AllowRenegotiation default is false
The default value of SslServerAuthenticationOptions.AllowRenegotiation has been changed to false.
Previous behavior
In previous versions, client-side renegotiation was allowed by the server by default.
New behavior
Starting in .NET 7, client-side renegotiation must be explicitly enabled on the server side.
Version introduced
.NET 7
Type of breaking change
This change can affect binary compatibility and source compatibility.
Reason for change
Client-side renegotiation is widely regarded as insecure; for example, TLS 1.3 removed renegotiation entirely. It is therefore disabled by default.
Recommended action
If client-side renegotiation is required, set SslServerAuthenticationOptions.AllowRenegotiation to true when initializing the server side of the SslStream.
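As an added illustration (not code from the original page), the following server-side SslStream setup keeps the .NET 7 default and opts in to renegotiation only for the specific case where it is known to be required. The AcceptTlsAsync helper, the legacyClientNeedsRenegotiation flag and the certificate file path are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

static class TlsServer
{
    // Hypothetical helper: wraps an accepted TcpClient in a server-side SslStream.
    static async Task<SslStream> AcceptTlsAsync(
        TcpClient client,
        X509Certificate2 serverCert,
        bool legacyClientNeedsRenegotiation)
    {
        var options = new SslServerAuthenticationOptions
        {
            ServerCertificate = serverCert,
            // .NET 7 defaults this to false. Set it to true only when a known
            // peer actually requires client-initiated renegotiation.
            AllowRenegotiation = legacyClientNeedsRenegotiation,
            // Let the OS pick the protocol; renegotiation only exists in TLS 1.2 and earlier.
            EnabledSslProtocols = SslProtocols.None,
        };

        var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        await ssl.AuthenticateAsServerAsync(options, CancellationToken.None);

        // Caveat for operators: if TLS 1.3 was negotiated, the flag has no effect,
        // because TLS 1.3 has no renegotiation at all.
        if (legacyClientNeedsRenegotiation && ssl.SslProtocol == SslProtocols.Tls13)
            Console.WriteLine("Renegotiation enabled but TLS 1.3 negotiated; flag is irrelevant.");

        return ssl;
    }

    static async Task Main()
    {
        // Placeholder certificate; replace with the real server certificate.
        var cert = new X509Certificate2("server.pfx", "PLACEHOLDER_PASSWORD");
        var listener = new TcpListener(System.Net.IPAddress.Loopback, 8443);
        listener.Start();
        using var client = await listener.AcceptTcpClientAsync();
        using var ssl = await AcceptTlsAsync(client, cert, legacyClientNeedsRenegotiation: false);
        Console.WriteLine($"Negotiated {ssl.SslProtocol}, cipher {ssl.NegotiatedCipherSuite}");
    }
}
```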
Affected APIs
- System.Net.Security.SslServerAuthenticationOptions
- System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate, Boolean, Boolean)
- System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate, Boolean, SslProtocols, Boolean)
- System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate)