Use TLS 1.2 for WebProxyRequests #3066
Conversation
|
I don't think you can just force 1.2 as this may be used for other web requests. I normally just put tls12, tls11, tls, ssl3 |
|
Which would you recommend supporting? |
|
@jtrinklein this Bootstrapper is .NET 4.5: https://github.com/fsprojects/Paket/blob/master/src/Paket.Bootstrapper/Paket.Bootstrapper.csproj I believe the default I would suggest turning on TLS1.2 while leaving defaults as-is by replacing your change with: @BlythMeister thoughts? |
| @@ -7,6 +7,7 @@ public class WebRequestProxy : IWebRequestProxy | |||
| { | |||
| public WebRequestProxy() | |||
| { | |||
| ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; | |||
There was a problem hiding this comment.
Suggestion to enable TLS1.2 while leaving other enabled security protocols untouched via:
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
There was a problem hiding this comment.
I would say do this
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
| SecurityProtocolType.Tls11
| SecurityProtocolType.Tls
| SecurityProtocolType.Ssl3;
|
This file https://github.com/fsprojects/Paket/blob/master/src/Paket.Core/Common/Utils.fs has a service point update as I would expect this is in Paket itself, not bootstrapper. |
|
Also, in console apps you typically find this statement in the program.cs above the main function since it's an application wide directive it's logical to live with the main application. |
|
@BlythMeister that compiler if is avoiding setting It appears that So, I think Paket.Core is enabling TLS 1.2 (actually all 4 available protocols in the enum) for the full framework version of Paket. This is my first time jumping into the code, but I see some 'Paket.Core.preview3' stuff with latest commits indicating that there is a .NET Core Paket in the works, which I assume is why the compiler flag is there in the first place. The active (non-preview) Paket.core is .net 4.5 https://github.com/fsprojects/Paket/blob/master/src/Paket.Core/Paket.Core.fsproj, so the All that is to say, I think Paket.Core (main project) enables TLS 1.2 and it was forgotten / not done in the Bootstrapper. I think that enabling all 4 protocols as is done in Paket.core for the full .NET framework is the way to go here. |
|
Adding TLS 1.2 as a supported protocol is a reasonable workaround, but not a permanent fix. When TLS 1.3 (or some other protocol version) becomes available in the OS, you won't be able to make use of it without making a similar change again. The recommended fix is to target .NET 4.7. Then .NET gets out of the way and lets the OS decide what protocols should be available. Another workaround is to set a machine-wide registry key that tells .NET to get out of the way, and lets the OS decide. The problem with this, is that it may adversely impact other .NET apps on the machine that attempt to connect to TLS 1.0 servers that fail when trying to downgrade from a client requesting TLS 1.2. |
|
Looking forward to this - there are lots of failing paket bootstrappers out there now :) |
|
Going for a .net Framework upgrade could have other effects. |
|
As I understand above change will fix only bootstraper, so we propbably will have another bunch of problems with |
|
Please send pull requests. |
|
gist references should be ok, as https://github.com/fsprojects/Paket/blob/master/src/Paket.Core/Common/Utils.fs has the settings set. |
This fixes the issue caused by Github removing support for weak cryptographic standards. https://githubengineering.com/crypto-removal-notice/
Fixes issue #3065