From 7437a642e966880685f329bae406f35871afdedb Mon Sep 17 00:00:00 2001
From: Stephen Halter
Date: Mon, 1 Jun 2020 15:44:36 -0700
Subject: [PATCH 1/3] Use default SslProtocols in Kestrel
---
 src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
index 92e80cc8d098..d801316b5f9c 100644
--- a/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
+++ b/src/Servers/Kestrel/Core/src/HttpsConnectionAdapterOptions.cs
@@ -24,7 +24,6 @@ public class HttpsConnectionAdapterOptions
 public HttpsConnectionAdapterOptions()
 {
 ClientCertificateMode = ClientCertificateMode.NoCertificate;
- SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
 HandshakeTimeout = TimeSpan.FromSeconds(10);
 }
@@ -61,7 +60,8 @@ public HttpsConnectionAdapterOptions()
 public Func ClientCertificateValidation { get; set; }
 ///
- /// Specifies allowable SSL protocols. Defaults to and .
+ /// Specifies allowable SSL protocols. Defaults to which allows the operating system to choose the best protocol to use,
+ /// and to block protocols that are not secure. Unless your app has a specific reason not to, you should use this default.
 ///
 public SslProtocols SslProtocols { get; set; }
From 9f060803edf63b44d482952813b6b5d055add6c7 Mon Sep 17 00:00:00 2001
From: Stephen Halter
Date: Mon, 1 Jun 2020 15:55:34 -0700
Subject: [PATCH 2/3] Fix tests
---
 .../HttpsConnectionMiddlewareTests.cs | 3 ++-
 .../Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs | 5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
index 43e557734e87..b32d151a9902 100644
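Review bot: With the assignment removed, the constructor leaves `SslProtocols` at the enum's zero value, so the default the doc comment describes is now implicit rather than visible where the other defaults (`ClientCertificateMode`, `HandshakeTimeout`) are set; I'd keep the intent explicit with `SslProtocols = SslProtocols.None;`. That also makes the behaviour change reviewable on its own: the old value pinned TLS 1.1/1.2 regardless of host, whereas `None` defers the minimum version to the operating system's TLS policy. A short why-comment on that line, `// None = defer protocol selection to the OS policy rather than pinning versions here`, would record why the explicit list was dropped.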
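Review bot: The new summary says the default blocks protocols that are not secure, but with `SslProtocols.None` that decision is made by the operating system's TLS configuration, not by Kestrel, and on hosts whose policy still enables TLS 1.0/1.1 the default presumably permits them; the second patch's tests have to set `Tls12 | Tls11` explicitly to get a guaranteed TLS 1.0 rejection, which illustrates the difference. I'd qualify the sentence so operators do not read it as a Kestrel-enforced minimum, e.g. `/// Which protocols the default permits is determined by the operating system's TLS policy; set this property explicitly to enforce a minimum version independent of host configuration.`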
--- a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
+++ b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
@@ -362,12 +362,13 @@ void ConfigureListenOptions(ListenOptions listenOptions)
 }
 [Fact]
- public async Task DoesNotSupportTls10()
+ public async Task Tls10CanBeDisabled()
 {
 void ConfigureListenOptions(ListenOptions listenOptions)
 {
 listenOptions.UseHttps(options =>
 {
+ options.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
 options.ServerCertificate = _x509Certificate2;
 options.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
 options.AllowAnyClientCertificate();
diff --git a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
index 17b5cae1e16a..f587f0956d63 100644
--- a/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
+++ b/src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsTests.cs
@@ -366,7 +366,10 @@ public async Task ClientAttemptingToUseUnsupportedProtocolIsLoggedAsDebug()
 new TestServiceContext(LoggerFactory),
 listenOptions =>
 {
- listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"));
+ listenOptions.UseHttps(TestResources.GetTestCertificate("no_extensions.pfx"), httpsOptions => {
+ httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11;
+ });
 }))
 {
 using (var connection = server.CreateConnection())
From a15e233cf164fb67fee5acf22dfbe12ca5c537ac Mon Sep 17 00:00:00 2001
From: Stephen Halter
Date: Wed, 3 Jun 2020 19:27:04 -0700
Subject: [PATCH 3/3] Log "SslProtocol" after successful handshake
---
 src/Servers/Kestrel/Core/src/CoreStrings.resx | 3 +++
 .../Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/src/Servers/Kestrel/Core/src/CoreStrings.resx b/src/Servers/Kestrel/Core/src/CoreStrings.resx
index 1d270be8ee2d..7f9e97c266d9 100644
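Review bot: Pinning `SslProtocols.Tls12 | SslProtocols.Tls11` here (and in the `HttpsTests.cs` hunk below) keeps the TLS 1.0 rejection tests meaningful, but it also means no test now exercises the new default path, so a regression in what `SslProtocols.None` negotiates would go unnoticed. Consider a companion test that leaves the property unset and asserts a handshake with a current client succeeds with a negotiated protocol of at least TLS 1.2, hedged per platform since the outcome depends on the host's TLS policy. A one-line comment above the new assignment, `// Explicit list: the default (SslProtocols.None) defers to OS policy, which may still accept TLS 1.0.`, would tell the next reader why the test no longer relies on the default. The test method body continues beyond the hunk.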
--- a/src/Servers/Kestrel/Core/src/CoreStrings.resx
+++ b/src/Servers/Kestrel/Core/src/CoreStrings.resx
@@ -602,4 +602,7 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l
 A value greater than or equal to zero is required.
+
+ Connection "{connectionId}" established using the following protocol: {protocol}
+
\ No newline at end of file
diff --git a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
index eef77ef82389..473579f2103a 100644
--- a/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
+++ b/src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
@@ -252,6 +252,8 @@ public async Task OnConnectionAsync(ConnectionContext context)
 KestrelEventSource.Log.TlsHandshakeStop(context, feature);
+ _logger.LogDebug(3, CoreStrings.HttpsConnectionEstablished, context.ConnectionId, sslStream.SslProtocol);
+
 var originalTransport = context.Transport;
 try
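Review bot: The event id `3` on the new `LogDebug` call is a bare literal; assuming the other log calls in this middleware use their own ids, it should be checked against them and given a name (a constant, or a logger extension method if this file follows that pattern) so the id is not reused later. From an operations view the negotiated protocol is worth recording, and the same event could also carry `sslStream.NegotiatedCipherSuite`, which lets a defender spot legacy clients and weak suites from one Debug line, e.g. `_logger.LogDebug(3, CoreStrings.HttpsConnectionEstablished, context.ConnectionId, sslStream.SslProtocol, sslStream.NegotiatedCipherSuite);` with a matching `{cipherSuite}` placeholder added to the resource string. At Debug level this is off in most production configurations, which is consistent with the `...IsLoggedAsDebug` test but means the signal has to be enabled deliberately. `OnConnectionAsync` continues outside the hunk.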