From 4ff8086cfbe3b0793ec39cc8b79124e5f83d1f27 Mon Sep 17 00:00:00 2001
From: Jan Jahoda
Date: Fri, 8 Oct 2021 11:16:14 +0200
Subject: [PATCH 1/4] CI matrix change: add Windows Server 2022
---
 eng/pipelines/libraries/helix-queues-setup.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/eng/pipelines/libraries/helix-queues-setup.yml b/eng/pipelines/libraries/helix-queues-setup.yml
index 5a82951839ff4a..36a602aaad0f89 100644
--- a/eng/pipelines/libraries/helix-queues-setup.yml
+++ b/eng/pipelines/libraries/helix-queues-setup.yml
@@ -128,6 +128,7 @@ jobs:
 - Windows.81.Amd64.Open
 - Windows.10.Amd64.ServerRS5.Open
 - Windows.10.Amd64.Server19H1.Open
+ - Windows.Amd64.Server2022.Open
 - ${{ if ne(parameters.jobParameters.runtimeFlavor, 'mono') }}:
 - (Windows.Nano.1809.Amd64.Open)windows.10.amd64.serverrs5.open@mcr.microsoft.com/dotnet-buildtools/prereqs:nanoserver-1809-helix-amd64-08e8e40-20200107182504
 - (Windows.Server.Core.1909.Amd64.Open)windows.10.amd64.server20h1.open@mcr.microsoft.com/dotnet-buildtools/prereqs:windowsservercore-2004-helix-amd64-20200904200251-272704c
From 21434c226d0fe805e8b4ac09e4201536cb09a12c Mon Sep 17 00:00:00 2001
From: Jan Jahoda
Date: Mon, 18 Oct 2021 16:49:42 +0200
Subject: [PATCH 2/4] Add registry check for ssl3 - tls1.2 tests
---
 .../TestUtilities/System/PlatformDetection.cs | 94 +++++++++++--------
 1 file changed, 55 insertions(+), 39 deletions(-)
diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
index 77496e80d24c7c..fe40881fb4f8ea 100644
--- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
+++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs
@@ -333,34 +333,57 @@ private static bool GetIsInContainer() return (IsLinux && File.Exists("/.dockerenv")); } - private static bool GetSsl3Support() + private static bool GetProtocolSupportFormWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport) { - if (IsWindows) + string registryProtocolName = protocol switch { - string clientKey = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"; - string serverKey = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"; - - object client, server; - try - { - client = Registry.GetValue(clientKey, "Enabled", null); - server = Registry.GetValue(serverKey, "Enabled", null); - } - catch (SecurityException) - { - // Insufficient permission, assume that we don't have SSL3 (since we aren't exactly sure) - return false; - } - +#pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete + SslProtocols.Ssl3 => "SSL 3.0", +#pragma warning restore CS0618 + SslProtocols.Tls => "TLS 1.0", + SslProtocols.Tls11 => "TLS 1.1", + SslProtocols.Tls12 => "TLS 1.2", + SslProtocols.Tls13 => "TLS 1.3", + _ => throw new Exception($"Registry key not defined for {protocol}.") + }; + + string clientKey = @$"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{registryProtocolName}\Client"; + string serverKey = @$"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\{registryProtocolName}\Server"; + + object client, server; + try + { + client = Registry.GetValue(clientKey, "Enabled", defaultProtocolSupport ? 1 : 0); + server = Registry.GetValue(serverKey, "Enabled", defaultProtocolSupport ? 
1 : 0); if (client is int c && server is int s) { return c == 1 && s == 1; } + } + catch (SecurityException) + { + // Insufficient permission, assume that we don't have protocol support (since we aren't exactly sure) + return false; + } + catch { } + + return defaultProtocolSupport; + } + + private static bool GetSsl3Support() + { + if (IsWindows) + { // Missing key. If we're pre-20H1 then assume SSL3 is enabled. // Otherwise, disabled. (See comments on https://github.com/dotnet/runtime/issues/1166) // Alternatively the returned values must have been some other types. - return !IsWindows10Version2004OrGreater; + bool ssl3DefaultSupport = !IsWindows10Version2004OrGreater; + +#pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete + return GetProtocolSupportFormWindowsRegistry(SslProtocols.Ssl3, ssl3DefaultSupport); +#pragma warning restore CS0618 + } return (IsOSX || (IsLinux && OpenSslVersion < new Version(1, 0, 2) && !IsDebian)); @@ -384,9 +407,13 @@ private static bool AndroidGetSslProtocolSupport(SslProtocols protocol) private static bool GetTls10Support() { // on Windows, macOS, and Android TLS1.0/1.1 are supported. - if (IsWindows || IsOSXLike || IsAndroid) + if (IsOSXLike || IsAndroid) { return true; + } + if (IsWindows) + { + return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls, true); } return OpenSslGetTlsSupport(SslProtocols.Tls); @@ -394,11 +421,12 @@ private static bool GetTls10Support() private static bool GetTls11Support() { - // on Windows, macOS, and Android TLS1.0/1.1 are supported. - // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default. + // on Windows, macOS, and Android TLS1.0/1.1 are supported. if (IsWindows) { - return !IsWindows7; + // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default. + bool defaultProtocolSupport = !IsWindows7; + return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport); } else if (IsOSXLike || IsAndroid) { 
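Review bot: In `GetProtocolSupportFormWindowsRegistry`, an explicit `Enabled = 0` on one side is ignored when the other side's key is absent, because the combined test `client is int c && server is int s` fails and the method falls through to `return defaultProtocolSupport;`. `Registry.GetValue` returns null when the subkey itself does not exist, so the default passed to it only covers a missing value under an existing key. With a `true` default the helper then reports a protocol as usable on a host where only the Client or only the Server half was disabled, and the TLS tests gated on it run against a configuration that cannot negotiate. Evaluating each side on its own closes that gap, e.g. `bool clientOn = client is int c ? c != 0 : defaultProtocolSupport;` and the same for `server`, then `return clientOn && serverOn;`. Comparing with `!= 0` instead of `== 1` also covers hosts that enable a protocol with another non-zero DWORD, which I believe Schannel accepts.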
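Review bot: The comment `// on Windows, macOS, and Android TLS1.0/1.1 are supported.` kept at the top of `GetTls10Support`, and again in `GetTls11Support` in the following hunk, no longer describes the Windows branch, which now consults the registry. I would reword it to `// macOS and Android always support TLS 1.0/1.1; on Windows the SCHANNEL registry settings decide.` The bare `true` passed as the fallback would read better as a named local like the other callers use, `bool defaultProtocolSupport = true;`, with a short comment that it assumes an OS image where TLS 1.0 is still enabled out of the box.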
@@ -411,7 +439,8 @@ private static bool GetTls11Support() private static bool GetTls12Support() { // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default. - return !IsWindows7; + bool defaultProtocolSupport = !IsWindows7; + return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport); } private static bool GetTls13Support() @@ -422,25 +451,12 @@ private static bool GetTls13Support() { return false; } - - string clientKey = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client"; - string serverKey = @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server"; - - object client, server; - try - { - client = Registry.GetValue(clientKey, "Enabled", null); - server = Registry.GetValue(serverKey, "Enabled", null); - if (client is int c && server is int s) - { - return c == 1 && s == 1; - } - } - catch { } // assume no if positive entry is missing on older Windows // Latest insider builds have TLS 1.3 enabled by default. // The build number is approximation. - return IsWindows10Version2004Build19573OrGreater; + bool defaultProtocolSupport = IsWindows10Version2004Build19573OrGreater; + + return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls13, defaultProtocolSupport); } else if (IsOSX || IsMacCatalyst || IsiOS || IstvOS) { From 5f92ecfc8747fb4a3ec7a6335d23b4b29a2bdc08 Mon Sep 17 00:00:00 2001 From: Jan Jahoda Date: Thu, 21 Oct 2021 15:28:19 +0200 Subject: [PATCH 3/4] Disable TLS1.3 on framework code --- .../Common/tests/TestUtilities/System/PlatformDetection.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs index fe40881fb4f8ea..191814ecf4a996 100644 --- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs 
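Review bot: `GetTls12Support` calls the registry helper without an `IsWindows` check, unlike `GetSsl3Support`, `GetTls10Support` and `GetTls11Support` in the same patch. On other platforms the result then depends on the helper's bare `catch { }` absorbing whatever `Registry.GetValue` does there (presumably a PlatformNotSupportedException), which hides the intent and would start failing if that catch is ever narrowed. A guard ahead of the lookup keeps the previous non-Windows answer explicit: `if (!IsWindows) { return true; }`.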
+++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs @@ -343,7 +343,9 @@ private static bool GetProtocolSupportFormWindowsRegistry(SslProtocols protocol, SslProtocols.Tls => "TLS 1.0", SslProtocols.Tls11 => "TLS 1.1", SslProtocols.Tls12 => "TLS 1.2", +#if !NETFRAMEWORK SslProtocols.Tls13 => "TLS 1.3", +#endif _ => throw new Exception($"Registry key not defined for {protocol}.") }; @@ -456,7 +458,12 @@ private static bool GetTls13Support() // The build number is approximation. bool defaultProtocolSupport = IsWindows10Version2004Build19573OrGreater; +#if NETFRAMEWORK + return false; +#else return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls13, defaultProtocolSupport); +#endif + } else if (IsOSX || IsMacCatalyst || IsiOS || IstvOS) { From af9bbce6fb42e4932ccedca3c4623aaa4f757c8c Mon Sep 17 00:00:00 2001 From: Jan Jahoda Date: Thu, 25 Nov 2021 14:16:10 +0100 Subject: [PATCH 4/4] Fix typo --- .../tests/TestUtilities/System/PlatformDetection.cs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs index befa542376fc01..48598ad4becd09 100644 --- a/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs +++ b/src/libraries/Common/tests/TestUtilities/System/PlatformDetection.cs @@ -333,7 +333,7 @@ private static bool GetIsInContainer() return (IsLinux && File.Exists("/.dockerenv")); } - private static bool GetProtocolSupportFormWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport) + private static bool GetProtocolSupportFromWindowsRegistry(SslProtocols protocol, bool defaultProtocolSupport) { string registryProtocolName = protocol switch { 
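Review bot: In `GetTls13Support` the new `#if NETFRAMEWORK` branch returns `false` without saying why, and on that target the `defaultProtocolSupport` local and the two comments above it no longer influence the result. A one-line comment would help, for example `// SslProtocols.Tls13 is not usable in the .NET Framework build of this helper, so report TLS 1.3 as unsupported.`, adjusted to the actual reason, which the patch does not state. Moving the local inside the `#else` branch would keep the framework build free of an unused variable. The function starts and ends outside this hunk.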
@@ -383,7 +383,7 @@ private static bool GetSsl3Support() bool ssl3DefaultSupport = !IsWindows10Version2004OrGreater; #pragma warning disable CS0618 // Ssl2 and Ssl3 are obsolete - return GetProtocolSupportFormWindowsRegistry(SslProtocols.Ssl3, ssl3DefaultSupport); + return GetProtocolSupportFromWindowsRegistry(SslProtocols.Ssl3, ssl3DefaultSupport); #pragma warning restore CS0618 } @@ -415,7 +415,7 @@ private static bool GetTls10Support() } if (IsWindows) { - return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls, true); + return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls, true); } return OpenSslGetTlsSupport(SslProtocols.Tls); @@ -428,7 +428,7 @@ private static bool GetTls11Support() { // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default. bool defaultProtocolSupport = !IsWindows7; - return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport); + return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls11, defaultProtocolSupport); } else if (IsOSXLike || IsAndroid) { @@ -442,7 +442,7 @@ private static bool GetTls12Support() { // TLS 1.1 and 1.2 can work on Windows7 but it is not enabled by default. bool defaultProtocolSupport = !IsWindows7; - return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport); + return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls12, defaultProtocolSupport); } private static bool GetTls13Support() @@ -461,7 +461,7 @@ private static bool GetTls13Support() #if NETFRAMEWORK return false; #else - return GetProtocolSupportFormWindowsRegistry(SslProtocols.Tls13, defaultProtocolSupport); + return GetProtocolSupportFromWindowsRegistry(SslProtocols.Tls13, defaultProtocolSupport); #endif }