Add initial support for TLS 1.3 to .NET Core

bartonjs · web-flow · commit d30157d9e48c · 2018-11-12T17:49:05.000-08:00
* TLS 1.3 connections have been tested on Ubuntu 18.10 (OpenSSL 1.1.1).
* There's no public version of Windows with TLS 1.3 enabled.
* There's no public version of macOS with TLS 1.3 enabled out of the box.

When making use of SslProtocols.None (system default) TLS 1.3 is already working on Ubuntu 18.10, this change mainly makes it so that EncryptionPolicy.None is better handled, and that we can restrict-to and report TLS 1.3.
diff --git a/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.Easy.cs b/src/Common/src/Interop/Unix/System.Net.Http.Native/Interop.Easy.cs
@@ -166,6 +166,7 @@ internal enum CurlSslVersion
             CURL_SSLVERSION_TLSv1_0 = 4, /* TLS 1.0 */
             CURL_SSLVERSION_TLSv1_1 = 5, /* TLS 1.1 */
             CURL_SSLVERSION_TLSv1_2 = 6, /* TLS 1.2 */
+            CURL_SSLVERSION_TLSv1_3 = 7, /* TLS 1.3 */
         };
 
         // Enum for constants defined for the enum CURLINFO in curl.h
diff --git a/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs b/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSsl.cs
@@ -64,6 +64,27 @@ internal static SafeSslHandle AllocateSslContext(SslProtocols protocols, SafeX50
                     throw CreateSslException(SR.net_allocate_ssl_context_failed);
                 }
 
+                // TLS 1.3 uses different ciphersuite restrictions than previous versions.
+                // It has no equivalent to a NoEncryption option.
+                if (policy == EncryptionPolicy.NoEncryption)
+                {
+                    if (protocols == SslProtocols.None)
+                    {
+                        protocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+                    }
+                    else
+                    {
+                        protocols &= ~SslProtocols.Tls13;
+
+                        if (protocols == SslProtocols.None)
+                        {
+                            throw new SslException(
+                                SR.Format(SR.net_ssl_encryptionpolicy_notsupported, policy));
+                        }
+                    }
+                }
+
+
                 // Configure allowed protocols. It's ok to use DangerousGetHandle here without AddRef/Release as we just
                 // create the handle, it's rooted by the using, no one else has a reference to it, etc.
                 Ssl.SetProtocolOptions(innerContext.DangerousGetHandle(), protocols);
diff --git a/src/Common/src/Interop/Windows/SChannel/Interop.SchProtocols.cs b/src/Common/src/Interop/Windows/SChannel/Interop.SchProtocols.cs
@@ -29,10 +29,14 @@ internal static partial class SChannel
         public const int SP_PROT_TLS1_2_CLIENT = 0x00000800;
         public const int SP_PROT_TLS1_2 = (SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT);
 
+        public const int SP_PROT_TLS1_3_SERVER = 0x00001000;
+        public const int SP_PROT_TLS1_3_CLIENT = 0x00002000;
+        public const int SP_PROT_TLS1_3 = (SP_PROT_TLS1_3_SERVER | SP_PROT_TLS1_3_CLIENT);
+
         public const int SP_PROT_NONE = 0;
 
         // These two constants are not taken from schannel.h. 
-        public const int ClientProtocolMask = (SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT);
-        public const int ServerProtocolMask = (SP_PROT_SSL2_SERVER | SP_PROT_SSL3_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_2_SERVER);
+        public const int ClientProtocolMask = (SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_3_CLIENT);
+        public const int ServerProtocolMask = (SP_PROT_SSL2_SERVER | SP_PROT_SSL3_SERVER | SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_3_SERVER);
     }
 }
diff --git a/src/Common/src/System/Net/SecurityProtocol.cs b/src/Common/src/System/Net/SecurityProtocol.cs
@@ -8,7 +8,11 @@ namespace System.Net
 {
     internal static class SecurityProtocol
     {
-        public const SslProtocols DefaultSecurityProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+        public const SslProtocols DefaultSecurityProtocols =
+#if !netstandard && !netfx
+            SslProtocols.Tls13 |
+#endif
+            SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
 
