Add experimental config to disable TLS1.3 (#6025) (#6026)

(cherry picked from commit 9dbd786)

Author: stevejgordon

src/Elasticsearch.Net/Configuration/ConnectionConfiguration.cs

@@ -178,6 +178,7 @@ public abstract class ConnectionConfiguration<T> : IConnectionConfigurationValue
 		public static IMemoryStreamFactory DefaultMemoryStreamFactory { get; } = Elasticsearch.Net.MemoryStreamFactory.Default;
 		private bool _enableThreadPoolStats;
 		private bool _enableApiVersioningHeader;
+		private bool _unsafeDisableTls13;
 
 		private string _userAgent = ConnectionConfiguration.DefaultUserAgent;
 		private readonly Func<HttpMethod, int, bool> _statusCodeToResponseSuccess;
@@ -239,7 +240,6 @@ false when int.TryParse(apiVersioningEnabled, out var isEnabledValue) => isEnabl
 		int? IConnectionConfigurationValues.MaxRetries => _maxRetries;
 		TimeSpan? IConnectionConfigurationValues.MaxRetryTimeout => _maxRetryTimeout;
 		IMemoryStreamFactory IConnectionConfigurationValues.MemoryStreamFactory => _memoryStreamFactory;
-
 		Func<Node, bool> IConnectionConfigurationValues.NodePredicate => _nodePredicate;
 		Action<IApiCallDetails> IConnectionConfigurationValues.OnRequestCompleted => _completedRequestHandler;
 		Action<RequestData> IConnectionConfigurationValues.OnRequestDataCreated => _onRequestDataCreated;
@@ -252,10 +252,8 @@ false when int.TryParse(apiVersioningEnabled, out var isEnabledValue) => isEnabl
 		IElasticsearchSerializer IConnectionConfigurationValues.RequestResponseSerializer => UseThisRequestResponseSerializer;
 		TimeSpan IConnectionConfigurationValues.RequestTimeout => _requestTimeout;
 		TimeSpan IConnectionConfigurationValues.DnsRefreshTimeout => _dnsRefreshTimeout;
-
 		Func<object, X509Certificate, X509Chain, SslPolicyErrors, bool> IConnectionConfigurationValues.ServerCertificateValidationCallback =>
 			_serverCertificateValidationCallback;
-
 		IReadOnlyCollection<int> IConnectionConfigurationValues.SkipDeserializationForStatusCodes => _skipDeserializationForStatusCodes;
 		TimeSpan? IConnectionConfigurationValues.SniffInformationLifeSpan => _sniffLifeSpan;
 		bool IConnectionConfigurationValues.SniffsOnConnectionFault => _sniffOnConnectionFault;
@@ -267,9 +265,9 @@ false when int.TryParse(apiVersioningEnabled, out var isEnabledValue) => isEnabl
 		bool IConnectionConfigurationValues.TransferEncodingChunked => _transferEncodingChunked;
 		bool IConnectionConfigurationValues.EnableTcpStats => _enableTcpStats;
 		bool IConnectionConfigurationValues.EnableThreadPoolStats => _enableThreadPoolStats;
-
 		MetaHeaderProvider IConnectionConfigurationValues.MetaHeaderProvider { get; } = new MetaHeaderProvider();
 		bool IConnectionConfigurationValues.EnableApiVersioningHeader => _enableApiVersioningHeader;
+		bool IConnectionConfigurationValues.UnsafeDisableTls13 => _unsafeDisableTls13;
 
 		void IDisposable.Dispose() => DisposeManagedResources();
 
@@ -620,6 +618,10 @@ public T SkipDeserializationForStatusCodes(params int[] statusCodes) =>
 
 		public T EnableThreadPoolStats(bool enableThreadPoolStats = true) => Assign(enableThreadPoolStats, (a, v) => a._enableThreadPoolStats = v);
 
+		/// <inheritdoc cref="IConnectionConfigurationValues.UnsafeDisableTls13"/>
+		[Obsolete("This API is temporary, experiemental setting and will be removed in a future minor release.")]
+		public T UnsafeDisableTls13(bool disableTls13 = true) => Assign(disableTls13, (a, v) => a._unsafeDisableTls13 = v);
+
 		protected virtual void DisposeManagedResources()
 		{
 			_connectionPool?.Dispose();

src/Elasticsearch.Net/Configuration/IConnectionConfigurationValues.cs

@@ -286,5 +286,17 @@ public interface IConnectionConfigurationValues : IDisposable
 		/// <para> NOTE: You need at least Elasticsearch 7.11 and higher before you can enable this setting on the client</para>
 		/// </summary>
 		bool EnableApiVersioningHeader { get; }
+
+		/// <summary>
+		/// This is an EXPERIMENTAL configuration value which forces the use only of TLS 1.1 and 1.2 during the TLS negotiation. This is a
+		/// temporary workaround for an known TLS negotiation issue with some Cloud regions from Windows 11 for apps targetting .NET 5.0+.
+		/// It should not be used other than to avoid that specific limitation.
+		/// <para>
+		/// This is a temporary, experiemental configuration setting which is likely to be removed in a future release, once the TLS negotiation
+		/// issue is resolved.
+		/// </para>
+		/// </summary>
+		[Obsolete("This API is temporary, experiemental setting and will be removed in a future minor release.")]
+		bool UnsafeDisableTls13 { get; }
 	}
 }

src/Elasticsearch.Net/Connection/HttpConnection.cs

@@ -208,6 +208,14 @@ protected virtual HttpMessageHandler CreateHttpClientHandler(RequestData request
 		{
 			var handler = new HttpClientHandler { AutomaticDecompression = requestData.HttpCompression ? GZip | Deflate : None, };
 
+			// This supports a temporary workaround for https://github.com/elastic/cloud/issues/87734 which disables the use of TLS 1.3.
+#pragma warning disable CS0618 // Type or member is obsolete
+			if (requestData.ConnectionSettings.UnsafeDisableTls13)
+#pragma warning restore CS0618 // Type or member is obsolete
+			{
+				handler.SslProtocols = System.Security.Authentication.SslProtocols.Tls | System.Security.Authentication.SslProtocols.Tls11 | System.Security.Authentication.SslProtocols.Tls12;
+			}
+
 			// same limit as desktop clr
 			if (requestData.ConnectionSettings.ConnectionLimit > 0)
 				try