Port #3126 to release/6.0 (#3127)

* Fix down-level SSL/TLS version warnings (#3126)

* Added test for downlevel connectivity warning

* Correctly test bit flags for legacy SSL protocol warning

* Corrected warning disablement/restore.

(cherry picked from commit 198b906)

* Test by rolling back changes to connection test matrix

---------

Co-authored-by: Edward Neal <[email protected]>

Author: benrr101

src/Microsoft.Data.SqlClient/src/Microsoft/Data/SqlClient/TdsParserHelperClasses.cs

@@ -768,30 +768,30 @@ private static string ToFriendlyName(this SslProtocols protocol)
                 name = "TLS 1.3";
             }*/
 #pragma warning disable CA5398 // Avoid hardcoded SslProtocols values
-            if ((protocol & SslProtocols.Tls12) == SslProtocols.Tls12)
+            if ((protocol & SslProtocols.Tls12) != SslProtocols.None)
             {
                 name = "TLS 1.2";
             }
 #if NET
 #pragma warning disable SYSLIB0039 // Type or member is obsolete: TLS 1.0 & 1.1 are deprecated
 #endif
-            else if ((protocol & SslProtocols.Tls11) == SslProtocols.Tls11)
+            else if ((protocol & SslProtocols.Tls11) != SslProtocols.None)
             {
                 name = "TLS 1.1";
             }
-            else if ((protocol & SslProtocols.Tls) == SslProtocols.Tls)
+            else if ((protocol & SslProtocols.Tls) != SslProtocols.None)
             {
                 name = "TLS 1.0";
             }
 #if NET
 #pragma warning restore SYSLIB0039 // Type or member is obsolete: SSL and TLS 1.0 & 1.1 is deprecated
 #endif
 #pragma warning disable CS0618 // Type or member is obsolete: SSL is deprecated
-            else if ((protocol & SslProtocols.Ssl3) == SslProtocols.Ssl3)
+            else if ((protocol & SslProtocols.Ssl3) != SslProtocols.None)
             {
                 name = "SSL 3.0";
             }
-            else if ((protocol & SslProtocols.Ssl2) == SslProtocols.Ssl2)
+            else if ((protocol & SslProtocols.Ssl2) != SslProtocols.None)
 #pragma warning restore CS0618 // Type or member is obsolete: SSL and TLS 1.0 & 1.1 is deprecated
             {
                 name = "SSL 2.0";

src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/ConnectionTestParameters.cs

@@ -5,6 +5,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Authentication;
 using System.Text;
 using System.Threading.Tasks;
 using Microsoft.SqlServer.TDS.PreLogin;
@@ -26,15 +27,21 @@ public class ConnectionTestParameters
         public string HostNameInCertificate => _hnic;
         public bool TestResult => _result;
         public TDSPreLoginTokenEncryptionType TdsEncryptionType => _encryptionType;
+        public SslProtocols EncryptionProtocols { get; }
 
         public ConnectionTestParameters(TDSPreLoginTokenEncryptionType tdsEncryptionType, SqlConnectionEncryptOption encryptOption, bool trustServerCert, string cert, string hnic, bool result)
+            : this(tdsEncryptionType, encryptOption, trustServerCert, cert, hnic, SslProtocols.Tls12, result)
+        { }
+
+        public ConnectionTestParameters(TDSPreLoginTokenEncryptionType tdsEncryptionType, SqlConnectionEncryptOption encryptOption, bool trustServerCert, string cert, string hnic, SslProtocols sslProtocols, bool result)
         {
             _encryptionOption = encryptOption;
             _trustServerCert = trustServerCert;
             _cert = cert;
             _hnic = hnic;
             _result = result;
             _encryptionType = tdsEncryptionType;
+            EncryptionProtocols = sslProtocols;
         }
     }
 }

src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectionTestWithSSLCert/CertificateTestWithTdsServer.cs

