched for the solution and tried much of what I found but am at the end of my ability. Does SimpleBrowser work with https? Any direction you could provide would be most welcome.

After investigating the problem, the issue was that the site this person was attempting to access requires TLS 1.2; .NET Framework 4.0 (which is what SimpleBrowser and Visual Studio 2010 use) only supports SSL 3.0 and TLS 1.0. Therefore, SimpleBrowser only supports SSL 3.0 and TLS 1.0. SSL 3.0 and TLS 1.0 are both susceptible to the POODLE exploit. The only way to set the SecurityProtocolEnumeration value of Tls12 to ServicePointManager.SecurityProtocol is to upgrade to .NET Framework 4.5 or better. Since @Styxxy has already done the work to upgrade the project files to Visual Studio 2017, the target .NET Framework version for VS 2017 is 4.6.

@kevingy
Contributor Author

kevingy commented Feb 6, 2018

By default, .NET Framework 4.6 uses TLS 1.0, TLS 1.1, or TLS 1.2. After upgrading to .NET Framework 4.6, SimpleBrowser now uses the same default. This is also the same default as Google Chrome, which I have been using as the gold standard for SimpleBrowser comparison. (That is, in my view if Chrome does it, SimpleBrowser should do it the same way.) Google Chrome, however, allows the user to override the default and set the minimum TLS version. Since TLS 1.0 is also susceptible to the POODLE exploit, SimpleBrowser should also allow setting the allowed security protocols (set using the SecurityProtocolEnumeration values).

@kevingy
Contributor Author

kevingy commented Feb 6, 2018

@Teun Will this affect the WebDriver? Will WebDriver need to upgrade to .NET Framework 4.6 as well?

@kevingy kevingy self-assigned this Feb 6, 2018
@Styxxy
Contributor

Styxxy commented Feb 6, 2018

@kevingy
We can now target multiple platforms. You could add an additional target for net461 in the projects and nuget package.

@Teun
Contributor

Teun commented Feb 6, 2018 via email

@kevingy
Contributor Author

kevingy commented Feb 6, 2018

@Styxxy

> We can now target multiple platforms. You could add an additional target for net461 in the projects and nuget package.

We could do that. In my opinion, however, it's time to abandon .NET Framework 4.0. We never had a reason to do so before. Now, knowing that TLS 1.2 isn't supported in .NET Framework 4.0, we have a very good reason.

@kevingy kevingy changed the title from "Upgrade .NET Framework 4.6 to add support for TLS 1.2" to "Upgrade .NET Framework 4.5 (or newer) to add support for TLS 1.2" Feb 6, 2018
@kevingy
Contributor Author

kevingy commented Feb 6, 2018

@Teun

> I think the old 4.0 solution can use the 4.6 binaries,

It can. The change would be to add this to the static Browser() constructor:

ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072;

3072 is the SecurityProtocolType enumeration value for SecurityProtocolType.Tls12 in .NET Framework 4.5 and higher. That line of code adds TLS 1.2 to the allowed protocols. If we wanted to match the .NET Framework 4.5 default, we would also have to remove SSL 3.0 support.

I considered doing just that, but it seemed like a hack with potential problems. If the SimpleBrowser consumer, or the user of an application consuming SimpleBrowser, has only .NET 4.0 installed (because that's what we have said is required), SimpleBrowser will either crash or not work.

I think it's better and cleaner to change the minimum requirement to a newer .NET Framework version. I think that to support the most people, we would go to 4.5 and not all the way to 4.7. Changing from 4.0 to 4.5 is really only one "dot upgrade". This also only moves us forward two years - from 2010 to 2012.

Then, there's also the question of how all of this affects the Mono build.
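
Added example (not part of the thread and not SimpleBrowser code): the `|= 3072` idea from the comment above combined with the configurable minimum protocol version proposed earlier in the issue, refusing to run rather than downgrading when the installed runtime rejects TLS 1.2. `TlsPolicy`, `AllowedMask` and `TryApply` are hypothetical names; the sketch assumes the documented behaviour that the `ServicePointManager.SecurityProtocol` setter throws `NotSupportedException` for a value the runtime does not recognise.

```csharp
using System;
using System.Net;

// Hypothetical helper for illustration; not part of the SimpleBrowser API.
public static class TlsPolicy
{
    // Numeric SecurityProtocolType flag values, so the code compiles against
    // .NET Framework 4.0, whose enum declares only Ssl3 (48) and Tls (192).
    public const int Ssl3 = 48, Tls10 = 192, Tls11 = 768, Tls12 = 3072;

    // Builds the set of allowed protocol flags at or above the requested
    // minimum. SSL 3.0 is never part of the result.
    public static int AllowedMask(int minimum)
    {
        int mask = 0;
        foreach (int protocol in new[] { Tls10, Tls11, Tls12 })
        {
            if (protocol >= minimum) mask |= protocol;
        }
        return mask;
    }

    // Applies the mask to ServicePointManager. Returns false when the
    // installed runtime rejects the value, which is the "only .NET 4.0
    // installed" case raised in the comment above.
    public static bool TryApply(int minimum)
    {
        try
        {
            ServicePointManager.SecurityProtocol =
                (SecurityProtocolType)AllowedMask(minimum);
            return true;
        }
        catch (NotSupportedException)
        {
            return false;
        }
    }

    public static int Main()
    {
        // Fail closed: do not fall back to TLS 1.0 or SSL 3.0 when the
        // runtime cannot negotiate TLS 1.2.
        if (!TryApply(Tls12))
        {
            Console.Error.WriteLine("This runtime cannot enable TLS 1.2.");
            return 1;
        }
        Console.WriteLine("Allowed: " + ServicePointManager.SecurityProtocol);
        return 0;
    }
}
```

Assigning the mask instead of OR-ing into the existing value is what drops SSL 3.0; the original one-liner leaves whatever was already enabled in place.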

@Styxxy
Contributor

Styxxy commented Jul 13, 2018

@kevingy
Do you wish to keep a separate mono build? The library targets netstandard2.0, which is supported in Mono 5.4+ (see also https://docs.microsoft.com/en-us/dotnet/standard/net-standard#net-implementation-support).

@kevingy
Contributor Author

kevingy commented Jul 19, 2018

@Styxxy I'm just seeing your question. My e-mail probably sent the notification from GitHub to spam. Supporting a separate Mono build is probably still needed at least until SimpleBrowser abandons .NET Framework. I don't know if that will ever happen. I don't want to end support for .NET Framework on Mono, especially without discussion with the other contributors and determining what the effects of that decision may be.

@Styxxy
Contributor

Styxxy commented Jul 19, 2018

@kevingy Mono is still supported; but of course you'll have to choose which versions you would still like to support. You can support mono 4.6+ when targeting .NET Standard 1.6 (but losing some degree of functionality) or mono 5.4+, which is already supported through .NET Standard 2.0.

@kevingy kevingy removed their assignment Jul 20, 2018
@kevingy kevingy changed the title from "Upgrade .NET Framework 4.5 (or newer) to add support for TLS 1.2" to "Upgrade .NET Framework 4.5 to add support for TLS 1.2" Jul 29, 2018
@kevingy
Contributor Author

kevingy commented Aug 4, 2018

It looks like this is breaking the sample application. GitHub requires TLS 1.2. As a result, the navigation to github.com, which forwards to https://github.com, fails.

@rkbr

rkbr commented Aug 30, 2018

I am hoping for a solution as soon as possible. Thank you.

@kevingy
Contributor Author

kevingy commented Aug 30, 2018

@rkbr Pull requests are welcomed.
