Merge pull request #255 from MediaPortal/MP1-5195-Set_higher_TLS_secu…

…rity_for_NET_Framework_4 MP1-5195: Set higher TLS security for NET Framework 4
MediaPortal · Jan 19, 2024 · 8d28d2e · 8d28d2e
2 parents 89117ae + ffbdbeb
commit 8d28d2e
Show file tree

Hide file tree

Showing 10 changed files with 118 additions and 9 deletions.
diff --git a/Tools/MediaPortal.DeployTool/Program.cs b/Tools/MediaPortal.DeployTool/Program.cs
@@ -33,7 +33,20 @@ internal static class Program
     private static void Main()
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
+
+      //Set TLS Schannel to higher security
+      Utils.SetHigherNetFramework4TlsSecurity();
+
       if (Utils.CheckStartupPath())
       {
         Application.EnableVisualStyles();

diff --git a/Tools/MediaPortal.DeployTool/Utils.cs b/Tools/MediaPortal.DeployTool/Utils.cs
@@ -955,6 +955,30 @@ public static void FixMediaPortal64RegistryPath(string strName)
       }
     }
 
+    /// <summary>
+    /// Set higher TLS security for NET 4.0 applications by using 'SchUseStrongCrypto' registry key
+    /// </summary>
+    public static void SetHigherNetFramework4TlsSecurity()
+    {
+      //https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
+      //Setting registry keys affects all applications on the system.
+      //A value of 1 causes your app to use strong cryptography.
+      //The strong cryptography uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that aren't secure.
+      //This registry setting affects only client (outgoing) connections in your application.
+
+      const string PATH = @"SOFTWARE\Microsoft\.NETFramework\v4.0.30319";
+      const string KEY_VALUE_NAME = "SchUseStrongCrypto";
+
+      RegistryKey key = Registry.LocalMachine.OpenSubKey(PATH, true);
+      if (key == null)
+        key = Registry.LocalMachine.CreateSubKey(PATH);
+
+      if ((int)key.GetValue(KEY_VALUE_NAME, 0) == 0)
+        key.SetValue(KEY_VALUE_NAME, 1);
+
+      key.Close();
+    }
+
     #endregion
   }
 }
diff --git a/TvEngine3/TVLibrary/SetupTv/Startup.cs b/TvEngine3/TVLibrary/SetupTv/Startup.cs
@@ -102,7 +102,16 @@ public static void Application_ThreadException(object sender, ThreadExceptionEve
     public static void Main(string[] arguments)
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
       // Init Common logger -> this will enable TVPlugin to write in the Mediaportal.log file
       var loggerName = Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]);
       var dataPath = Log.GetPathName();

diff --git a/TvEngine3/TVLibrary/TvService/Service1.cs b/TvEngine3/TVLibrary/TvService/Service1.cs
@@ -127,7 +127,16 @@ private void CurrentDomain_UnhandledException(object sender, UnhandledExceptionE
     private static void Main(string[] args)
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
       // Init Common logger -> this will enable TVPlugin to write in the Mediaportal.log file
       var loggerName = Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]);
       var dataPath = Log.GetPathName();

diff --git a/mediaportal/Configuration/Startup.cs b/mediaportal/Configuration/Startup.cs
@@ -272,7 +272,16 @@ public static void Main(string[] arguments)
       try
       {
         // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+        try
+        {
+          //TLS 1.2 and 1.3
+          ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+        }
+        catch (NotSupportedException)
+        {
+          //TLS 1.2 only
+          ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+        }
         AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(CurrentDomain_AssemblyResolve);
         Application.EnableVisualStyles();
         Application.DoEvents();

diff --git a/mediaportal/Core/Util/HtmlToText.cs b/mediaportal/Core/Util/HtmlToText.cs
@@ -104,7 +104,16 @@ public class HtmlToText
     public static void Main(string[] args)
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
       Thread.CurrentThread.Name = "HtmlToText";
       HttpWebRequest request = (HttpWebRequest)WebRequest.Create(args[0]);
       try

diff --git a/mediaportal/MPE/MpeInstaller/Program.cs b/mediaportal/MPE/MpeInstaller/Program.cs
@@ -33,7 +33,16 @@ internal static class Program
     private static void Main(string[] args)
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
       Application.EnableVisualStyles();
       Application.SetCompatibleTextRenderingDefault(false);
       if (args.Length > 0)

diff --git a/mediaportal/MPE/MpeMaker/Program.cs b/mediaportal/MPE/MpeMaker/Program.cs
@@ -35,7 +35,16 @@ internal static class Program
     private static void Main(string[] args)
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
       Application.EnableVisualStyles();
       Application.SetCompatibleTextRenderingDefault(false);
       if (args.Length > 0)

diff --git a/mediaportal/MediaPortal.Application/MediaPortal.cs b/mediaportal/MediaPortal.Application/MediaPortal.cs
@@ -511,7 +511,16 @@ public static void Main(string[] args)
     //Application.ApplicationExit += new EventHandler(Application_ApplicationExit);
 
     // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-    ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+    try
+    {
+      //TLS 1.2 and 1.3
+      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+    }
+    catch (NotSupportedException)
+    {
+      //TLS 1.2 only
+      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+    }
 
     using (Settings xmlreader = new MPSettings())
     {

diff --git a/mediaportal/PostSetup/MPRecommendations.cs b/mediaportal/PostSetup/MPRecommendations.cs
@@ -256,7 +256,16 @@ private void InitializeComponent()
     private static void Main(string[] args)
     {
       // .NET 4.0: Use TLS v1.2. Many download sources no longer support the older and now insecure TLS v1.0/1.1 and SSL v3.
-      ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      try
+      {
+        //TLS 1.2 and 1.3
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00 | (SecurityProtocolType)0x3000;
+      }
+      catch (NotSupportedException)
+      {
+        //TLS 1.2 only
+        ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xc00;
+      }
       Application.Run(new MPRecommendations(args));
     }