Added TLS 1.1 and TLS 1.2 Support #10
Hi! Thanks for the contribution. What OS were you running on that you needed to add this option, as it's my understanding that the .NET framework by default chooses the highest version supported by the OS - so it's only on old instances of Windows that it's necessary to add this (I remember having to do it on a Windows 2008 server). So I'm not sure I will merge this in, as I believe it could limit what versions of TLS are used when TLS1.3 is common. See: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls Any thoughts?
I’m at the Government of Alberta and we’re using Server 2016. However, we use an appliance called Big-IP for load balancing as well as HTTPS provisioning (we don’t actually install certs on the boxes) and that’s where we encounter issues.
Since Umbraco has a target framework of 4.5, even though we use .NET 4.7 Umbraco doesn’t automatically upgrade our TLS requests when using things like the HttpClient (we’re using mainly Umbraco 7.4 – 7.6 at the moment) and so our requests have been failing now that the organization has forced TLS 1.2 upon us (through Big-IP). Which was an easy fix by adding the same code I added to your solution but didn’t work for your package as it’s a separate assembly. And the businesses have been getting TLS errors with the tool since the switch to TLS 1.2.
I suppose I could have used the AppContext switches in that article to force the latest version of TLS, but since it’s a compound assignment bitwise operator it’s only adding to the existing set of flags on the ServicePointManager, not overriding or replacing the flags, adding them if they do not exist. I also didn’t want to create issues with TLS 1.3 or targeting a newer version of the framework in case we upgraded our Umbraco instances. If the ServicePointManager already has those flags set (and more) it won’t do anything that affects those. (|= vs =)
I searched around but couldn’t find anyone else that encountered this error with your package so we must be an edge case.
Let me see if I can reproduce the error. I should be able to use IIS Crypto to disable everything but TLS 1.2 on one of my own sites and see if I get the same behavior. I’m pretty sure the majority of people just leave those old protocols on. As we’re government we get a little weird about security.
Hi there in Alberta! You may be right that TLS is also tied to .NET Framework. I know on our previous Windows 2008 server with .NET 4.5.2 we sometimes had these TLS issues, but since moving to 2016 and .NET 4.7.2 we haven't. I guess one way around the issue would be to make this a configuration value. There is a JSON config file (https://github.com/DanDiplo/Diplo.LinkChecker/blob/master/Diplo.LinkChecker/App_Plugins/Diplo.LinkChecker/config.js) that the site uses, so I guess this could have a flag whether to enable/disable specific TLS versions?
That’s actually a great idea. Don’t know if you need to go so specific as to versions of TLS, could be something like “Enable TLS 1.1/1.2”
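The `|=` versus `=` behaviour and the configuration flag discussed in this thread, as an added example that is not code from the pull request or from Diplo.LinkChecker: the `EnsureTls` helper and its `enableTls11And12` parameter are hypothetical, and the starting values are constructed. It assumes .NET Framework, where `ServicePointManager.SecurityProtocol` governs outgoing requests, and also covers `SystemDefault` (value 0, the default for apps targeting 4.7 or later), where a plain OR pins the process to the added versions.

```csharp
using System;
using System.Net;

static class TlsProtocolDemo
{
    // Numeric casts so this compiles on frameworks that predate the named members.
    const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;   // .NET Framework 4.7+
    const SecurityProtocolType Tls13 = (SecurityProtocolType)12288;       // .NET Framework 4.8+

    // Hypothetical helper: returns the value to store in ServicePointManager.SecurityProtocol.
    // enableTls11And12 stands in for the configuration flag proposed in the thread.
    static SecurityProtocolType EnsureTls(SecurityProtocolType current, bool enableTls11And12)
    {
        if (!enableTls11And12) return current;
        // SystemDefault is 0, so OR-ing flags into it yields exactly those flags and
        // stops the OS from choosing the protocol. Leave it untouched.
        if (current == SystemDefault) return current;
        // OR adds the missing bits and keeps every bit already set,
        // including weaker ones such as Ssl3 and Tls (1.0): it never removes anything.
        return current | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    }

    static void Main()
    {
        // Constructed starting values, not read from a real server.
        var legacy = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls; // default for apps targeting 4.5
        var modern = SecurityProtocolType.Tls12 | Tls13;

        Console.WriteLine("legacy, |=       : " + EnsureTls(legacy, true));
        Console.WriteLine("modern, |=       : " + EnsureTls(modern, true));  // Tls13 bit survives
        Console.WriteLine("modern, =        : "
            + (SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12));    // Tls13 bit lost
        Console.WriteLine("default, naive |=: "
            + (SystemDefault | SecurityProtocolType.Tls12));                 // pinned to Tls12 only
        Console.WriteLine("default, guarded : " + EnsureTls(SystemDefault, true));

        // Applying the guarded form to the live process setting:
        ServicePointManager.SecurityProtocol =
            EnsureTls(ServicePointManager.SecurityProtocol, true);
    }
}
```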
Hi Dan, I had to update the support for TLS 1.1 and 1.2 for our use with one of my clients. Thought I would create a PR to integrate into the main branch.