SimpleBrowserDotNet/SimpleBrowser

Upgrade .NET Framework 4.5 to add support for TLS 1.2

kevingy opened this issue · 12 comments

I received this issue report via e-mail:

I found SimpleBrowser and followed the sample project navigating http://github.com. I want to be able to do a similar automation of a https website but cannot create the SSL/TLS channel. I have searched for the solution and tried much of what I found but am at the end of my ability. Does SimpleBrowser work with https? Any direction you could provide would be most welcome.

After investigating the problem, the issue was that the site this person was attempting to access requires TLS 1.2. .NET Framework 4.0 (which is what SimpleBrowser and Visual Studio 2010 use) only supports SSL 3.0 and TLS 1.0. Therefore, SimpleBrowser only supports SSL 3.0 and TLS 1.0. SSL 3.0 and TLS 1.0 are both susceptible to the POODLE exploit. The only way to set the SecurityProtocolEnumeration value of Tls12 to ServicePointManager.SecurityProtocol is to upgrade to .NET Framework 4.5 or better. Since @Styxxy has already done the work to upgrade the project files to Visual Studio 2017, the target .NET Framework version for VS 2017 is 4.6.

By default, .NET Framework 4.6 uses TLS 1.0, TLS 1.1, or TLS 1.2. After upgrading to .NET Framework 4.6, SimpleBrowser now uses the same default. This is also the same default as Google Chrome, which I have been using as the gold standard for SimpleBrowser comparison. (That is, in my view if Chrome does it, SimpleBrowser should do it the same way.) Google Chrome, however, allows the user to override the default and set the minimum TLS version. Since TLS 1.0 is also susceptible to the POODLE exploit, SimpleBrowser should also allow setting the allowed security protocols (set using the SecurityProtocolEnumeration values).

@Teun Will this affect the WebDriver? Will WebDriver need to upgrade to .NET Framework 4.6 as well?

@kevingy
We can now target multiple platforms. You could add an additional target for net461 in the projects and nuget package.

Teun commented

@Styxxy

We can now target multiple platforms. You could add an additional target for net461 in the projects and nuget package.

We could do that. In my opinion, however, it's time to abandon .NET Framework 4.0. We never had a reason to do so before. Now, knowing that TLS 1.2 isn't supported in .NET Framework 4.0, we have a very good reason.

@Teun

I think the old 4.0 solution can use the 4.6 binaries,

It can. The change would be to add this to the static Browser() constructor:

ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072;

3072 is the SecurityProtocolType enumeration value for SecurityProtocolType.Tls12 in .NET Framework 4.5 and higher. That line of code adds TLS 1.2 to the allowed protocols. If we wanted to match the .NET Framework 4.5 default, we would also have to remove SSL 3.0 support.

I considered doing just that, but it seemed like a hack with potential problems. If the SimpleBrowser consumer, or the user of an application consuming SimpleBrowser, has only .NET 4.0 installed (because that's what we have said is required), SimpleBrowser will either crash or not work.

I think it's better and cleaner to change the minimum requirement to a newer .NET Framework version. I think that to support the most people, we would go to 4.5 and not all the way to 4.7. Changing from 4.0 to 4.5 is really only one "dot upgrade". This also only moves us forward two years - from 2010 to 2012.

Then, there's also the question of how all of this affects the Mono build.
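An added example, not SimpleBrowser code, of the two points in the comment above: allowing TLS 1.2 through the numeric value 3072 while letting the caller choose a minimum protocol version, and failing cleanly instead of crashing on a runtime that cannot accept the value. `TlsPolicy`, `MinimumTls`, `Mask` and `TryApply` are hypothetical names.

```csharp
using System;
using System.Net;

// Hypothetical helper, not part of SimpleBrowser.
public static class TlsPolicy
{
    // Numeric SecurityProtocolType values, so this also compiles against
    // .NET Framework 4.0, whose enum has no Tls11 or Tls12 member.
    private const int Ssl3 = 48, Tls10 = 192, Tls11 = 768, Tls12 = 3072;
    private const int Known = Ssl3 | Tls10 | Tls11 | Tls12;

    public enum MinimumTls { Tls10, Tls11, Tls12 }

    // Pure function: computes the new protocol mask from the current one.
    public static int Mask(int current, MinimumTls minimum)
    {
        int allowed = Tls12;
        if (minimum <= MinimumTls.Tls11) allowed |= Tls11;
        if (minimum == MinimumTls.Tls10) allowed |= Tls10;
        // SSL 3.0 and everything below the minimum is cleared; bits this
        // helper does not know (newer protocol versions) are left alone.
        return (current & ~Known) | allowed;
    }

    // Applies the mask to new connections made in this AppDomain.
    public static bool TryApply(MinimumTls minimum)
    {
        int current = (int)ServicePointManager.SecurityProtocol;
        try
        {
            ServicePointManager.SecurityProtocol =
                (SecurityProtocolType)Mask(current, minimum);
            return true;
        }
        catch (NotSupportedException)
        {
            // The setter throws when the installed runtime does not
            // support the requested value, so report that to the caller.
            return false;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        bool ok = TlsPolicy.TryApply(TlsPolicy.MinimumTls.Tls12);
        Console.WriteLine(ok ? "Minimum protocol: TLS 1.2" : "TLS 1.2 unavailable on this runtime");
    }
}
```

The setting only affects connections opened after it is applied, so it belongs in a static constructor or application start-up, before the first request.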

@kevingy
Do you wish to keep a separate mono build? The library targets netstandard2.0, which is supported in Mono 5.4+ (see also https://docs.microsoft.com/en-us/dotnet/standard/net-standard#net-implementation-support ).

@Styxxy I'm just seeing your question. My e-mail probably sent the notification from GitHub to spam. Supporting a separate Mono build is probably still needed at least until SimpleBrowser abandons .NET Framework. I don't know if that will ever happen. I don't want to end support for .NET Framework on Mono, especially without discussion with the other contributors and determining what the effects of that decision may be.

@kevingy Mono is still supported; but of course you'll have to choose which versions you would still like to support. You can support mono 4.6+ when targeting .NET Standard 1.6 (but losing some degree of functionality) or mono 5.4+, which is already supported through .NET Standard 2.0.

It looks like this is breaking the sample application. GitHub requires TLS 1.2. As a result, the navigation to github.com, which forwards to https://github.com, fails.

rkbr commented

I am hoping for a solution as soon as possible. Thank you.

@rkbr Pull requests are welcomed.