         public const SslProtocols SystemDefaultSecurityProtocols = SslProtocols.None;
     }
diff --git a/src/Common/tests/System/Net/Http/LoopbackServer.cs b/src/Common/tests/System/Net/Http/LoopbackServer.cs
@@ -350,7 +350,11 @@ public class Options
             public IPAddress Address { get; set; } = IPAddress.Loopback;
             public int ListenBacklog { get; set; } = 1;
             public bool UseSsl { get; set; } = false;
-            public SslProtocols SslProtocols { get; set; } = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+            public SslProtocols SslProtocols { get; set; } =
+#if !netstandard
+                SslProtocols.Tls13 |
+#endif
+                SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
             public bool WebSocketEndpoint { get; set; } = false;
             public Func<Stream, Stream> StreamWrapper { get; set; }
             public string Username { get; set; }
diff --git a/src/Common/tests/System/Net/SslProtocolSupport.cs b/src/Common/tests/System/Net/SslProtocolSupport.cs
@@ -11,7 +11,11 @@ namespace System.Net.Test.Common
 {
     public class SslProtocolSupport
     {
-        public const SslProtocols DefaultSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
+        public const SslProtocols DefaultSslProtocols =
+#if !netstandard
+            SslProtocols.Tls13 |
+#endif
+            SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
 
         public static SslProtocols SupportedSslProtocols
         {
@@ -26,6 +30,13 @@ public static SslProtocols SupportedSslProtocols
                     supported |= SslProtocols.Ssl3;
                 }
 #pragma warning restore 0618
+#if !netstandard
+                // TLS 1.3 is new
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux) && PlatformDetection.OpenSslVersion >= new Version(1, 1, 1))
+                {
+                    supported |= SslProtocols.Tls13;
+                }
+#endif
                 return supported;
             }
         }
diff --git a/src/CoreFx.Private.TestUtilities/ref/CoreFx.Private.TestUtilities.cs b/src/CoreFx.Private.TestUtilities/ref/CoreFx.Private.TestUtilities.cs
@@ -102,6 +102,7 @@ public static partial class PlatformDetection
         public static bool IsUbuntu1710 { get { throw null; } }
         public static bool IsUbuntu1710OrHigher { get { throw null; } }
         public static bool IsUbuntu1804 { get { throw null; } }
+        public static bool IsUbuntu1810OrHigher { get { throw null; } }
         public static bool IsWindows { get { throw null; } }
         public static bool IsWindows10Version1607OrGreater { get { throw null; } } // >= Windows 10 Anniversary Update
         public static bool IsWindows10Version1703OrGreater { get { throw null; } } // >= Windows 10 Creators Update
diff --git a/src/CoreFx.Private.TestUtilities/src/System/PlatformDetection.Unix.cs b/src/CoreFx.Private.TestUtilities/src/System/PlatformDetection.Unix.cs
@@ -38,6 +38,7 @@ public static partial class PlatformDetection
         public static bool IsUbuntu1710 => IsDistroAndVersion("ubuntu", 17, 10);
         public static bool IsUbuntu1710OrHigher => IsDistroAndVersionOrHigher("ubuntu", 17, 10);
         public static bool IsUbuntu1804 => IsDistroAndVersion("ubuntu", 18, 04);
+        public static bool IsUbuntu1810OrHigher => IsDistroAndVersionOrHigher("ubuntu", 18, 10);
         public static bool IsTizen => IsDistroAndVersion("tizen");
         public static bool IsFedora => IsDistroAndVersion("fedora");
         public static bool IsWindowsNanoServer => false;
@@ -213,10 +214,10 @@ private static bool VersionEquivalentToOrHigher(int major, int minor, int build,
             return
                 VersionEquivalentTo(major, minor, build, revision, actualVersionId) ||
                     (actualVersionId.Major > major ||
-                        (actualVersionId.Major == major && actualVersionId.Minor > minor ||
-                            (actualVersionId.Minor == minor && actualVersionId.Build > build ||
-                                (actualVersionId.Build == build && actualVersionId.Revision > revision ||
-                                    (actualVersionId.Revision == revision)))));
+                        (actualVersionId.Major == major && (actualVersionId.Minor > minor ||
+                            (actualVersionId.Minor == minor && (actualVersionId.Build > build ||
+                                (actualVersionId.Build == build && (actualVersionId.Revision > revision ||
+                                    (actualVersionId.Revision == revision))))))));
         }
 
