HttpClient on net5 should fallback to TLS1.2 with Windows Insider builds

[zivkan]

Description

I'm on the NuGet team, and several customers (internal and external) have reported problems doing a restore and being unable to connect to api.nuget.org. I created a gist to test using HttpClientHandler with various SslProtocols values: https://gist.github.com/zivkan/5291f507c8c5724d41a18357b7afcd30

Here NuGet's customers reported their results: NuGet/Home#9893 (comment)

We can see that SslProtocols.None, which is supposed to be "use operating system defaults" works on netcoreapp3.1, but fails on net5.0. Therefore it appears that net5.0 is no longer using TLS 1.2 by default.

Configuration

Please see the thread on NuGet/Home: NuGet/Home#9893 (comment)

Regression?

yes, customers report that it works on netcoreapp3.1, but not net5.0.

Other information

Explicitly configuring HttpClientHandler to use SslProtocols.Tls12 works for customers writing their own app, but it doesn't help customers trying to use NuGet when NuGet doesn't attempt to specify SslProtocols at all, leaving the default value.

@terrajobst was the first to report this problem to me, so if you need someone internal to help test/reproduce the problem, he might be able to help.

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[geoffkizer]

@wfurt Do you know what's going on here?

[tebeco]

to be more specific:
People with issue are using Windows Insider Build 20185 (not sure if it impact other build)

The RC1 used was 5.0.100-rc.1.20379.10 (nightly consumed by dotnet/AspNetCore on commit 983e7ed635f4d128edce4191b51869bd7be8aced)

	rc1 net5.0	rc1 netcoreapp3.1	preview7 net5.0	preview7 netcoreapp3.1
None	false	true	true	true
TLS12	true	true	true	true

        private static async Task<bool> TestProtocolAsync(SslProtocols protocol)
        {
            try
            {
                var httpMessageHandler = new HttpClientHandler()
                {
                    SslProtocols = protocol
                };
                var client = new HttpClient(httpMessageHandler);
                var request = new HttpRequestMessage(HttpMethod.Get, "https://api.nuget.org/v3/index.json");
                var response = await client.SendAsync(request);
                return true;
            }
            catch
            {
                return false;
            }
        }

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

[wfurt]

not yet @geoffkizer. I could not reproduce on older Windows version. I'm in process of getting latest insider build.
This works on normal Windows versions AFAIK.

[karelz]

This is likely a regression in Insider builds of Windows. There is new API in Windows that allows us to go to TLS 1.3 -- that API (or our usage of it) stopped working properly on latest Insider builds ... @wfurt is investigating.
cc @blowdart