(chocolatey#2902) ReplaceTLS/HTTPS handling code

After speaking with the team and reviewing .NET's best practices documentation on this, this is the solution we've come to. Being overly specific about TLS versions has its downsides so it's better to leave it to the OS. I also replaced the class that handles it with one that has a more descriptive name and properly made it a static class.
vexx32 · Apr 18, 2023 · 17bf150 · 17bf150
1 parent ced3b70
commit 17bf150
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 56 deletions.
diff --git a/src/chocolatey/chocolatey.csproj b/src/chocolatey/chocolatey.csproj
@@ -272,6 +272,7 @@
     <Compile Include="infrastructure\logging\LogMessage.cs" />
     <Compile Include="infrastructure\logging\LogSinkLog.cs" />
     <Compile Include="infrastructure\registration\AssemblyResolution.cs" />
+    <Compile Include="infrastructure\registration\HttpsSecurity.cs" />
     <Compile Include="infrastructure\rules\IMetadataRule.cs" />
     <Compile Include="infrastructure\rules\RuleResult.cs" />
     <Compile Include="infrastructure\rules\RuleType.cs" />

diff --git a/src/chocolatey/infrastructure.app/runners/GenericRunner.cs b/src/chocolatey/infrastructure.app/runners/GenericRunner.cs
@@ -146,7 +146,7 @@ public void Run(ChocolateyConfiguration config, Container container, bool isCons
             }
 
             FailOnMissingOrInvalidLicenseIfFeatureSet(config);
-            SecurityProtocol.SetProtocol(provideWarning: true);
+            HttpsSecurity.Reset();
             EventManager.Publish(new PreRunMessage(config));
 
             try
@@ -230,7 +230,7 @@ public IEnumerable<T> List<T>(ChocolateyConfiguration config, Container containe
             }
 
             FailOnMissingOrInvalidLicenseIfFeatureSet(config);
-            SecurityProtocol.SetProtocol(provideWarning: true);
+            HttpsSecurity.Reset();
             EventManager.Publish(new PreRunMessage(config));
 
             try
@@ -266,7 +266,7 @@ public IEnumerable<T> List<T>(ChocolateyConfiguration config, Container containe
         public int Count(ChocolateyConfiguration config, Container container, bool isConsole, Action<ICommand> parseArgs)
         {
             FailOnMissingOrInvalidLicenseIfFeatureSet(config);
-            SecurityProtocol.SetProtocol(provideWarning: true);
+            HttpsSecurity.Reset();
 
             var command = FindCommand(config, container, isConsole, parseArgs) as IListCommand;
             if (command == null)

diff --git a/src/chocolatey/infrastructure.app/services/PowershellService.cs b/src/chocolatey/infrastructure.app/services/PowershellService.cs
@@ -345,6 +345,7 @@ public bool RunAction(ChocolateyConfiguration configuration, PackageResult packa
                     if (configuration.Features.UsePowerShellHost)
                     {
                         RemoveAssemblyResolver();
+                        HttpsSecurity.Reset();
                     }
 
                     if (result.StandardErrorWritten && configuration.Features.FailOnStandardError)
@@ -540,7 +541,7 @@ public void PreparePowerShellEnvironment(IPackageSearchMetadata package, Chocola
                 }
             }
 
-            SecurityProtocol.SetProtocol(provideWarning: false);
+            HttpsSecurity.Reset();
         }
 
         private ResolveEventHandler _handler = null;

