Force-allow TLS 1.2 on .NET 4.5

[HebaruSan]

Background

• GitHub has sunsetted TLS 1/1.1 as of today. They gave us one year's warning, but apparently we missed it or didn't realize it applied to us (or assumed that .NET would handle it properly for us). This means the only way to access an HTTPS URL on GitHub is now via TLS 1.2.
• .NET 4.5 can support TLS 1.2, but it is not enabled by default. .NET 4.6 enables it by default.
• CKAN targets .NET 4.5. Even if you have a later version installed, the behavior of the .NET components will mimic .NET 4.5.

Problem

Released versions of CKAN can't access GitHub HTTPS URLs anymore. They cause TLS errors.

CKAN uses GitHub HTTPS URLs not just for mod downloads, but also for registry updates and application self-auto-updates. So you can't even refresh the registry or update CKAN itself.

Workaround

You can force .NET 4.5 to allow only TLS 1.2 by setting a registry key. This allows current versions of CKAN to work:

• Auto-update and other GitHub connections not working #2293 (comment)

However, this affects all applications rather than just CKAN, which might cause problems if any of them need TLS 1/1.1 to operate. Caution is advised.

Until we release a new version, this is the only option for getting CKAN to work.

Considered but not done

One way to fix this would be to change TargetFrameworkVersion in our csproj files from v4.5 to v4.6. We probably don't want to do this because some fraction of people might still be running the old framework and would see errors. If you think this is the better solution, please say so below.

Changes

Now we add SecurityProtocolTypes.Tls12 to System.Net.ServicePointManager.SecurityProtocol at startup via an OR-equals |= operator. This enables TLS 1.2 while ensuring that no other supported protocols are disabled.

Credit to @TruePikachu for proposing this solution.

Fixes #2293.

[HebaruSan]

Hmm, we're compiling against some Mono versions that don't have SecurityProtocolTypes.Tls12. But how does that square with our TargetFrameworkVersion of v4.5, which should have it?

[politas]

Sounds like we need to move to Mono 5.0 and above,We'll be screwing over Debian users again, since even the current Unstable branch (Sid) only has Mono 4.6. If this is the only way to get us working with GitHub again, though...

[sundhaug92]

Since this is likely to cause headache for users, should an emergency release be considered?

[politas]

https://github.com/KSP-CKAN/CKAN/releases/latest

[sundhaug92]

ty @politas

[Ruedii]

This is causing serious problems on Ubuntu. You need to use some sort of case on this line so it only enables it on platforms that need it.

One option is to check for the existence of the function object node in question and only execute the routine if that node exists. I'm not quite sure how to do that in C#, but this is how I would approach the problem in a shell script, JavaScript/ECMA script or python script.

[HebaruSan]

@Ruedii, the way to report problems is to create an issue, not post random vague comments on old closed pull requests.

[Ruedii]

@HebaruSan Sorry, I replied on the thread it belongs in (your thread on the identical Arch Linux issue.)

Next time could you try to be a little more gentle with your correction. I know you almost missed my comment, and hence I understand, but I initially took offense until I realized you were trying to be constructive.

Also, upon further examination of the situation (and what platforms .Net 4.6 is available on) the better option is to remove this patch entirely and just require .Net 4.6 where TLS 1.2 is enabled by default.

This should hopefully have no adverse effects, and won't require any detection or force-enabling.

Hence I'd like to formally request this pull be undone and replaced with simply building for .Net 4.6