@@ -127,6 +127,7 @@ private void ConnectionTest(ConnectionTestParameters connectionTestParameters)
 #else
                 new X509Certificate2(s_fullPathToPfx, "nopassword", X509KeyStorageFlags.UserKeySet),
 #endif
+                encryptionProtocols: connectionTestParameters.EncryptionProtocols,
                 encryptionType: connectionTestParameters.TdsEncryptionType);
 
             builder = new(server.ConnectionString)

src/Microsoft.Data.SqlClient/tests/ManualTests/TracingTests/TestTdsServer.cs

@@ -7,6 +7,7 @@
 using System.Net;
 using System.Net.Sockets;
 using System.Runtime.CompilerServices;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.SqlServer.TDS.EndPoint;
 using Microsoft.SqlServer.TDS.PreLogin;
@@ -31,7 +32,7 @@ public TestTdsServer(QueryEngine engine, TDSServerArguments args) : base(args)
 
         public static TestTdsServer StartServerWithQueryEngine(QueryEngine engine, bool enableFedAuth = false, bool enableLog = false,
             int connectionTimeout = DefaultConnectionTimeout, [CallerMemberName] string methodName = "",
-            X509Certificate2 encryptionCertificate = null, TDSPreLoginTokenEncryptionType encryptionType = TDSPreLoginTokenEncryptionType.NotSupported)
+            X509Certificate2 encryptionCertificate = null, SslProtocols encryptionProtocols = SslProtocols.Tls12, TDSPreLoginTokenEncryptionType encryptionType = TDSPreLoginTokenEncryptionType.NotSupported)
         {
             TDSServerArguments args = new TDSServerArguments()
             {
@@ -48,6 +49,7 @@ public static TestTdsServer StartServerWithQueryEngine(QueryEngine engine, bool
                 args.EncryptionCertificate = encryptionCertificate;
             }
 
+            args.EncryptionProtocols = encryptionProtocols;
             args.Encryption = encryptionType;
 
             TestTdsServer server = engine == null ? new TestTdsServer(args) : new TestTdsServer(engine, args);
@@ -83,9 +85,9 @@ public static TestTdsServer StartServerWithQueryEngine(QueryEngine engine, bool
 
         public static TestTdsServer StartTestServer(bool enableFedAuth = false, bool enableLog = false,
             int connectionTimeout = DefaultConnectionTimeout, [CallerMemberName] string methodName = "",
-            X509Certificate2 encryptionCertificate = null, TDSPreLoginTokenEncryptionType encryptionType = TDSPreLoginTokenEncryptionType.NotSupported)
+            X509Certificate2 encryptionCertificate = null, SslProtocols encryptionProtocols = SslProtocols.Tls12, TDSPreLoginTokenEncryptionType encryptionType = TDSPreLoginTokenEncryptionType.NotSupported)
         {
-            return StartServerWithQueryEngine(null, enableFedAuth, enableLog, connectionTimeout, methodName, encryptionCertificate, encryptionType);
+            return StartServerWithQueryEngine(null, enableFedAuth, enableLog, connectionTimeout, methodName, encryptionCertificate, encryptionProtocols, encryptionType);
         }
 
         public void Dispose() => _endpoint?.Stop();

src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.EndPoint/ITDSServerSession.cs

@@ -3,6 +3,7 @@
 // See the LICENSE file in the project root for more information.
 
 using System;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.SqlServer.TDS.EndPoint.SSPI;
 
@@ -68,6 +69,11 @@ public interface ITDSServerSession
         /// </summary>
         X509Certificate EncryptionCertificate { get; }
 
+        /// <summary>
+        /// SSL/TLS protocols to use for transport encryption
+        /// </summary>
+        SslProtocols EncryptionProtocols { get; }
+
         /// <summary>
         /// Counter of connection reset requests for this session
         /// </summary>

src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.EndPoint/TDSParser.cs

@@ -25,11 +25,6 @@ public class TDSParser
         /// </summary>
         public TextWriter EventLog { get; set; }
 
-        /// <summary>
-        /// Encryption protocol for server to use with AuthenticateAsServer
-        /// </summary>
-        public static SslProtocols ServerSslProtocol { get; set; }
-
         /// <summary>
         /// Protocol stream between the client and the server
         /// </summary>
@@ -43,8 +38,6 @@ public TDSParser(Stream transport)
             // Save original transport
             _originalTransport = transport;
 
