AllowRenegotiation default is false

The default value of SslServerAuthenticationOptions.AllowRenegotiation has been changed to false.

Previous behavior

In previous versions, client-side renegotiation was allowed by the server by default.

New behavior

Starting in .NET 7, client-side renegotiation must be explicitly enabled on the server side.

Version introduced

.NET 7

Type of breaking change

This change can affect binary compatibility and source compatibility.

Reason for change

Client-side renegotiation is viewed as insecure by the industry. For example, it has been removed from TLS 1.3 entirely. Therefore, we should disable it by default.

If client-side renegotiation is required, set SslServerAuthenticationOptions.AllowRenegotiation to true when initializing the server side of the SslStream.
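The opt-in described above, shown as an added example (not code from the original page). The class name `TlsServer`, the method `AuthenticateAsync`, and the parameters `serverCertificate` and `legacyClientNeedsRenegotiation` are hypothetical; the caller is assumed to supply an accepted `TcpClient` and a certificate with a private key.

```csharp
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

public static class TlsServer
{
    // Hypothetical helper: performs the server side of the TLS handshake on an
    // accepted connection and returns the authenticated stream.
    public static async Task<SslStream> AuthenticateAsync(
        TcpClient client,
        X509Certificate2 serverCertificate,
        bool legacyClientNeedsRenegotiation,
        CancellationToken cancellationToken = default)
    {
        var options = new SslServerAuthenticationOptions
        {
            ServerCertificate = serverCertificate,

            // Set explicitly instead of relying on the default, so the server
            // behaves the same before and after the .NET 7 change.
            // false: client-side renegotiation is not allowed (the .NET 7 default).
            // true:  client-side renegotiation is allowed, as in previous versions.
            //        It is absent from TLS 1.3, so only older protocol versions
            //        are affected by this opt-in.
            AllowRenegotiation = legacyClientNeedsRenegotiation,
        };

        var stream = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        try
        {
            await stream.AuthenticateAsServerAsync(options, cancellationToken);
            return stream;
        }
        catch
        {
            // Handshake failed: release the stream and the underlying socket.
            await stream.DisposeAsync();
            throw;
        }
    }
}
```

Passing the flag per listener or per endpoint keeps the opt-in limited to the clients that actually need renegotiation, rather than enabling it for every connection the process accepts.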

Affected APIs