diff --git a/src/chocolatey/infrastructure/registration/HttpsSecurity.cs b/src/chocolatey/infrastructure/registration/HttpsSecurity.cs
@@ -0,0 +1,63 @@
+namespace chocolatey.infrastructure.registration
+{
+    using System;
+    using System.Collections.Generic;
+    using System.Linq;
+    using System.Net;
+    using System.Text;
+    using System.Threading.Tasks;
+
+    internal static class HttpsSecurity
+    {
+        /// <summary>
+        /// Resets the <see cref="ServicePointManager.SecurityProtocol"/> and <see cref="ServicePointManager.ServerCertificateValidationCallback"/> for HTTPS connections
+        /// in order to ensure that PowerShell scripts we run can't have a persistent effect on these settings across the whole process after they're done running.
+        /// </summary>
+        internal static void Reset()
+        {
+            // SystemDefault is used because:
+            // 1. Most supported operating systems default to / require TLS 1.2 anyway.
+            // 2. Explicitly *enabling* any less secure protocols leaves us open to TLS downgrade attacks.
+            //    https://en.wikipedia.org/wiki/Downgrade_attack
+            // 3. Always *requiring* TLS 1.2 or higher on any OS version may cause issues with some folks' internal
+            //    networks which may have older infrastructure that doesn't support it, and they won't have a way
+            //    to make Chocolately CLI work with that infrastructure if we're forcing a TLS version they can't
+            //    support.
+            // 4. Thus, the only sensible solution (since we don't want to add a configuration value for this) is
+            //    to take the OS-level setting and use that, because if folks set their system up to use certain
+            //    TLS versions, we should probably follow suit, regardless of what their OS version may be.
+            //
+            // See https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls for more information
+            // and best practices recommendation from the .NET team.
+            if (ServicePointManager.SecurityProtocol != SecurityProtocolType.SystemDefault)
+            {
+                "chocolatey".Log().Warn(
+                    "{0} was set to {1}, resetting to SystemDefault.",
+                    nameof(ServicePointManager.SecurityProtocol),
+                    ServicePointManager.SecurityProtocol);
+
+                ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;
+            }
+
+            try
+            {
+                // We reset this to ensure that if a package overrides this callback during its script runs, it doesn't affect the rest of
+                // the actions we need to take for the duration of this process (other packages we're installing, etc.) Setting this to
+                // null restores the default behaviour of certificate validation instead of whatever custom behaviour has been injected.
+                if (ServicePointManager.ServerCertificateValidationCallback != null)
+                {
+                    "chocolatey".Log().Warn(
+                        "{0} was set to '{1}' Removing.",
+                        nameof(ServicePointManager.ServerCertificateValidationCallback),
+                        ServicePointManager.ServerCertificateValidationCallback);
+
+                    ServicePointManager.ServerCertificateValidationCallback = null;
+                }
+            }
+            catch (Exception ex)
+            {
+                "chocolatey".Log().Warn("Error resetting ServerCertificateValidationCallback: {0}".FormatWith(ex.Message));
+            }
+        }
+    }
+}
diff --git a/src/chocolatey/infrastructure/registration/SecurityProtocol.cs b/src/chocolatey/infrastructure/registration/SecurityProtocol.cs
@@ -21,62 +21,12 @@ namespace chocolatey.infrastructure.registration
     using app.configuration;
     using logging;
 
+    [Obsolete("This type is deprecated and will be removed in v3.")]
     public sealed class SecurityProtocol
     {
-        private const int Tls11 = 768;
-        private const int Tls12 = 3072;
-
-        public static void SetProtocol(bool provideWarning)
-        {
-            try
-            {
-                // TODO: Streamline this method now that we are building against .NET 4.8
-
-                // We can't address the protocols directly when built with .NET
-                // Framework 4.0. However if someone is running .NET 4.5 or
-                // greater, they have in-place upgrades for System.dll, which
-                // will allow us to set these protocols directly.
-                const SecurityProtocolType tls11 = (SecurityProtocolType)Tls11;
-                const SecurityProtocolType tls12 = (SecurityProtocolType)Tls12;
-                ServicePointManager.SecurityProtocol = tls12 | tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
-            }
-            catch (Exception)
-            {
-                ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;
-                //todo: #2585 provide this warning with the ability to opt out of seeing it again so we can move it up to more prominent visibility and not just the verbose log
-                if (provideWarning)
-                {
-                "chocolatey".Log().Warn(ChocolateyLoggers.Verbose,
-@" !!WARNING!!
-Choco prefers to use TLS v1.2 if it is available, but this client is
- running on .NET 4.0, which uses an older SSL. It's using TLS 1.0 or
- earlier, which makes it susceptible to BEAST and also doesn't
- implement the 1/n-1 record splitting mitigation for Cipher-Block
- Chaining. Upgrade to at least .NET 4.5 at your earliest convenience.
-
- For more information you should visit https://www.howsmyssl.com/");
-                }
-            }
-
-            try
-            {
-                if (ServicePointManager.ServerCertificateValidationCallback != null)
-                {
-                    "chocolatey".Log().Warn("ServerCertificateValidationCallback was set to '{0}' Removing.".FormatWith(System.Net.ServicePointManager.ServerCertificateValidationCallback));
-                    ServicePointManager.ServerCertificateValidationCallback = null;
-                }
-            }
-            catch (Exception ex)
-            {
-                "chocolatey".Log().Warn("Error resetting ServerCertificateValidationCallback: {0}".FormatWith(ex.Message));
-            }
-        }
-
-
 #pragma warning disable IDE1006
-        [Obsolete("This overload is deprecated and will be removed in v3.")]
         public static void set_protocol(ChocolateyConfiguration config, bool provideWarning)
-            => SetProtocol(provideWarning);
+            => HttpsSecurity.Reset();
 #pragma warning restore IDE1006
     }
 }