SslStream AuthenticateAsClient override with SslProtocols incorrectly says that the method authenticates with None #10671

Open
rob-beardsworth opened this issue Nov 11, 2024 · 4 comments
Labels
area-System.Net.Security Pri3 Indicates issues/PRs that are low priority untriaged New issue has not been triaged by the area owner

Comments

@rob-beardsworth

Type of issue

Other (describe below)

Description

In the Remarks section of the SslStream.AuthenticateAsClient (last override - including the enabledSslProtocols parameter) there is the following:

Starting with .NET Framework 4.7, this method authenticates using None, which allows the operating system to choose the best protocol to use, and to block protocols that are not secure. In .NET Framework 4.6 (and .NET Framework 4.5 with the latest security patches installed), the allowed TLS/SSL protocols versions are 1.2, 1.1, and 1.0 (unless you disable strong cryptography by editing the Windows Registry).

This appears to be a cut and paste from the first 3 overrides which do NOT include the enabledSslProtocols parameter. The statement is incorrect in that this override authenticates using the value of the enabledSslProtocols - NOT the value SslProtocols.None.

Page URL

https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=net-8.0

Content source URL

https://github.com/dotnet/dotnet-api-docs/blob/main/xml/System.Net.Security/SslStream.xml

Document Version Independent Id

539931f5-83fa-16f5-0f22-201c5fa3cc33

Article author

@karelz

@issues-automation issues-automation bot added the Pri3 Indicates issues/PRs that are low priority label Nov 11, 2024
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-System.Security Issues related to security practices for .NET developers. label Nov 11, 2024
@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Nov 11, 2024
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones

@bartonjs bartonjs added area-System.Net.Security and removed area-System.Security Issues related to security practices for .NET developers. labels Nov 11, 2024
Contributor

Tagging subscribers to this area: @dotnet/ncl, @vcsjones

@ManickaP
Member

This is the overload https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=net-8.0#system-net-security-sslstream-authenticateasclient(system-string-system-security-cryptography-x509certificates-x509certificatecollection-system-security-authentication-sslprotocols-system-boolean)
It has the parameters to specify the SslProtocols so the default doesn't apply.

Also, it'd be nice to better specify the protocols and explicitly say it's TLS (I know the version numbers do not overlap with SSL, but still) and probably mention TLS 1.3 is used when supported:

the allowed TLS/SSL protocols versions are 1.2, 1.1, and 1.0

the allowed TLS/SSL protocols versions are TLS 1.3 (when supported), 1.2, 1.1, and 1.0.

cc @wfurt @rzikm

@wfurt
Member

wfurt commented Nov 12, 2024

We should delete the extra remarks. For example, the first overload with SslClientAuthenticationOptions is applicable only to .NET Core 5+ so references to Framework are irrelevant.
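
An added example, not part of the issue thread or of the .NET documentation, showing the behaviour the issue describes: the overload that takes `enabledSslProtocols` negotiates only what the caller passes, while `AuthenticateAsClient(string)` leaves the choice to the operating system. It assumes a .NET 8 console app; `OverloadDemo`, `MakeTestCert` and `Negotiate` are hypothetical names, and the self-signed loopback certificate is constructed for the demonstration.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
class OverloadDemo
{
    // Constructed throwaway certificate for the loopback server; not a real identity.
    static X509Certificate2 MakeTestCert()
    {
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var tmp = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        // PFX round trip so SslStream can use the private key on Windows too.
        return new X509Certificate2(tmp.Export(X509ContentType.Pfx));
    }
    // null: AuthenticateAsClient(string), OS picks. Otherwise: the enabledSslProtocols overload.
    static async Task<SslProtocols> Negotiate(X509Certificate2 cert, SslProtocols? explicitProtocols)
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        var server = Task.Run(async () =>
        {
            using var conn = await listener.AcceptTcpClientAsync();
            using var tls = new SslStream(conn.GetStream());
            await tls.AuthenticateAsServerAsync(cert);
        });
        using var client = new TcpClient();
        await client.ConnectAsync(IPAddress.Loopback, ((IPEndPoint)listener.LocalEndpoint).Port);
        // Pin to the constructed test certificate instead of disabling validation.
        using var ssl = new SslStream(client.GetStream(), false,
            (_, c, _, _) => c != null && c.GetCertHashString() == cert.GetCertHashString());
        if (explicitProtocols is SslProtocols p) ssl.AuthenticateAsClient("localhost", null, p, false);
        else ssl.AuthenticateAsClient("localhost");
        var negotiated = ssl.SslProtocol;
        await server;
        listener.Stop();
        return negotiated;
    }
    static async Task Main()
    {
        using var cert = MakeTestCert();
        Console.WriteLine($"AuthenticateAsClient(host): {await Negotiate(cert, null)}");
        Console.WriteLine($"enabledSslProtocols=Tls12:  {await Negotiate(cert, SslProtocols.Tls12)}");
    }
}
```

The second line reports Tls12 because that is the only protocol the client offered; the first reports whatever the OS selected, which is TLS 1.3 where the platform supports it.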
