TLS 1.2 not default in cscript?


(Nick) #1

[Edit: it should be scriptcs in the subject, not cscript. Has been corrected in the text below]

As most everyone (hopefully), we are phasing out support for TLS 1.0 and 1.1.

One of the few issues we encountered was with Octopus scriptcs which executes C# script step templates. The below is NOT regarding communication between Octopus and server and Calamari tentacles.

For a destination http server where support for TLS 1.0 and 1.1 had been disabled, when doing a (HttpWebResponse)request.GetResponse() it would always fail until we added the * * starred * * line below, which is bad practise because what about when TLS 1.3 becomes final?

#r "C:\Windows\System32\inetsrv/Microsoft.Web.Administration.dll";

string targetWebSite = Octopus.Parameters["TargetWebsite"];
string baseUrl = Octopus.Parameters["LocalBaseUrl"];

// Connect to IIS ServerManager 
using (var serverManager = new Microsoft.Web.Administration.ServerManager()) 
	* *ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;* *
  	Microsoft.Web.Administration.Site site = serverManager.Sites[targetWebSite];
	if (site != null)
        foreach (Microsoft.Web.Administration.Application application in site.Applications) 
				if (application.Path.IndexOf("/api/") != -1)
					string url = String.Format("{0}{1}/{2}", baseUrl, application.Path, "ourapplication/cache.aspx?inpClearAll=1");
					Console.WriteLine("url: {0}", url); 
					System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(url);
					request.Method = "POST";
					request.ContentLength = 0;
					System.Net.HttpWebResponse response = (HttpWebResponse)request.GetResponse();
					Console.WriteLine("Web Response Status Code : {0}", response.StatusCode.ToString()); 

IMHO this shouldn’t be the case and means that Octopus’ included scriptcs is compiled against an older .Net Framework which, although it does support TLS 1.2, doesn’t have it as default or fallback. Which today it should.

(Henrik Andersson) #2

Hi Nick,

Thanks for getting in touch.

The way we run C# scripts is by invoking scriptcs with your script as-is. So we don’t control what security protocols are enabled by default as that is controlled by scriptcs.

I hope that helps clarify why you need to enable any required security protocols in your script, as you have done.

Thank you and best regards,

(Nick) #3

Hi Henrik,

Yes, but scriptcs is an integral part of Octopus / Calamari, so it is evident from this information that Calamari/Scriptcs is compiled against .Net Framework 4.5 (or lower) while it should be compiled against Net Framework 4.6 or above. That is obviously more under your control than ours, wouldn’t you agree?

Kind regards,

(Henrik Andersson) #4

Hi Nick,

We use pre-compiled scriptcs binaries so we don’t control how it is being compiled (and we’re on the latest version released, their development branch has been updated to .NET 4.6.2 which should have TLS1.2 enabled by default but it hasn’t been released yet).

Both Octopus Server and Calamari enable TLS1.2 (when available), but as C# scripts are run by scriptcs.exe as an external process we can’t enforce that TLS1.2 is enabled (this also stands true for PowerShell, and FSharp I believe). This is why it needs to be enabled in the script that is being run.

Thank you and best regards,

(Nick) #5

Hi Henrik,

Well, all I can say is that it is bad practice that we are forced to explicitly set SecurityProtocolType.Tls12 in our C# (and maybe also PowerShell as you suggest) scripts for Octopus/Calamari.

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded.
Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.
Perform a thorough code audit to verify you’re not specifying a TLS or SSL version.

Kind regards,