         private static Version GetOSXProductVersion()
diff --git a/src/CoreFx.Private.TestUtilities/src/System/PlatformDetection.Windows.cs b/src/CoreFx.Private.TestUtilities/src/System/PlatformDetection.Windows.cs
@@ -29,6 +29,7 @@ public static partial class PlatformDetection
         public static bool IsUbuntu1710 => false;
         public static bool IsUbuntu1710OrHigher => false;
         public static bool IsUbuntu1804 => false;
+        public static bool IsUbuntu1810OrHigher => false;
         public static bool IsTizen => false;
         public static bool IsNotFedoraOrRedHatFamily => true;
         public static bool IsFedora => false;
diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.c
@@ -5,6 +5,9 @@
 #include "pal_ssl.h"
 #include <dlfcn.h>
 
+// TLS 1.3 is only defined with 10.13 headers, but we build on 10.12
+#define kTLSProtocol13_ForwardDef 10
+
 // 10.13.4 introduced public API but linking would fail on all prior versions.
 // For that reason we use function pointers instead of direct call.
 // This can be revisited after we drop support for 10.12.
@@ -31,6 +34,8 @@ static SSLProtocol PalSslProtocolToSslProtocol(PAL_SslProtocol palProtocolId)
 {
     switch (palProtocolId)
     {
+        case PAL_SslProtocol_Tls13:
+            return kTLSProtocol13_ForwardDef;
         case PAL_SslProtocol_Tls12:
             return kTLSProtocol12;
         case PAL_SslProtocol_Tls11:
@@ -419,7 +424,9 @@ int32_t AppleCryptoNative_SslGetProtocolVersion(SSLContextRef sslContext, PAL_Ss
     {
         PAL_SslProtocol matchedProtocol = PAL_SslProtocol_None;
 
-        if (protocol == kTLSProtocol12)
+        if (protocol == kTLSProtocol13_ForwardDef)
+            matchedProtocol = PAL_SslProtocol_Tls13;
+        else if (protocol == kTLSProtocol12)
             matchedProtocol = PAL_SslProtocol_Tls12;
         else if (protocol == kTLSProtocol11)
             matchedProtocol = PAL_SslProtocol_Tls11;
diff --git a/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.h b/src/Native/Unix/System.Security.Cryptography.Native.Apple/pal_ssl.h
@@ -35,6 +35,7 @@ enum
     PAL_SslProtocol_Tls10 = 192,
     PAL_SslProtocol_Tls11 = 768,
     PAL_SslProtocol_Tls12 = 3072,
+    PAL_SslProtocol_Tls13 = 12288,
 };
 typedef int32_t PAL_SslProtocol;
 
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.c b/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.c
@@ -147,7 +147,10 @@ void CryptoNative_SetProtocolOptions(SSL_CTX* ctx, SslProtocols protocols)
 #ifndef SSL_OP_NO_TLSv1_3
 #define SSL_OP_NO_TLSv1_3 0x20000000U
 #endif
-    protocolOptions |= SSL_OP_NO_TLSv1_3;
+    if ((protocols & PAL_SSL_TLS13) != PAL_SSL_TLS13)
+    {
+        protocolOptions |= SSL_OP_NO_TLSv1_3;
+    }
 