-            ServerSslProtocol = SslProtocols.Tls12;
-
             // Wrap transport layer with TDS
             Transport = new TDSStream(transport, false);
         }
@@ -57,14 +50,6 @@ public void SetTDSStreamPreWriteCallback(Func<byte[], int, int, ushort> funcTDSS
             Transport.PreWriteCallBack = funcTDSStreamPreWriteCallBack;
         }
 
-        /// <summary>
-        /// Resets the targeted encryption protocol for the server.
-        /// </summary>
-        public static void ResetTargetProtocol()
-        {
-            ServerSslProtocol = SslProtocols.Tls12;
-        }
-
         /// <summary>
         /// Enable transport encryption
         /// </summary>
@@ -105,7 +90,7 @@ protected void EnableClientTransportEncryption(string server)
         /// <summary>
         /// Enable transport encryption
         /// </summary>
-        protected void EnableServerTransportEncryption(X509Certificate certificate)
+        protected void EnableServerTransportEncryption(X509Certificate certificate, SslProtocols encryptionProtocols)
         {
             // Check if transport encryption is applied
             if (Transport.InnerStream is SslStream)
@@ -128,7 +113,7 @@ protected void EnableServerTransportEncryption(X509Certificate certificate)
             SslStream ssl = new SslStream(multiplexer, true);
 
             // Secure the channel
-            ssl.AuthenticateAsServer(certificate, false, ServerSslProtocol, false);
+            ssl.AuthenticateAsServer(certificate, false, encryptionProtocols, false);
 
             // Replace TDS stream with raw transport stream in multiplexer
             multiplexer.InnerStream = Transport.InnerStream;

src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.EndPoint/TDSServerParser.cs

@@ -146,7 +146,7 @@ public void Run()
                     if (Session.Encryption == TDSEncryptionType.LoginOnly || Session.Encryption == TDSEncryptionType.Full)
                     {
                         // Enable server side encryption
-                        EnableServerTransportEncryption(Session.EncryptionCertificate);
+                        EnableServerTransportEncryption(Session.EncryptionCertificate, Session.EncryptionProtocols);
                     }
                 }
 

src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/GenericTDSServer.cs

@@ -85,8 +85,9 @@ public virtual ITDSServerSession OpenSession()
             // Create a new session
             GenericTDSServerSession session = new GenericTDSServerSession(this, (uint)_sessionCount);
 
-            // Use configured encryption certificate
+            // Use configured encryption certificate and protocols
             session.EncryptionCertificate = Arguments.EncryptionCertificate;
+            session.EncryptionProtocols = Arguments.EncryptionProtocols;
 
             return session;
         }

src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/GenericTDSServerSession.cs

@@ -4,6 +4,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.SqlServer.TDS.EndPoint;
 using Microsoft.SqlServer.TDS.EndPoint.SSPI;
@@ -78,6 +79,11 @@ public class GenericTDSServerSession : ITDSServerSession
         /// </summary>
         public X509Certificate EncryptionCertificate { get; set; }
 
+        /// <summary>
+        /// SSL/TLS protocols to use for transport encryption
+        /// </summary>
+        public SslProtocols EncryptionProtocols { get; set; }
+
         /// <summary>
         /// Nonce option sent by client
         /// </summary>

src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/TDSServerArguments.cs

@@ -4,6 +4,7 @@
 
 using System;
 using System.IO;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.SqlServer.TDS.PreLogin;
 
@@ -69,6 +70,11 @@ public class TDSServerArguments
         /// </summary>
         public X509Certificate EncryptionCertificate { get; set; }
 
+        /// <summary>
+        /// SSL/TLS protocols to use for transport encryption
+        /// </summary>
+        public SslProtocols EncryptionProtocols { get; set; }
+
         /// <summary>
         /// Initialization constructor
         /// </summary>
@@ -88,6 +94,7 @@ public TDSServerArguments()
             FedAuthRequiredPreLoginOption = TdsPreLoginFedAuthRequiredOption.FedAuthNotRequired;
 
             EncryptionCertificate = new X509Certificate2("TdsServerCertificate.pfx", "SecretPassword123456");
+            EncryptionProtocols = SslProtocols.Tls12;
 
             ServerPrincipalName = AzureADServicePrincipalName;
             StsUrl = AzureADProductionTokenEndpoint;