Do not set the TLS version (#1197)

SonarSource · Feb 9, 2022 · 290ed63 · 290ed63
1 parent 093ed4e
commit 290ed63
Show file tree

Hide file tree

Showing 7 changed files with 3 additions and 180 deletions.
diff --git a/Tests/SonarScanner.MSBuild.PreProcessor.Test/WebClientDownloaderTest.cs b/Tests/SonarScanner.MSBuild.PreProcessor.Test/WebClientDownloaderTest.cs
@@ -22,7 +22,6 @@
 using System.Net;
 using FluentAssertions;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
-using Moq;
 using SonarScanner.MSBuild.Common;
 using TestUtilities;
 
@@ -31,49 +30,6 @@ namespace SonarScanner.MSBuild.PreProcessor.Test
     [TestClass]
     public class WebClientDownloaderTest
     {
-        [TestMethod]
-        public void Ctor_SecurityProtocolIsDefault_RemainsDefault()
-        {
-            // Arrange
-            var securityProtocolHandlerMock = new Mock<ISecurityProtocolHandler>();
-            securityProtocolHandlerMock.Setup(x => x.SecurityProtocol).Returns(SecurityProtocolType.SystemDefault);
-
-            // Act & Assert
-            _ = new WebClientDownloader(null, null, new TestLogger(), securityProtocolHandlerMock.Object, null, null);
-
-            securityProtocolHandlerMock.VerifySet(x => x.SecurityProtocol = It.IsAny<SecurityProtocolType>(), Times.Never);
-        }
-
-        [TestMethod]
-        public void Ctor_SecurityProtocolIsNotDefault_AllTlsVersionsAreEnabled()
-        {
-            // Arrange
-            var securityProtocolHandlerMock = new Mock<ISecurityProtocolHandler>();
-            var isNeverDefault = SecurityProtocolType.Ssl3;
-            securityProtocolHandlerMock.Setup(x => x.SecurityProtocol).Returns(isNeverDefault);
-
-            // Act
-            _ = new WebClientDownloader(null, null, new TestLogger(), securityProtocolHandlerMock.Object, null, null);
-
-            // Assert
-            securityProtocolHandlerMock.VerifySet(x => x.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls);
-        }
-
-        [TestMethod]
-        public void Ctor_SecurityProtocolIsNotDefault_MessageLogged()
-        {
-            // Arrange
-            var securityProtocolHandlerMock = new Mock<ISecurityProtocolHandler>();
-            securityProtocolHandlerMock.Setup(x => x.SecurityProtocol).Returns(SecurityProtocolType.Ssl3);
-            var loggerMock = new Mock<ILogger>();
-
-            // Act
-            _ = new WebClientDownloader(null, null, loggerMock.Object, securityProtocolHandlerMock.Object, null, null);
-
-            // Assert
-            loggerMock.Verify(x => x.LogWarning(Resources.MSG_VulnerableTLSMightBeUsed), Times.Once());
-        }
-
         [TestMethod]
         public void Credentials()
         {
@@ -165,8 +121,7 @@ public void UsingClientCert()
         public void Implements_Dispose()
         {
             // Arrange
-            var securityProtocolHandlerMock = new Mock<ISecurityProtocolHandler>();
-            var testDownloader = new TestDownloader(null, null, new TestLogger(), securityProtocolHandlerMock.Object, null, null);
+            var testDownloader = new TestDownloader(null, null, new TestLogger(), null, null);
 
             // Act
             testDownloader.Dispose();
@@ -179,8 +134,7 @@ public void Implements_Dispose()
         public void MultipleDisposeCallsNotFailing()
         {
             // Arrange
-            var securityProtocolHandlerMock = new Mock<ISecurityProtocolHandler>();
-            var testDownloader = new TestDownloader(null, null, new TestLogger(), securityProtocolHandlerMock.Object, null, null);
+            var testDownloader = new TestDownloader(null, null, new TestLogger(), null, null);
 
