Do not set SslProtocols and log ClientHello on the server.

Author: ManickaP

src/libraries/Common/tests/System/Net/Http/Http2LoopbackConnection.cs

@@ -62,19 +62,23 @@ public static async Task<Http2LoopbackConnection> CreateAsync(SocketWrapper sock
                 using (X509Certificate2 cert = httpOptions.Certificate ?? Configuration.Certificates.GetServerCertificate())
                 {
 #if !NETFRAMEWORK
-                    SslServerAuthenticationOptions options = new SslServerAuthenticationOptions();
+                    await sslStream.AuthenticateAsServerAsync((SslStream stream, SslClientHelloInfo clientHelloInfo, object? state, CancellationToken cancellationToken) =>
+                    {
+                        Console.WriteLine($"SSL protocols: {clientHelloInfo.SslProtocols}");
 
-                    options.EnabledSslProtocols = httpOptions.SslProtocols;
+                        SslServerAuthenticationOptions options = new SslServerAuthenticationOptions();
 
-                    var protocols = new List<SslApplicationProtocol>();
-                    protocols.Add(SslApplicationProtocol.Http2);
-                    options.ApplicationProtocols = protocols;
+                        options.EnabledSslProtocols = httpOptions.SslProtocols;
 
-                    options.ServerCertificate = cert;
+                        var protocols = new List<SslApplicationProtocol>();
+                        protocols.Add(SslApplicationProtocol.Http2);
+                        options.ApplicationProtocols = protocols;
 
-                    options.ClientCertificateRequired = httpOptions.ClientCertificateRequired;
+                        options.ServerCertificate = cert;
 
-                    await sslStream.AuthenticateAsServerAsync(options, CancellationToken.None).ConfigureAwait(false);
+                        options.ClientCertificateRequired = httpOptions.ClientCertificateRequired;
+                        return ValueTask.FromResult(options);
+                    }, null, CancellationToken.None).ConfigureAwait(false);
 #else
                     await sslStream.AuthenticateAsServerAsync(cert, httpOptions.ClientCertificateRequired, httpOptions.SslProtocols, checkCertificateRevocation: false).ConfigureAwait(false);
 #endif

src/libraries/Common/tests/System/Net/Http/Http3LoopbackServer.cs

@@ -7,6 +7,7 @@
 using System.Net.Quic;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
+using System.Threading;
 using System.Threading.Tasks;
 
 namespace System.Net.Test.Common
@@ -31,8 +32,10 @@ public Http3LoopbackServer(Http3Options options = null)
                 {
                     new SslApplicationProtocol(options.Alpn)
                 },
-                ConnectionOptionsCallback = (_, _, _) =>
+                ConnectionOptionsCallback = (QuicConnection quicConnection, SslClientHelloInfo clientHelloInfo, CancellationToken cancellationToken) =>
                 {
+                    Console.WriteLine($"SSL protocols: {clientHelloInfo.SslProtocols}");
+
                     var serverOptions = new QuicServerConnectionOptions()
                     {
                         DefaultStreamErrorCode = Http3LoopbackConnection.H3_REQUEST_CANCELLED,

src/libraries/Common/tests/System/Net/Http/HttpAgnosticLoopbackServer.cs

@@ -80,7 +80,17 @@ public override async Task<GenericLoopbackConnection> EstablishGenericConnection
                         sslOptions.ApplicationProtocols = _options.SslApplicationProtocols;
                         sslOptions.ServerCertificate = cert;
 
-                        await sslStream.AuthenticateAsServerAsync(sslOptions, CancellationToken.None).ConfigureAwait(false);
+                        await sslStream.AuthenticateAsServerAsync((SslStream stream, SslClientHelloInfo clientHelloInfo, object? state, CancellationToken cancellationToken) =>
+                        {
+                            Console.WriteLine($"SSL protocols: {clientHelloInfo.SslProtocols}");
+
+                            SslServerAuthenticationOptions sslOptions = new SslServerAuthenticationOptions();
+
+                            sslOptions.EnabledSslProtocols = _options.SslProtocols;
+                            sslOptions.ApplicationProtocols = _options.SslApplicationProtocols;
+                            sslOptions.ServerCertificate = cert;
+                            return ValueTask.FromResult(sslOptions);
+                        }, null, CancellationToken.None).ConfigureAwait(false);
                     }
 
                     stream = sslStream;

src/libraries/Common/tests/System/Net/Http/LoopbackServer.cs

@@ -478,14 +478,19 @@ public static async Task<Connection> CreateAsync(SocketWrapper socket, Stream st
                 {
                     var sslStream = new SslStream(stream, false, delegate { return true; });
 #if !NETFRAMEWORK
-                    SslServerAuthenticationOptions sslOptions = new SslServerAuthenticationOptions()
+
+                    await sslStream.AuthenticateAsServerAsync((SslStream stream, SslClientHelloInfo clientHelloInfo, object? state, CancellationToken cancellationToken) =>
                     {
-                        EnabledSslProtocols = httpOptions.SslProtocols,
-                        ServerCertificateContext = httpOptions.CertificateContext ?? SslStreamCertificateContext.Create(Configuration.Certificates.GetServerCertificate(), null),
-                        ClientCertificateRequired = true,
-                    };
+                        Console.WriteLine($"SSL protocols: {clientHelloInfo.SslProtocols}");
 
-                    await sslStream.AuthenticateAsServerAsync(sslOptions, default).ConfigureAwait(false);
+                        SslServerAuthenticationOptions sslOptions = new SslServerAuthenticationOptions()
+                        {
+                            EnabledSslProtocols = httpOptions.SslProtocols,
+                            ServerCertificateContext = httpOptions.CertificateContext ?? SslStreamCertificateContext.Create(Configuration.Certificates.GetServerCertificate(), null),
+                            ClientCertificateRequired = true,
+                        };
+                        return ValueTask.FromResult(sslOptions);
+                    }, null, CancellationToken.None).ConfigureAwait(false);
 #else
                     using (X509Certificate2 cert = httpOptions.Certificate ?? Configuration.Certificates.GetServerCertificate())
                     {

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs

@@ -1176,40 +1176,43 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
         {
             const SslProtocols Tls13 = (SslProtocols)12288; // enum is missing in .NET Standard
             uint optionData = 0;
-            SslProtocols sslProtocols =
-                (_sslProtocols == SslProtocols.None) ? SecurityProtocol.DefaultSecurityProtocols : _sslProtocols;
+
+            if (_sslProtocols == SslProtocols.None)
+            {
+                return;
+            }
 
 #pragma warning disable 0618 // SSL2/SSL3 are deprecated
-            if ((sslProtocols & SslProtocols.Ssl2) != 0)
+            if ((_sslProtocols & SslProtocols.Ssl2) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_SSL2;
             }
 
-            if ((sslProtocols & SslProtocols.Ssl3) != 0)
+            if ((_sslProtocols & SslProtocols.Ssl3) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_SSL3;
             }
 #pragma warning restore 0618
 
 #pragma warning disable SYSLIB0039 // TLS 1.0 and 1.1 are obsolete
-            if ((sslProtocols & SslProtocols.Tls) != 0)
+            if ((_sslProtocols & SslProtocols.Tls) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
             }
 
-            if ((sslProtocols & SslProtocols.Tls11) != 0)
+            if ((_sslProtocols & SslProtocols.Tls11) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1;
             }
 #pragma warning restore SYSLIB0039
 
-            if ((sslProtocols & SslProtocols.Tls12) != 0)
+            if ((_sslProtocols & SslProtocols.Tls12) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
             }
 
             // Set this only if supported by WinHttp version.
-            if (s_supportsTls13.Value && (sslProtocols & Tls13) != 0)
+            if (s_supportsTls13.Value && (_sslProtocols & Tls13) != 0)
             {
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
             }