CipherSuitePolicy implementation

[krwq]

No description provided.

[krwq]

remove

[bartonjs]

I'm not sure what the "remove" is for. If it's the file, OK. If it's the license header, no... it should still be around.

[krwq]

I meant the whole file, initially it was doing a bit more but after couple of iterations it ended up being redundant...

[bartonjs]

This seems like a thing that we might want to change later. If I said, TLS 1.2 or TLS 1.3 and then didn't include any TLS 1.3 ciphersuites then the "TLS 1.2" part of the or still seems to apply, just as if the remote didn't support TLS 1.3, or the TLS 1.3 ciphersuites I did.

That said, if the TLS 1.3 rules are "if both sides support TLS 1.3, but can't agree on a ciphersuite, fail", then maybe this is okay?

Exception now and no-exception-later is the happier path, so this is fine if we can't justify my thought experiment.

[krwq]

@bartonjs actually this happens when user wants TLS1.3 (protocols include it) but user specified ciphersuites in such a way that TLS1.3 cannot happen (none TLS 1.3 ciphersuites included in a policy) - so user contradicted themselves

[bartonjs]

so user contradicted themselves

Yeah, I know. The cases where this would come up seem vanishingly small, but the easy one is trying to build something like SslLabs, where you connect, see what ciphersuite got negotiated, remove it from the allow list, and try again. When the last TLS 1.3 ciphersuite gets removed the next call throws.

The throw just means that we're pushing the knowledge of TLS 1.3 vs prior ciphersuites onto the caller. Which, given we are encouraging people to just use system defaults (after configuring their system, if they don't like the out-of-the-box answer), seems okay for now.

[krwq]

I got mixed feelings for that - if user doesn't want to know about TLS 1.3 they should use None for protocols in which case we won't throw.

Perhaps let's leave as is and perhaps change it when someone complains this is not intuitive?

I don't feel strongly either way - allowing this would simplify a code a bit but feels to me that asking for TLS 1.3 and not passing any ciphers which could allow us to do so is a user bug - for scenarios like SslLabs they will have to understand the cipher suites either way...

[bartonjs]

I'm not sure what the "remove" is for. If it's the file, OK. If it's the license header, no... it should still be around.

[krwq]

finally green on the CI. Left:

• apply remaining feedback
• add tests for AllowedCipherSuites property
• double check tests for covering corner cases
• osx implementation

[krwq]

/azp run

[krwq]

test this please

[krwq]

/azp help

[azure-pipelines]

Supported commands
     help:
          Get descriptions, examples and documentation about supported commands
          Example: help "command_name"
     run:
          Run all pipelines or a specific pipeline for this repository using a comment. Use
          this command by itself to trigger all related pipelines, or specify a pipeline
          to run.
          Example: "run" or "run pipeline_name"

See additional documentation.

[krwq]

/azp run corefx-ci

[krwq]

@safern @dotnet/dnceng how do I get this picked up by CI? this has already been running correctly, then it got green and it doesn't get picked up by CI anymore

[safern]

Maybe it is related to it being a draft PR? Can you try closing and reopening?

[krwq]

/azp run

[krwq]

/azp run

[krwq]

/azp run

[krwq]

@safern probably related, but seems we shouldn't be doing anything special for draft PRs, right? people use them to test stuff on CI, everything else I can do locally without opening any PR