             // Act
             testDownloader.Dispose();
@@ -194,13 +148,7 @@ private sealed class TestDownloader : WebClientDownloader
         {
             public bool IsDisposedCalled { get; private set; } = false;
 
-            public TestDownloader(string userName,
-                                  string password,
-                                  ILogger logger,
-                                  ISecurityProtocolHandler securityProtocolHandler,
-                                  string clientCertPath = null,
-                                  string clientCertPassword = null)
-                : base(userName, password, logger, securityProtocolHandler, clientCertPath, clientCertPassword) { }
+            public TestDownloader(string userName, string password, ILogger logger, string clientCertPath = null, string clientCertPassword = null) : base(userName, password, logger,  clientCertPath, clientCertPassword) { }
 
             protected override void Dispose(bool disposing)
             {

diff --git a/src/SonarScanner.MSBuild.PreProcessor/Interfaces/ISecurityProtocolHandler.cs b/src/SonarScanner.MSBuild.PreProcessor/Interfaces/ISecurityProtocolHandler.cs
diff --git a/src/SonarScanner.MSBuild.PreProcessor/Properties/InternalsVisibleTo.cs b/src/SonarScanner.MSBuild.PreProcessor/Properties/InternalsVisibleTo.cs
diff --git a/src/SonarScanner.MSBuild.PreProcessor/Resources.Designer.cs b/src/SonarScanner.MSBuild.PreProcessor/Resources.Designer.cs
diff --git a/src/SonarScanner.MSBuild.PreProcessor/Resources.resx b/src/SonarScanner.MSBuild.PreProcessor/Resources.resx
@@ -237,9 +237,6 @@ Use '/?' or '/h' to see the help message.</value>
   <data name="MSG_UpdatingMSBuildTargets" xml:space="preserve">
     <value>Updating build integration targets...</value>
   </data>
-  <data name="MSG_VulnerableTLSMightBeUsed" xml:space="preserve">
-    <value>It seems like an older version of the runtime is used and vulnerable TLS versions might be enabled. Please ensure the environment is secure.</value>
-  </data>
   <data name="RAP_AdditionalFileAlreadyExists" xml:space="preserve">
     <value>A Roslyn analyzer "additional file" named "{0}" already exists at {1}. The existing file will not be overwritten.</value>
   </data>

diff --git a/src/SonarScanner.MSBuild.PreProcessor/SecurityProtocolHandler.cs b/src/SonarScanner.MSBuild.PreProcessor/SecurityProtocolHandler.cs
diff --git a/src/SonarScanner.MSBuild.PreProcessor/WebClientDownloader.cs b/src/SonarScanner.MSBuild.PreProcessor/WebClientDownloader.cs
@@ -32,31 +32,14 @@ namespace SonarScanner.MSBuild.PreProcessor
 {
     public class WebClientDownloader : IDownloader
     {
-        // This is a temporary solution until we upgrade to .net framework 4.7.
-        private const SecurityProtocolType SystemDefault = 0;
-
         private readonly ILogger logger;
         private readonly HttpClient client;
 
         public WebClientDownloader(string userName, string password, ILogger logger, string clientCertPath = null, string clientCertPassword = null)
-            : this(userName, password, logger, new SecurityProtocolHandler(), clientCertPath, clientCertPassword) { }
-
-        internal /* for testing */ WebClientDownloader(string userName,
-                                                       string password,
-                                                       ILogger logger,
-                                                       ISecurityProtocolHandler securityProtocolHandler,
-                                                       string clientCertPath = null,
-                                                       string clientCertPassword = null)
         {
             this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
             password = password ?? string.Empty;
 
-            if (securityProtocolHandler.SecurityProtocol != SystemDefault)
-            {
-                securityProtocolHandler.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
-                logger.LogWarning(Resources.MSG_VulnerableTLSMightBeUsed);
-            }
-
             if (clientCertPath != null && clientCertPassword != null) // password mandatory, as to use client cert in .jar it cannot be with empty password
             {
                 var clientHandler = new HttpClientHandler { ClientCertificateOptions = ClientCertificateOption.Manual };