From a50f94e8ff54cf0dcadbff250516e55833fcb3e5 Mon Sep 17 00:00:00 2001
From: Stephen Halter
Date: Thu, 4 Jun 2020 16:44:27 -0700
Subject: [PATCH] Use default SslProtocols in Kestrel (#22437)

---
 src/Servers/Kestrel/Core/src/CoreStrings.resx | 3 +++
 .../Kestrel/Core/src/HttpsConnectionAdapterOptions.cs | 4 ++--
 .../Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs | 2 ++
 .../HttpsConnectionMiddlewareTests.cs | 3 ++-
 .../Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs | 5 ++++-
 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/Servers/Kestrel/Core/src/CoreStrings.resx b/src/Servers/Kestrel/Core/src/CoreStrings.resx
index 1d270be8ee..7f9e97c266 100644
--- a/src/Servers/Kestrel/Core/src/CoreStrings.resx
+++ b/src/Servers/Kestrel/Core/src/CoreStrings.resx
@@ -602,4 +602,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l A value greater than or equal to zero is required. + + Connection "{connectionId}" established using the following protocol: {protocol} + \ No newline at end of file
diff --git a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
index 92e80cc8d0..d801316b5f 100644
--- a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
+++ b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
@@ -24,7 +24,6 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https
 public HttpsConnectionAdapterOptions()
 {
 ClientCertificateMode = ClientCertificateMode.NoCertificate;
- SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
 HandshakeTimeout = TimeSpan.FromSeconds(10);
 }
 
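Review bot: With the assignment removed from the constructor, `SslProtocols` is left at the enum's zero value (`SslProtocols.None`) implicitly, and nothing in the constructor records that this is deliberate; consider keeping an explicit `SslProtocols = SslProtocols.None; // OS-chosen protocol set` so the default is visible in code and not only in the property's doc comment. The same point applies to the doc-comment hunk that follows in this file: "block protocols that are not secure" is decided by the host's TLS configuration, not by Kestrel, so the allowed version set can differ between machines, and the comment could say that deployments needing a fixed floor should set the property explicitly. The constructor is fully in view, but the class continues outside the hunk.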
@@ -61,7 +60,8 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https
 public Func ClientCertificateValidation { get; set; }
 
 ///
- /// Specifies allowable SSL protocols. Defaults to and .
+ /// Specifies allowable SSL protocols. Defaults to which allows the operating system to choose the best protocol to use,
+ /// and to block protocols that are not secure. Unless your app has a specific reason not to, you should use this default.
 ///
 public SslProtocols SslProtocols { get; set; }
 
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
index eef77ef823..473579f210 100644
--- a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
+++ b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -252,6 +252,8 @@ namespace Microsoft.AspNetCore.Server.Kestrel.Https.Internal KestrelEventSource.Log.TlsHandshakeStop(context, feature); + _logger.LogDebug(3, CoreStrings.HttpsConnectionEstablished, context.ConnectionId, sslStream.SslProtocol); + var originalTransport = context.Transport; try
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
index 43e557734e..b32d151a99 100644
--- a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
+++ b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
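Review bot: In the HttpsConnectionMiddleware.cs hunk the new `_logger.LogDebug(3, CoreStrings.HttpsConnectionEstablished, ...)` call uses a bare event id `3` with nothing saying what it is or how it relates to the other ids this logger emits; a named constant, or whichever `LoggerMessage` convention the rest of the file uses, would make it discoverable. Because the protocol version is now chosen by the OS, this Debug-level line is presumably the main place the negotiated version becomes visible, so an operator who wants to notice downlevel negotiations must enable Debug for this category; a short comment above the call, `// Debug-only: records which protocol the OS-chosen default actually negotiated.`, would make that explicit. The enclosing method, and the `sslStream` variable it reads, start and end outside the hunk.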
@@ -362,12 +362,13 @@ namespace Microsoft.AspNetCore.Server.Kestrel.InMemory.FunctionalTests
 }
 
 [Fact]
- public async Task DoesNotSupportTls10()
+ public async Task Tls10CanBeDisabled()
 {
 void ConfigureListenOptions(ListenOptions listenOptions)
 {
 listenOptions.UseHttps(options =>
 {
+ options.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
 options.ServerCertificate = _x509Certificate2;
 options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
 options.AllowAnyClientCertificate();
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
index 17b5cae1e1..f587f0956d 100644
--- a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
+++ b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
@@ -366,7 +366,10 @@ namespace Microsoft.AspNetCore.Server.Kestrel.InMemory.FunctionalTests
 new TestServiceContext(LoggerFactory),
 listenOptions =>
 {
- listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"));
+ listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"), httpsOptions =>
+ {
+ httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
+ });
 }))
 {
 using (var connection = server.CreateConnection())
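Review bot: Renaming `DoesNotSupportTls10` to `Tls10CanBeDisabled` and pinning `SslProtocols.Tls12 | SslProtocols.Tls11` inside it means the new default itself is no longer covered by any test in this hunk; the opt-in path is tested, the out-of-the-box value is not. A small unit test such as `Assert.Equal(SslProtocols.None, new HttpsConnectionAdapterOptions().SslProtocols);` would pin the default so a later constructor change cannot silently widen or narrow it. The test method continues past the end of the hunk.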
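Review bot: The HttpsTests.cs hunk pins `httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;` for the no_extensions.pfx test without saying why this test opts out of the new OS-chosen default; the reason is not visible in the hunk. A one-line comment above the assignment, `// Pinned to pre-1.3 protocols: <reason this certificate/test needs them>`, would stop the next reader from removing the override as dead configuration. The enclosing test method starts before and ends after the hunk.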