Fixed: Added fallback and log errors when Tls1.2 clashes with https certificate with obsolete md5 hash.

src/NzbDrone.Common/Http/Dispatchers/ManagedHttpDispatcher.cs

@@ -1,7 +1,9 @@
 using System;
 using System.Net;
+using NzbDrone.Common.EnvironmentInfo;
 using NzbDrone.Common.Extensions;
 using NzbDrone.Common.Http.Proxy;
+using NzbDrone.Common.Security;
 
 namespace NzbDrone.Common.Http.Dispatchers
 {
@@ -60,6 +62,11 @@ public HttpResponse GetResponse(HttpRequest request, CookieContainer cookies)
             }
             catch (WebException e)
             {
+                if (e.Status == WebExceptionStatus.SecureChannelFailure && OsInfo.IsWindows)
+                {
+                    SecurityProtocolPolicy.DisableTls12();
+                }
+
                 httpWebResponse = (HttpWebResponse)e.Response;
 
                 if (httpWebResponse == null)

src/NzbDrone.Common/Security/SecurityProtocolPolicy.cs

@@ -24,6 +24,7 @@ public static void Register()
                     protocol |= Tls11;
                 }
 
+                // Enabling Tls1.2 invalidates certificates using md5, so we disable Tls12 on the fly if that happens.
                 if (Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
                 {
                     protocol |= Tls12;
@@ -36,5 +37,23 @@ public static void Register()
                 Logger.Debug(ex, "Failed to set TLS security protocol.");
             }
         }
+
+        public static void DisableTls12()
+        {
+            try
+            {
+                var protocol = ServicePointManager.SecurityProtocol;
+                if (protocol.HasFlag(Tls12))
+                {
+                    Logger.Warn("Disabled Tls1.2 due to remote certificate error.");
+
+                    ServicePointManager.SecurityProtocol = protocol & ~Tls12;
+                }
+            }
+            catch (Exception ex)
+            {
+                Logger.Debug(ex, "Failed to disable TLS 1.2 security protocol.");
+            }
+        }
     }
 }

src/NzbDrone.Common/Security/X509CertificateValidationPolicy.cs

@@ -24,6 +24,13 @@ private static bool ShouldByPassValidationError(object sender, X509Certificate c
                 return true;
             }
 
+            var req = sender as HttpWebRequest;
+            var cert2 = certificate as X509Certificate2;
+            if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+            {
+                Logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
+            }
+
             if (sslPolicyErrors == SslPolicyErrors.None)
             {
                 return true;

src/NzbDrone.Host/Bootstrap.cs

@@ -21,8 +21,8 @@ public static void Start(StartupContext startupContext, IUserAlert userAlert, Ac
         {
             try
             {
-                X509CertificateValidationPolicy.Register();
                 SecurityProtocolPolicy.Register();
+                X509CertificateValidationPolicy.Register();
 
                 Logger.Info("Starting Sonarr - {0} - Version {1}", Assembly.GetCallingAssembly().Location, Assembly.GetExecutingAssembly().GetName().Version);
 

src/NzbDrone.Update/UpdateApp.cs

@@ -30,14 +30,14 @@ public static void Main(string[] args)
         {
             try
             {
+                SecurityProtocolPolicy.Register();
+                X509CertificateValidationPolicy.Register();
+
                 var startupArgument = new StartupContext(args);
                 NzbDroneLogger.Register(startupArgument, true, true);
 
                 Logger.Info("Starting Sonarr Update Client");
 
-                X509CertificateValidationPolicy.Register();
-                SecurityProtocolPolicy.Register();
-
                 _container = UpdateContainerBuilder.Build(startupArgument);
 
                 _container.Resolve<UpdateApp>().Start(args);