Fixed: Added fallback and log errors when Tls1.2 clashes with https certificate with obsolete md5 hash.

2024-09-11 03:52:33 +02:00 · 2016-09-13 22:57:07 +02:00 · 2016-09-13 22:57:07 +02:00 · 816cf608fc
commit 816cf608fc
parent 713e109bc9
5 changed files with 40 additions and 7 deletions
--- a/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
+++ b/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
@ -1,7 +1,9 @@
 using System;
 using System.Net;
+using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Common.Http.Proxy;
+using NzbDrone.Common.Security;

 namespace NzbDrone.Common.Http.Dispatchers
 {
@ -60,6 +62,11 @@ public HttpResponse GetResponse(HttpRequest request, CookieContainer cookies)
            }
            catch (WebException e)
            {
+                if (e.Status == WebExceptionStatus.SecureChannelFailure && OsInfo.IsWindows)
+                {
+                    SecurityProtocolPolicy.DisableTls12();
+                }
+
                httpWebResponse = (HttpWebResponse)e.Response;

                if (httpWebResponse == null)
@ -89,7 +96,7 @@ protected virtual void AddProxy(HttpWebRequest webRequest, HttpRequest request)
                webRequest.Proxy = _createManagedWebProxy.GetWebProxy(proxySettings);
            }
        }
-        
+
        protected virtual void AddRequestHeaders(HttpWebRequest webRequest, HttpHeader headers)
        {
            foreach (var header in headers)
--- a/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
+++ b/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
@ -24,6 +24,7 @@ public static void Register()
                    protocol |= Tls11;
                }

+                // Enabling Tls1.2 invalidates certificates using md5, so we disable Tls12 on the fly if that happens.
                if (Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
                {
                    protocol |= Tls12;
@ -36,5 +37,23 @@ public static void Register()
                Logger.Debug(ex, "Failed to set TLS security protocol.");
            }
        }
+
+        public static void DisableTls12()
+        {
+            try
+            {
+                var protocol = ServicePointManager.SecurityProtocol;
+                if (protocol.HasFlag(Tls12))
+                {
+                    Logger.Warn("Disabled Tls1.2 due to remote certificate error.");
+
+                    ServicePointManager.SecurityProtocol = protocol & ~Tls12;
+                }
+            }
+            catch (Exception ex)
+            {
+                Logger.Debug(ex, "Failed to disable TLS 1.2 security protocol.");
+            }
+        }
    }
 }
--- a/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
+++ b/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
@ -24,6 +24,13 @@ private static bool ShouldByPassValidationError(object sender, X509Certificate c
                return true;
            }

+            var req = sender as HttpWebRequest;
+            var cert2 = certificate as X509Certificate2;
+            if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+            {
+                Logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
+            }
+
            if (sslPolicyErrors == SslPolicyErrors.None)
            {
                return true;
@ -34,4 +41,4 @@ private static bool ShouldByPassValidationError(object sender, X509Certificate c
            return true;
        }
    }
-}
+}
--- a/src/NzbDrone.Host/Bootstrap.cs
+++ b/src/NzbDrone.Host/Bootstrap.cs
@ -21,8 +21,8 @@ public static void Start(StartupContext startupContext, IUserAlert userAlert, Ac
        {
            try
            {
-                X509CertificateValidationPolicy.Register();
                SecurityProtocolPolicy.Register();
+                X509CertificateValidationPolicy.Register();

                Logger.Info("Starting Sonarr - {0} - Version {1}", Assembly.GetCallingAssembly().Location, Assembly.GetExecutingAssembly().GetName().Version);

@ -144,4 +144,4 @@ private static bool IsInUtilityMode(ApplicationModes applicationMode)
            }
        }
    }
-}
+}
--- a/src/NzbDrone.Update/UpdateApp.cs
+++ b/src/NzbDrone.Update/UpdateApp.cs
@ -30,14 +30,14 @@ public static void Main(string[] args)
        {
            try
            {
+                SecurityProtocolPolicy.Register();
+                X509CertificateValidationPolicy.Register();
+
                var startupArgument = new StartupContext(args);
                NzbDroneLogger.Register(startupArgument, true, true);

                Logger.Info("Starting Sonarr Update Client");

-                X509CertificateValidationPolicy.Register();
-                SecurityProtocolPolicy.Register();
-
                _container = UpdateContainerBuilder.Build(startupArgument);

                _container.Resolve<UpdateApp>().Start(args);