update SSL tests to deal better with disabled protocols

[wfurt]

contributes to #65098
With #64966 I focused on hanging and duration off the run. Since other changes were still in flux I did not get clean test run. This will hopefully produce it on all platforms.

I will keep the issue open as I feel we should do more exploration and perhaps PlatformDetection tweaks but I did not want to keep main with failing tests.

It is also big question to me what would happen if somebody would disable Tls 1.0 and 1.1 on Linux - in way similar to the Azure image configuration.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

contributes to #65098
With #64966 I focused on hanging and duration off the run. Since other changes were still in flux I did not get clean test run. This will hopefully produce it on all platforms.

I will keep the issue open as I feel we should do more exploration and perhaps PlatformDetection tweaks but I did not want to keep main with failing tests.

It is also big question to me what would happen if somebody would disable Tls 1.0 and 1.1 on Linux - in way similar to the Azure image configuration.

Author:	wfurt
Assignees:	wfurt
Labels:	area-System.Net.Security, test enhancement
Milestone:	-

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

test failures are related. Seems like Linux behaves different way, I'll need to make more updates.

[ManickaP]

I don't mind the check, but this shouldn't happen should it? Based on the checks in ProtocolMismatchData. I'm just trying to make sure I understand this.

[wfurt]

There are two parts. The one side is guarded but the other is not. So we would not start server on unsupported version but the client can be anything.

We could possibly change that as well. We have tests where the client part is set of allowed protocols and the test would work as far as any of them is available. It is also somewhat more complicated as the protocol may not be supported by the SSL stack but on this case the server does support but it is disabled in registry. And when it does, some of the call fail with WIn32Exception. There is also some variations I run into on Linux: The protocols may not be disabled explicitly but all the ciphers suites used by it may - as deemed weak. In that case the API calls succeed but then the negotiation fails with protocol mismatch.

Perhaps we should construct this automatically e.g. create disjoined sets from all supported protocols.

[ManickaP]

Does this correlates anyhow with the new check for IsWindows10Version20348OrGreater in s_supportsNullEncryption?
If so, should it be the same check here as well? Or is this unrelated?

[wfurt]

not necessarily. I'm not sure where the expected PlatformNotSupportedException would come from. On windows when the protocol are disabled in registry we get API failure. I mostly disabled this to pass the test so we have time to investigate. My intention is to stabilize the tests but leave #65098 open so we can investigate more.

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[rzikm]

Looks okay, but I suggest small verbosity fixes.

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

/azp run runtime-extra-platforms

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

there is no failure in System.Net.Security. Failures looks like infrastructure or text processing issues.