Fixed: Added fallback and log errors when Tls1.2 clashes with https certificate with obsolete md5 hash.
This commit is contained in:
Taloth Saldono
parent
713e109bc9
commit
816cf608fc
|
|
@ -1,7 +1,9 @@
|
||||||
using System;
|
using System;
|
||||||
using System.Net;
|
using System.Net;
|
||||||
|
using NzbDrone.Common.EnvironmentInfo;
|
||||||
using NzbDrone.Common.Extensions;
|
using NzbDrone.Common.Extensions;
|
||||||
using NzbDrone.Common.Http.Proxy;
|
using NzbDrone.Common.Http.Proxy;
|
||||||
|
using NzbDrone.Common.Security;
|
||||||
|
|
||||||
namespace NzbDrone.Common.Http.Dispatchers
|
namespace NzbDrone.Common.Http.Dispatchers
|
||||||
{
|
{
|
||||||
|
|
@ -60,6 +62,11 @@ namespace NzbDrone.Common.Http.Dispatchers
|
||||||
}
|
}
|
||||||
catch (WebException e)
|
catch (WebException e)
|
||||||
{
|
{
|
||||||
|
if (e.Status == WebExceptionStatus.SecureChannelFailure && OsInfo.IsWindows)
|
||||||
|
{
|
||||||
|
SecurityProtocolPolicy.DisableTls12();
|
||||||
|
}
|
||||||
|
|
||||||
httpWebResponse = (HttpWebResponse)e.Response;
|
httpWebResponse = (HttpWebResponse)e.Response;
|
||||||
|
|
||||||
if (httpWebResponse == null)
|
if (httpWebResponse == null)
|
||||||
|
|
@ -89,7 +96,7 @@ namespace NzbDrone.Common.Http.Dispatchers
|
||||||
webRequest.Proxy = _createManagedWebProxy.GetWebProxy(proxySettings);
|
webRequest.Proxy = _createManagedWebProxy.GetWebProxy(proxySettings);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
protected virtual void AddRequestHeaders(HttpWebRequest webRequest, HttpHeader headers)
|
protected virtual void AddRequestHeaders(HttpWebRequest webRequest, HttpHeader headers)
|
||||||
{
|
{
|
||||||
foreach (var header in headers)
|
foreach (var header in headers)
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,7 @@ namespace NzbDrone.Common.Security
|
||||||
protocol |= Tls11;
|
protocol |= Tls11;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Enabling Tls1.2 invalidates certificates using md5, so we disable Tls12 on the fly if that happens.
|
||||||
if (Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
|
if (Enum.IsDefined(typeof(SecurityProtocolType), Tls12))
|
||||||
{
|
{
|
||||||
protocol |= Tls12;
|
protocol |= Tls12;
|
||||||
|
|
@ -36,5 +37,23 @@ namespace NzbDrone.Common.Security
|
||||||
Logger.Debug(ex, "Failed to set TLS security protocol.");
|
Logger.Debug(ex, "Failed to set TLS security protocol.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static void DisableTls12()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
var protocol = ServicePointManager.SecurityProtocol;
|
||||||
|
if (protocol.HasFlag(Tls12))
|
||||||
|
{
|
||||||
|
Logger.Warn("Disabled Tls1.2 due to remote certificate error.");
|
||||||
|
|
||||||
|
ServicePointManager.SecurityProtocol = protocol & ~Tls12;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (Exception ex)
|
||||||
|
{
|
||||||
|
Logger.Debug(ex, "Failed to disable TLS 1.2 security protocol.");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,13 @@ namespace NzbDrone.Common.Security
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var req = sender as HttpWebRequest;
|
||||||
|
var cert2 = certificate as X509Certificate2;
|
||||||
|
if (cert2 != null && req != null && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
|
||||||
|
{
|
||||||
|
Logger.Error("https://{0} uses the obsolete md5 hash in it's https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.", req.RequestUri.Authority);
|
||||||
|
}
|
||||||
|
|
||||||
if (sslPolicyErrors == SslPolicyErrors.None)
|
if (sslPolicyErrors == SslPolicyErrors.None)
|
||||||
{
|
{
|
||||||
return true;
|
return true;
|
||||||
|
|
@ -34,4 +41,4 @@ namespace NzbDrone.Common.Security
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -21,8 +21,8 @@ namespace NzbDrone.Host
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
X509CertificateValidationPolicy.Register();
|
|
||||||
SecurityProtocolPolicy.Register();
|
SecurityProtocolPolicy.Register();
|
||||||
|
X509CertificateValidationPolicy.Register();
|
||||||
|
|
||||||
Logger.Info("Starting Sonarr - {0} - Version {1}", Assembly.GetCallingAssembly().Location, Assembly.GetExecutingAssembly().GetName().Version);
|
Logger.Info("Starting Sonarr - {0} - Version {1}", Assembly.GetCallingAssembly().Location, Assembly.GetExecutingAssembly().GetName().Version);
|
||||||
|
|
||||||
|
|
@ -144,4 +144,4 @@ namespace NzbDrone.Host
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -30,14 +30,14 @@ namespace NzbDrone.Update
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
SecurityProtocolPolicy.Register();
|
||||||
|
X509CertificateValidationPolicy.Register();
|
||||||
|
|
||||||
var startupArgument = new StartupContext(args);
|
var startupArgument = new StartupContext(args);
|
||||||
NzbDroneLogger.Register(startupArgument, true, true);
|
NzbDroneLogger.Register(startupArgument, true, true);
|
||||||
|
|
||||||
Logger.Info("Starting Sonarr Update Client");
|
Logger.Info("Starting Sonarr Update Client");
|
||||||
|
|
||||||
X509CertificateValidationPolicy.Register();
|
|
||||||
SecurityProtocolPolicy.Register();
|
|
||||||
|
|
||||||
_container = UpdateContainerBuilder.Build(startupArgument);
|
_container = UpdateContainerBuilder.Build(startupArgument);
|
||||||
|
|
||||||
_container.Resolve<UpdateApp>().Start(args);
|
_container.Resolve<UpdateApp>().Start(args);
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue