From 816cf608fcef07e375aa750a863d0a7365108981 Mon Sep 17 00:00:00 2001
From: Taloth Saldono
Date: Tue, 13 Sep 2016 22:57:07 +0200
Subject: [PATCH] Fixed: Added fallback and log errors when Tls1.2 clashes with https certificate with obsolete md5 hash.

---
 .../Http/Dispatchers/ManagedHttpDispatcher.cs | 9 ++++++++-
 .../Security/SecurityProtocolPolicy.cs | 19 +++++++++++++++++++
 .../X509CertificateValidationPolicy.cs | 9 ++++++++-
 src/NzbDrone.Host/Bootstrap.cs | 4 ++--
 src/NzbDrone.Update/UpdateApp.cs | 6 +++---
 5 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs b/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
index 4cd2a73bc..6fdef87c1 100644
--- a/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
+++ b/src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs
@@ -1,7 +1,9 @@
 using System;
 using System.Net;
+using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Common.Http.Proxy;
+using NzbDrone.Common.Security;
 
 namespace NzbDrone.Common.Http.Dispatchers
 {
@@ -60,6 +62,11 @@ public HttpResponse GetResponse(HttpRequest request, CookieContainer cookies)
 }
 catch (WebException e)
 {
+ if (e.Status == WebExceptionStatus.SecureChannelFailure && OsInfo.IsWindows)
+ {
+ SecurityProtocolPolicy.DisableTls12();
+ }
+
 httpWebResponse = (HttpWebResponse)e.Response;
 
 if (httpWebResponse == null)
@@ -89,7 +96,7 @@ protected virtual void AddProxy(HttpWebRequest webRequest, HttpRequest request)
 webRequest.Proxy = _createManagedWebProxy.GetWebProxy(proxySettings);
 }
 }
-
+
 protected virtual void AddRequestHeaders(HttpWebRequest webRequest, HttpHeader headers)
 {
 foreach (var header in headers)
diff --git a/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs b/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
index c08acd6a5..03fcb97d2 100644
--- a/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
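Review bot: The new guard in the catch block of GetResponse downgrades the whole process on any `WebExceptionStatus.SecureChannelFailure`, not only the md5-certificate clash the commit describes, and nothing re-enables TLS 1.2 afterwards — so one server that fails a TLS 1.2 handshake for an unrelated reason, or an on-path attacker who merely aborts the first TLS 1.2 handshake, silently lowers every subsequent HTTPS connection from this process to TLS 1.0/1.1. The failing request is not retried either, so the caller still gets the exception and the downgrade only benefits later requests. I would gate the downgrade on the md5 signature the validation callback already detects (e.g. have the callback remember the offending host and check it here before calling `DisableTls12()`), log the request URI next to the downgrade, and retry the request once rather than let the first one fail. GetResponse starts and ends outside this hunk, so I cannot see how `httpWebResponse` is used after the null check.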
+++ b/src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs
@@ -24,6 +24,7 @@ public static void Register()
 protocol |= Tls11;
 }
 
+ // Enabling Tls1.2 invalidates certificates using md5, so we disable Tls12 on the fly if that happens.
 if (Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
 {
 protocol |= Tls12;
@@ -36,5 +37,23 @@ public static void Register()
 Logger.Debug(ex, "Failed to set TLS security protocol.");
 }
 }
+
+ public static void DisableTls12()
+ {
+ try
+ {
+ var protocol = ServicePointManager.SecurityProtocol;
+ if (protocol.HasFlag(Tls12))
+ {
+ Logger.Warn("Disabled Tls1.2 due to remote certificate error.");
+
+ ServicePointManager.SecurityProtocol = protocol & ~Tls12;
+ }
+ }
+ catch (Exception ex)
+ {
+ Logger.Debug(ex, "Failed to disable TLS 1.2 security protocol.");
+ }
+ }
 }
 }
diff --git a/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs b/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
index bbeacef3d..1ef25694e 100644
--- a/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
+++ b/src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs
@@ -24,6 +24,13 @@ private static bool ShouldByPassValidationError(object sender, X509Certificate c
 return true;
 }
 
+ var req = sender as HttpWebRequest;
+ var cert2 = certificate as X509Certificate2;
+ if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+ {
+ Logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
+ }
+
 if (sslPolicyErrors == SslPolicyErrors.None)
 {
 return true;
@@ -34,4 +41,4 @@ private static bool ShouldByPassValidationError(object sender, X509Certificate c
 return true;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/NzbDrone.Host/Bootstrap.cs b/src/NzbDrone.Host/Bootstrap.cs
index 0422665ad..24a151eeb 100644
--- a/src/NzbDrone.Host/Bootstrap.cs
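Review bot: `DisableTls12` does an unsynchronized read-modify-write of the process-global `ServicePointManager.SecurityProtocol` and is irreversible: once the flag is cleared nothing in this file sets it again, so the weakened protocol list outlives the single bad host that triggered it and applies to every connection the process makes afterwards. The warning also names no host, leaving an operator with nothing to act on. At minimum accept the triggering host and say what to do, e.g. `Logger.Warn("Disabled Tls1.2 due to remote certificate error on {0}; fix that certificate and restart to restore Tls1.2.", host)` via an overload that keeps the parameterless entry point, and consider doing the read/compare/write under a lock shared with `Register()` so the two cannot interleave. `Tls12` and `Logger` are declared above this hunk, so I am assuming `Tls12` is a `SecurityProtocolType` value, which `HasFlag` requires.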
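Review bot: The md5 detection compares `cert2.SignatureAlgorithm.FriendlyName` with the Windows-specific friendly name `"md5RSA"`; friendly names vary by platform and crypto provider while the OID does not, so `cert2.SignatureAlgorithm.Value == "1.2.840.113549.1.1.4"` (md5WithRSAEncryption) is the robust test. The branch only logs and then falls through to the existing `SslPolicyErrors.None` check, so an md5-signed certificate is still accepted whenever the platform accepts it — fine as a warning, but the message should not read as if the connection were refused, and `it's` should be `its`. The error is also emitted on every request to that host; logging once per authority would keep it actionable. ShouldByPassValidationError starts above this hunk, and the early `return true` it opens with is a bypass whose condition I cannot see.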
+++ b/src/NzbDrone.Host/Bootstrap.cs
@@ -21,8 +21,8 @@ public static void Start(StartupContext startupContext, IUserAlert userAlert, Ac
 {
 try
 {
- X509CertificateValidationPolicy.Register();
 SecurityProtocolPolicy.Register();
+ X509CertificateValidationPolicy.Register();
 
 Logger.Info("Starting Sonarr - {0} - Version {1}", Assembly.GetCallingAssembly().Location, Assembly.GetExecutingAssembly().GetName().Version);
 
@@ -144,4 +144,4 @@ private static bool IsInUtilityMode(ApplicationModes applicationMode)
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/src/NzbDrone.Update/UpdateApp.cs b/src/NzbDrone.Update/UpdateApp.cs
index ca3542838..bad208032 100644
--- a/src/NzbDrone.Update/UpdateApp.cs
+++ b/src/NzbDrone.Update/UpdateApp.cs
@@ -30,14 +30,14 @@ public static void Main(string[] args)
 {
 try
 {
+ SecurityProtocolPolicy.Register();
+ X509CertificateValidationPolicy.Register();
+
 var startupArgument = new StartupContext(args);
 NzbDroneLogger.Register(startupArgument, true, true);
 
 Logger.Info("Starting Sonarr Update Client");
 
- X509CertificateValidationPolicy.Register();
- SecurityProtocolPolicy.Register();
-
 _container = UpdateContainerBuilder.Build(startupArgument);
 _container.Resolve().Start(args);
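Review bot: The swap that moves `SecurityProtocolPolicy.Register()` ahead of `X509CertificateValidationPolicy.Register()` in Start is not explained, and nothing visible in this hunk depends on the order — both presumably only configure process-wide ServicePointManager state before any request is made. The same swap appears in UpdateApp.cs in this patch, so it looks deliberate; say why in a one-line comment above the pair, e.g. `// Fix the TLS protocol list before installing the certificate validation callback.`, otherwise the reorder reads as churn. Start continues outside this hunk, including the catch that handles failures of either call.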