     // OpenSSL 1.0 calls this long, OpenSSL 1.1 calls it unsigned long.
 #pragma clang diagnostic push
diff --git a/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.h b/src/Native/Unix/System.Security.Cryptography.Native/pal_ssl.h
@@ -16,7 +16,8 @@ typedef enum
     PAL_SSL_SSL3 = 48,
     PAL_SSL_TLS = 192,
     PAL_SSL_TLS11 = 768,
-    PAL_SSL_TLS12 = 3072
+    PAL_SSL_TLS12 = 3072,
+    PAL_SSL_TLS13 = 12288,
 } SslProtocols;
 
 /*
diff --git a/src/System.Net.Http.WinHttpHandler/src/System.Net.Http.WinHttpHandler.csproj b/src/System.Net.Http.WinHttpHandler/src/System.Net.Http.WinHttpHandler.csproj
@@ -11,6 +11,9 @@
     <ILLinkClearInitLocals>true</ILLinkClearInitLocals>
     <Configurations>net461-Windows_NT-Debug;net461-Windows_NT-Release;netfx-Windows_NT-Debug;netfx-Windows_NT-Release;netstandard-Debug;netstandard-Release;netstandard-Windows_NT-Debug;netstandard-Windows_NT-Release</Configurations>
   </PropertyGroup>
+  <PropertyGroup Condition="'$(TargetGroup)' == 'net461'">
+    <DefineConstants>$(DefineConstants);netfx</DefineConstants>
+  </PropertyGroup>
   <Import Project="System.Net.Http.WinHttpHandler.msbuild" Condition="'$(TargetsWindows)' == 'true'" />
   <ItemGroup Condition="'$(TargetGroup)' == 'net46' OR '$(TargetGroup)' == 'net461'">
     <!-- Need to compile it here since the NET46 target here is building against System.Runtime whereas the
@@ -61,4 +64,4 @@
     <Reference Include="System.Threading" />
     <Reference Include="System.Threading.Tasks" />
   </ItemGroup>
-</Project>
+</Project>
diff --git a/src/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs b/src/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
@@ -979,6 +979,17 @@ private void SetSessionHandleTlsOptions(SafeWinHttpHandle sessionHandle)
                 optionData |= Interop.WinHttp.WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
             }
 
+            // As of Win10RS5 there's no public constant for WinHTTP + TLS 1.3
+            // This library builds against netstandard, which doesn't define the Tls13 enum field.
+
+            // If only unknown values (e.g. TLS 1.3) were asked for, report ERROR_INVALID_PARAMETER.
+            if (optionData == 0)
+            {
+                throw WinHttpException.CreateExceptionUsingError(
+                    unchecked((int)Interop.WinHttp.ERROR_INVALID_PARAMETER),
+                    nameof(SetSessionHandleTlsOptions));
+            }
+
             SetWinHttpOption(sessionHandle, Interop.WinHttp.WINHTTP_OPTION_SECURE_PROTOCOLS, ref optionData);
         }
 
diff --git a/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs b/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs
@@ -233,8 +233,12 @@ private static void SetSslOptionsForUnsupportedBackend(EasyRequest easy, ClientC
                     case SslProtocols.Tls12:
                         curlSslVersion = Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1_2;
                         break;
+                    case SslProtocols.Tls13:
+                        curlSslVersion = Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1_3;
+                        break;
 
                     case SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12:
+                    case SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13:
                         curlSslVersion = Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1;
                         break;
 
diff --git a/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.OSX.cs b/src/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.OSX.cs
@@ -125,8 +125,12 @@ private static void SetSslVersion(EasyRequest easy)
                     case SslProtocols.Tls12:
                         curlSslVersion = Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1_2;
                         break;
+                    case SslProtocols.Tls13:
+                        curlSslVersion = Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1_3;
+                        break;
 
                     case SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12:
+                    case SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13:
                         curlSslVersion = Interop.Http.CurlSslVersion.CURL_SSLVERSION_TLSv1;
                         break;
 
diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.AcceptAllCerts.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.AcceptAllCerts.cs
@@ -29,6 +29,8 @@ public void SingletonReturnsTrue()
         [InlineData(SslProtocols.Tls, true)]
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
         [InlineData(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
+        [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, false)]
+        [InlineData(SslProtocols.Tls13 | SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, true)]
         [InlineData(SslProtocols.None, false)]
         [InlineData(SslProtocols.None, true)]
         public async Task SetDelegate_ConnectionSucceeds(SslProtocols acceptedProtocol, bool requestOnlyThisProtocol)
diff --git a/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.SslProtocols.cs b/src/System.Net.Http/tests/FunctionalTests/HttpClientHandlerTest.SslProtocols.cs
@@ -37,6 +37,13 @@ public void DefaultProtocols_MatchesExpected()
         [InlineData(SslProtocols.Tls11 | SslProtocols.Tls12)]
         [InlineData(SslProtocols.Tls | SslProtocols.Tls12)]
         [InlineData(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12)]
+#if !netstandard
+        [InlineData(SslProtocols.Tls13)]
+        [InlineData(SslProtocols.Tls11 | SslProtocols.Tls13)]
+        [InlineData(SslProtocols.Tls12 | SslProtocols.Tls13)]
+        [InlineData(SslProtocols.Tls | SslProtocols.Tls13)]
+        [InlineData(SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13)]
+#endif
         public void SetGetProtocols_Roundtrips(SslProtocols protocols)
         {
             using (HttpClientHandler handler = CreateHttpClientHandler())
@@ -97,6 +104,14 @@ public static IEnumerable<object[]> GetAsync_AllowedSSLVersion_Succeeds_MemberDa
                 yield return new object[] { SslProtocols.Ssl2, true };
             }
 #pragma warning restore 0618
+#if !netstandard
+            // These protocols are new, and might not be enabled everywhere yet
+            if (PlatformDetection.IsUbuntu1810OrHigher)
+            {
+                yield return new object[] { SslProtocols.Tls13, false };
+                yield return new object[] { SslProtocols.Tls13, true };
+            }
+#endif
         }
 
         [Theory]
diff --git a/src/System.Net.Primitives/ref/System.Net.Primitives.cs b/src/System.Net.Primitives/ref/System.Net.Primitives.cs
@@ -508,6 +508,7 @@ public enum SslProtocols
         Tls = 192,
         Tls11 = 768,
         Tls12 = 3072,
+        Tls13 = 12288,
         [Obsolete("This value has been deprecated.  It is no longer supported. https://go.microsoft.com/fwlink/?linkid=14202")]
         Default = Ssl3 | Tls
     }
diff --git a/src/System.Net.Primitives/src/System/Net/SecureProtocols/SslEnumTypes.cs b/src/System.Net.Primitives/src/System/Net/SecureProtocols/SslEnumTypes.cs
@@ -16,6 +16,7 @@ public enum SslProtocols
         Tls = Interop.SChannel.SP_PROT_TLS1_0,
         Tls11 = Interop.SChannel.SP_PROT_TLS1_1,
         Tls12 = Interop.SChannel.SP_PROT_TLS1_2,
+        Tls13 = Interop.SChannel.SP_PROT_TLS1_3,
         Default = Ssl3 | Tls
     }
 
diff --git a/src/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Unix.cs b/src/System.Net.Security/src/System/Net/Security/SslConnectionInfo.Unix.cs
@@ -59,6 +59,8 @@ private SslProtocols MapProtocolVersion(string protocolVersion)
                     return SslProtocols.Tls11;
                 case "TLSv1.2":
                     return SslProtocols.Tls12;
+                case "TLSv1.3":
+                    return SslProtocols.Tls13;
                 default:
                     return SslProtocols.None;
             }
diff --git a/src/System.Net.Security/src/System/Net/Security/SslState.cs b/src/System.Net.Security/src/System/Net/Security/SslState.cs
@@ -376,6 +376,11 @@ internal SslProtocols SslProtocol
                     ret |= SslProtocols.Tls12;
                 }
 
+                if ((proto & SslProtocols.Tls13) != 0)
+                {
+                    ret |= SslProtocols.Tls13;
+                }
+
                 return ret;
             }
         }
diff --git a/src/System.Net.ServicePoint/ref/System.Net.ServicePoint.cs b/src/System.Net.ServicePoint/ref/System.Net.ServicePoint.cs
@@ -62,5 +62,6 @@ public enum SecurityProtocolType
         Tls = System.Security.Authentication.SslProtocols.Tls,
         Tls11 = System.Security.Authentication.SslProtocols.Tls11,
         Tls12 = System.Security.Authentication.SslProtocols.Tls12,
+        Tls13 = System.Security.Authentication.SslProtocols.Tls13,
     }
 }
diff --git a/src/System.Net.ServicePoint/src/System/Net/SecurityProtocolType.cs b/src/System.Net.ServicePoint/src/System/Net/SecurityProtocolType.cs
@@ -16,5 +16,6 @@ public enum SecurityProtocolType
         Tls = SslProtocols.Tls,
         Tls11 = SslProtocols.Tls11,
         Tls12 = SslProtocols.Tls12,
+        Tls13 = SslProtocols.Tls13,
     }
 }
diff --git a/src/System.Net.ServicePoint/src/System/Net/ServicePointManager.cs b/src/System.Net.ServicePoint/src/System/Net/ServicePointManager.cs
@@ -36,7 +36,7 @@ public static SecurityProtocolType SecurityProtocol
 
         private static void ValidateSecurityProtocol(SecurityProtocolType value)
         {
-            SecurityProtocolType allowed = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
+            SecurityProtocolType allowed = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;
             if ((value & ~allowed) != 0)
             {
                 throw new NotSupportedException(SR.net_securityprotocolnotsupported);

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,11 @@ namespace System.Net`
`8`	`8`	`{`
`9`	`9`	`internal static class SecurityProtocol`
`10`	`10`	`{`
`11`		`- public const SslProtocols DefaultSecurityProtocols = SslProtocols.Tls \| SslProtocols.Tls11 \| SslProtocols.Tls12;`
	`11`	`+ public const SslProtocols DefaultSecurityProtocols =`
	`12`	`+#if !netstandard && !netfx`
	`13`	`+ SslProtocols.Tls13 \|`
	`14`	`+#endif`
	`15`	`+ SslProtocols.Tls \| SslProtocols.Tls11 \| SslProtocols.Tls12;`
`12`	`16`
`13`	`17`	`public const SslProtocols SystemDefaultSecurityProtocols = SslProtocols.None;`
`14`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,11 @@ namespace System.Net.Test.Common`
`11`	`11`	`{`
`12`	`12`	`public class SslProtocolSupport`
`13`	`13`	`{`
`14`		`- public const SslProtocols DefaultSslProtocols = SslProtocols.Tls12 \| SslProtocols.Tls11 \| SslProtocols.Tls;`
	`14`	`+ public const SslProtocols DefaultSslProtocols =`
	`15`	`+#if !netstandard`
	`16`	`+ SslProtocols.Tls13 \|`
	`17`	`+#endif`
	`18`	`+ SslProtocols.Tls12 \| SslProtocols.Tls11 \| SslProtocols.Tls;`
`15`	`19`
`16`	`20`	`public static SslProtocols SupportedSslProtocols`
`17`	`21`	`{`
`@@ -26,6 +30,13 @@ public static SslProtocols SupportedSslProtocols`
`26`	`30`	`supported \|= SslProtocols.Ssl3;`
`27`	`31`	`}`
`28`	`32`	`#pragma warning restore 0618`
	`33`	`+#if !netstandard`
	`34`	`+ // TLS 1.3 is new`
	`35`	`+ if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux) && PlatformDetection.OpenSslVersion >= new Version(1, 1, 1))`
	`36`	`+ {`
	`37`	`+ supported \|= SslProtocols.Tls13;`
	`38`	`+ }`
	`39`	`+#endif`
`29`	`40`	`return supported;`
`30`	`41`	`}`
`31`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -508,6 +508,7 @@ public enum SslProtocols`
`508`	`508`	`Tls = 192,`
`509`	`509`	`Tls11 = 768,`
`510`	`510`	`Tls12 = 3072,`
	`511`	`+ Tls13 = 12288,`
`511`	`512`	`[Obsolete("This value has been deprecated. It is no longer supported. https://go.microsoft.com/fwlink/?linkid=14202")]`
`512`	`513`	`Default = Ssl3 \| Tls`
`513`	`514`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ public enum SslProtocols`
`16`	`16`	`Tls = Interop.SChannel.SP_PROT_TLS1_0,`
`17`	`17`	`Tls11 = Interop.SChannel.SP_PROT_TLS1_1,`
`18`	`18`	`Tls12 = Interop.SChannel.SP_PROT_TLS1_2,`
	`19`	`+ Tls13 = Interop.SChannel.SP_PROT_TLS1_3,`
`19`	`20`	`Default = Ssl3 \| Tls`
`20`	`21`	`}`
`21`	`22`
Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,8 @@ private SslProtocols MapProtocolVersion(string protocolVersion)`
`59`	`59`	`return SslProtocols.Tls11;`
`60`	`60`	`case "TLSv1.2":`
`61`	`61`	`return SslProtocols.Tls12;`
	`62`	`+ case "TLSv1.3":`
	`63`	`+ return SslProtocols.Tls13;`
`62`	`64`	`default:`
`63`	`65`	`return SslProtocols.None;`
`64`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -376,6 +376,11 @@ internal SslProtocols SslProtocol`
`376`	`376`	`ret \|= SslProtocols.Tls12;`
`377`	`377`	`}`
`378`	`378`
	`379`	`+ if ((proto & SslProtocols.Tls13) != 0)`
	`380`	`+ {`
	`381`	`+ ret \|= SslProtocols.Tls13;`
	`382`	`+ }`
	`383`	`+`
`379`	`384`	`return ret;`
`380`	`385`	`}`
`381`	`386`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,5 +62,6 @@ public enum SecurityProtocolType`
`62`	`62`	`Tls = System.Security.Authentication.SslProtocols.Tls,`
`63`	`63`	`Tls11 = System.Security.Authentication.SslProtocols.Tls11,`
`64`	`64`	`Tls12 = System.Security.Authentication.SslProtocols.Tls12,`
	`65`	`+ Tls13 = System.Security.Authentication.SslProtocols.Tls13,`
`65`	`66`	`}`
`66`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,5 +16,6 @@ public enum SecurityProtocolType`
`16`	`16`	`Tls = SslProtocols.Tls,`
`17`	`17`	`Tls11 = SslProtocols.Tls11,`
`18`	`18`	`Tls12 = SslProtocols.Tls12,`
	`19`	`+ Tls13 = SslProtocols.Tls13,`
`19`	`20`	`}`
`20`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public static SecurityProtocolType SecurityProtocol`
`36`	`36`
`37`	`37`	`private static void ValidateSecurityProtocol(SecurityProtocolType value)`
`38`	`38`	`{`
`39`		`- SecurityProtocolType allowed = SecurityProtocolType.Tls \| SecurityProtocolType.Tls11 \| SecurityProtocolType.Tls12;`
	`39`	`+ SecurityProtocolType allowed = SecurityProtocolType.Tls \| SecurityProtocolType.Tls11 \| SecurityProtocolType.Tls12 \| SecurityProtocolType.Tls13;`
`40`	`40`	`if ((value & ~allowed) != 0)`
`41`	`41`	`{`
`42`	`42`	`throw new NotSupportedException(SR.net_securityprotocolnotsupported);`