From a06eedcbfc80c11b751d7cad20e3d9940b2bff67 Mon Sep 17 00:00:00 2001
From: Jens Geyer
Date: Thu, 16 Nov 2023 23:23:04 +0100
Subject: [PATCH] THRIFT-5743 add TLS1.3 to default protocols where available

Client: netstd
Patch: Jens Geyer
---
 .../Transport/Client/TTlsSocketTransport.cs | 23 ++++++++++++++-----
 .../Server/TTlsServerSocketTransport.cs | 4 ++--
 test/netstd/Client/TestClient.cs | 2 +-
 test/netstd/Server/TestServer.cs | 2 +-
 4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/lib/netstd/Thrift/Transport/Client/TTlsSocketTransport.cs b/lib/netstd/Thrift/Transport/Client/TTlsSocketTransport.cs
index e3da6f4c264..bda12900798 100644
--- a/lib/netstd/Thrift/Transport/Client/TTlsSocketTransport.cs
+++ b/lib/netstd/Thrift/Transport/Client/TTlsSocketTransport.cs
@@ -16,6 +16,7 @@
 // under the License.
 using System;
+using System.Diagnostics;
 using System.Net;
 using System.Net.Security;
 using System.Net.Sockets;
@@ -43,11 +44,19 @@ public class TTlsSocketTransport : TStreamTransport
 private SslStream _secureStream;
 private int _timeout;
+ #if NET7_0_OR_GREATER
+ public const SslProtocols DefaultSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
+ #else
+ public const SslProtocols DefaultSslProtocols = SslProtocols.Tls12;
+ #endif
+
+
 public TTlsSocketTransport(TcpClient client, TConfiguration config, X509Certificate2 certificate,
 bool isServer = false,
 RemoteCertificateValidationCallback certValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = DefaultSslProtocols)
 : base(config)
 {
 _client = client;
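Review bot: `using System.Diagnostics;` is added, but nothing else in this patch references a `System.Diagnostics` type, so unless the rest of the file (not visible in the hunk) needs it this looks like a leftover directive that should be dropped. If it is intended for a `Debug.Assert` elsewhere, a word in the commit message would avoid the question.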
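Review bot: `DefaultSslProtocols` is a public `const`, so its value is inlined into every assembly compiled against this library; because the value depends on `NET7_0_OR_GREATER`, a caller built against the netstandard build keeps `Tls12` alone even when it later runs on a .NET 7+ runtime, and a future change to the default only reaches callers that recompile. A `static readonly` field would avoid the inlining but cannot serve as a default parameter value, so the practical alternative is defaulting `sslProtocols` to `SslProtocols.None` (what analyzer rule CA5398 recommends for hard-coded protocol values), which lets the runtime negotiate TLS 1.3 wherever the OS supports it without a per-target `#if`, at the cost of relying on host policy to keep TLS 1.0/1.1 disabled; if the explicit constant is kept, document that trade-off. As far as I know `SslProtocols.Tls13` has been in the enum since .NET Core 3.0, so if the library also targets net6.0 the gate could be `NETCOREAPP3_0_OR_GREATER` instead of `NET7_0_OR_GREATER`; please confirm against the project's target frameworks. The new public constant has no XML doc; I would add `/// <summary>Protocols offered when a caller omits <c>sslProtocols</c>: TLS 1.2, plus TLS 1.3 on target frameworks where <see cref="SslProtocols.Tls13"/> is available. Being a <c>const</c>, the value is fixed in the referencing assembly at compile time.</summary>`. The same default is inherited by the remaining constructor hunks in this file and by both `TTlsServerSocketTransport` hunks, and the two blank `+` lines after `#endif` (like the two added at the end of `Close()`) look like leftover whitespace.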
@@ -74,7 +83,7 @@ public TTlsSocketTransport(IPAddress host, int port, TConfiguration config,
 string certificatePath,
 RemoteCertificateValidationCallback certValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = DefaultSslProtocols)
 : this(host, port, config, 0,
 new X509Certificate2(certificatePath),
 certValidator,
@@ -87,7 +96,7 @@ public TTlsSocketTransport(IPAddress host, int port, TConfiguration config,
 X509Certificate2 certificate = null,
 RemoteCertificateValidationCallback certValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = DefaultSslProtocols)
 : this(host, port, config, 0,
 certificate,
 certValidator,
@@ -100,7 +109,7 @@ public TTlsSocketTransport(IPAddress host, int port, TConfiguration config, int
 X509Certificate2 certificate,
 RemoteCertificateValidationCallback certValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = DefaultSslProtocols)
 : base(config)
 {
 _host = host;
@@ -118,7 +127,7 @@ public TTlsSocketTransport(string host, int port, TConfiguration config, int tim
 X509Certificate2 certificate,
 RemoteCertificateValidationCallback certValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = DefaultSslProtocols)
 : base(config)
 {
 try
@@ -237,7 +246,7 @@ public async Task SetupTlsAsync()
 {
 // Client authentication
 var certs = _certificate != null
- ? new X509CertificateCollection {_certificate}
+ ? new X509CertificateCollection { _certificate }
 : new X509CertificateCollection();
 var targetHost = _targetHost ?? _host.ToString();
@@ -269,5 +278,7 @@ public override void Close()
 _secureStream = null;
 }
 }
+
+
 }
 }
diff --git a/lib/netstd/Thrift/Transport/Server/TTlsServerSocketTransport.cs b/lib/netstd/Thrift/Transport/Server/TTlsServerSocketTransport.cs
index 2b7f80cd167..0f72438e802 100644
--- a/lib/netstd/Thrift/Transport/Server/TTlsServerSocketTransport.cs
+++ b/lib/netstd/Thrift/Transport/Server/TTlsServerSocketTransport.cs
@@ -43,7 +43,7 @@ public TTlsServerSocketTransport(
 X509Certificate2 certificate,
 RemoteCertificateValidationCallback clientCertValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = TTlsSocketTransport.DefaultSslProtocols)
 : base(config)
 {
 if (!certificate.HasPrivateKey)
@@ -65,7 +65,7 @@ public TTlsServerSocketTransport(
 X509Certificate2 certificate,
 RemoteCertificateValidationCallback clientCertValidator = null,
 LocalCertificateSelectionCallback localCertificateSelectionCallback = null,
- SslProtocols sslProtocols = SslProtocols.Tls12)
+ SslProtocols sslProtocols = TTlsSocketTransport.DefaultSslProtocols)
 : this(null, config, certificate, clientCertValidator, localCertificateSelectionCallback, sslProtocols)
 {
 try
diff --git a/test/netstd/Client/TestClient.cs b/test/netstd/Client/TestClient.cs
index 183cfb43063..3bf2daaae48 100644
--- a/test/netstd/Client/TestClient.cs
+++ b/test/netstd/Client/TestClient.cs
@@ -257,7 +257,7 @@ public TTransport CreateTransport()
 trans = new TTlsSocketTransport(host, port, Configuration, 0, cert,
 (sender, certificate, chain, errors) => true,
- null, SslProtocols.Tls12);
+ null);
 break;
 case TransportChoice.Socket:
diff --git a/test/netstd/Server/TestServer.cs b/test/netstd/Server/TestServer.cs
index fdbaa9718a4..a540d1919bf 100644
--- a/test/netstd/Server/TestServer.cs
+++ b/test/netstd/Server/TestServer.cs
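Review bot: With the explicit `SslProtocols.Tls12` argument removed from the `TestClient.cs` hunk, the cross test no longer pins or reports which protocol version is actually negotiated, so a build where `DefaultSslProtocols` silently falls back to TLS 1.2 only (for example one where `NET7_0_OR_GREATER` is not defined) would pass unnoticed. Since enabling TLS 1.3 is the point of the change, consider logging the negotiated version after the handshake via `SslStream.SslProtocol` on the established stream, or adding a test that expects TLS 1.3 on targets where the default includes it. The same applies to the `TestServer.cs` hunk, and `CreateTransport` continues outside this hunk.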
@@ -606,7 +606,7 @@ public static async Task Execute(List args)
 trans = new TTlsServerSocketTransport(param.port, Configuration, cert,
 (sender, certificate, chain, errors) => true,
- null, SslProtocols.Tls12);
+ null);
 break;
 case TransportChoice.Socket: