Allow developers to override the allowed SSL protocols for IMAP, POP3, and SMTP

Fixes issue #229

Author: jstedfast

MailKit/MailService.cs

@@ -33,6 +33,7 @@
 #if !NETFX_CORE
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
+using SslProtocols = System.Security.Authentication.SslProtocols;
 #endif
 
 using MailKit.Security;
@@ -46,6 +47,12 @@ namespace MailKit {
 	/// </remarks>
 	public abstract class MailService : IMailService
 	{
+#if NET_4_5 || __MOBILE__
+		const SslProtocols DefaultSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+#elif !NETFX_CORE
+		const SslProtocols DefaultSslProtocols = SslProtocols.Tls;
+#endif
+
 		/// <summary>
 		/// Initializes a new instance of the <see cref="MailKit.MailService"/> class.
 		/// </summary>
@@ -61,9 +68,21 @@ protected MailService (IProtocolLogger protocolLogger)
 			if (protocolLogger == null)
 				throw new ArgumentNullException ("protocolLogger");
 
+			SslProtocols = DefaultSslProtocols;
 			ProtocolLogger = protocolLogger;
 		}
 
+		/// <summary>
+		/// Initializes a new instance of the <see cref="MailKit.MailService"/> class.
+		/// </summary>
+		/// <remarks>
+		/// Initializes a new instance of the <see cref="MailKit.MailService"/> class.
+		/// </remarks>
+		protected MailService ()
+		{
+			SslProtocols = DefaultSslProtocols;
+		}
+
 		/// <summary>
 		/// Releases unmanaged resources and performs other cleanup operations before the
 		/// <see cref="MailService"/> is reclaimed by garbage collection.
@@ -113,6 +132,19 @@ public IProtocolLogger ProtocolLogger {
 		}
 
 #if !NETFX_CORE
+		/// <summary>
+		/// Gets or sets the SSL/TLS protocols that the client is allowed to use.
+		/// </summary>
+		/// <remarks>
+		/// <para>Gets or sets the SSL/TLS protocols that the client is allowed to use.</para>
+		/// <para>This property should be set before calling any of the
+		/// <a href="Overload_MailKit_MailService_Connect.htm">Connect</a> methods.</para>
+		/// </remarks>
+		/// <value>The ssl protocols.</value>
+		public SslProtocols SslProtocols {
+			get; set;
+		}
+
 		/// <summary>
 		/// Gets or sets the client SSL certificates.
 		/// </summary>

MailKit/Net/Imap/ImapClient.cs

@@ -42,7 +42,6 @@
 using System.Net.Sockets;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
-using SslProtocols = System.Security.Authentication.SslProtocols;
 #endif
 
 using MailKit.Security;
@@ -67,11 +66,6 @@ public class ImapClient : MailStore
 	{
 		static readonly char[] ReservedUriCharacters = new [] { ';', '/', '?', ':', '@', '&', '=', '+', '$', ',' };
 		const string HexAlphabet = "0123456789ABCDEF";
-#if NET_4_5 || __MOBILE__
-		const SslProtocols DefaultSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
-#elif !NETFX_CORE
-		const SslProtocols DefaultSslProtocols = SslProtocols.Tls;
-#endif
 		readonly ImapEngine engine;
 #if NETFX_CORE
 		StreamSocket socket;
@@ -1196,7 +1190,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 			if (options == SecureSocketOptions.SslOnConnect) {
 				var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate);
-				ssl.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+				ssl.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 				stream = ssl;
 			} else {
 				stream = new NetworkStream (socket, true);
@@ -1246,7 +1240,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 					if (ic.Response == ImapCommandResponse.Ok) {
 #if !NETFX_CORE
 						var tls = new SslStream (stream, false, ValidateRemoteCertificate);
-						tls.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+						tls.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 						engine.Stream.Stream = tls;
 #else
 						socket.UpgradeToSslAsync (SocketProtectionLevel.Tls12, new HostName (host))
@@ -1363,7 +1357,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 			if (options == SecureSocketOptions.SslOnConnect) {
 				var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate);
-				ssl.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+				ssl.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 				stream = ssl;
 			} else {
 				stream = new NetworkStream (socket, true);
@@ -1393,7 +1387,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 					if (ic.Response == ImapCommandResponse.Ok) {
 						var tls = new SslStream (stream, false, ValidateRemoteCertificate);
-						tls.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+						tls.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 						engine.Stream.Stream = tls;
 
 						// Query the CAPABILITIES again if the server did not include an

MailKit/Net/Pop3/Pop3Client.cs

@@ -45,7 +45,6 @@
 using System.Net.Security;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
-using SslProtocols = System.Security.Authentication.SslProtocols;
 using MD5 = System.Security.Cryptography.MD5CryptoServiceProvider;
 #endif
 
@@ -69,12 +68,6 @@ namespace MailKit.Net.Pop3 {
 	/// </example>
 	public class Pop3Client : MailSpool
 	{
-#if NET_4_5 || __MOBILE__
-		const SslProtocols DefaultSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
-#elif !NETFX_CORE
-		const SslProtocols DefaultSslProtocols = SslProtocols.Tls;
-#endif
-
 		[Flags]
 		enum ProbedCapabilities : byte {
 			None   = 0,
@@ -779,7 +772,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 			if (options == SecureSocketOptions.SslOnConnect) {
 				var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate);
-				ssl.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+				ssl.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 				stream = ssl;
 			} else {
 				stream = new NetworkStream (socket, true);
@@ -824,7 +817,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 #if !NETFX_CORE
 					var tls = new SslStream (stream, false, ValidateRemoteCertificate);
-					tls.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+					tls.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 					engine.Stream.Stream = tls;
 #else
 					socket.UpgradeToSslAsync (SocketProtectionLevel.Tls12, new HostName (host))
@@ -939,7 +932,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 			if (options == SecureSocketOptions.SslOnConnect) {
 				var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate);
-				ssl.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+				ssl.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 				stream = ssl;
 			} else {
 				stream = new NetworkStream (socket, true);
@@ -965,7 +958,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 					SendCommand (cancellationToken, "STLS");
 
 					var tls = new SslStream (stream, false, ValidateRemoteCertificate);
-					tls.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+					tls.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 					engine.Stream.Stream = tls;
 
 					// re-issue a CAPA command

MailKit/Net/Smtp/SmtpClient.cs

@@ -45,7 +45,6 @@
 using System.Net.Sockets;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
-using SslProtocols = System.Security.Authentication.SslProtocols;
 #endif
 
 using MailKit.Security;
@@ -70,11 +69,6 @@ namespace MailKit.Net.Smtp {
 	/// </example>
 	public class SmtpClient : MailTransport
 	{
-#if NET_4_5 || __MOBILE__
-		const SslProtocols DefaultSslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
-#elif !NETFX_CORE
-		const SslProtocols DefaultSslProtocols = SslProtocols.Tls;
-#endif
 		static readonly byte[] EndData = Encoding.ASCII.GetBytes ("\r\n.\r\n");
 		const int MaxLineLength = 998;
 
@@ -810,7 +804,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 			if (options == SecureSocketOptions.SslOnConnect) {
 				var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate);
-				ssl.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+				ssl.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 				stream = ssl;
 			} else {
 				stream = new NetworkStream (socket, true);
@@ -862,7 +856,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 #if !NETFX_CORE
 					var tls = new SslStream (stream, false, ValidateRemoteCertificate);
-					tls.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+					tls.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 					Stream.Stream = tls;
 #else
 					socket.UpgradeToSslAsync (SocketProtectionLevel.Tls12, new HostName (host))
@@ -990,7 +984,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 
 			if (options == SecureSocketOptions.SslOnConnect) {
 				var ssl = new SslStream (new NetworkStream (socket, true), false, ValidateRemoteCertificate);
-				ssl.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+				ssl.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 				stream = ssl;
 			} else {
 				stream = new NetworkStream (socket, true);
@@ -1024,7 +1018,7 @@ static void ComputeDefaultValues (string host, ref int port, ref SecureSocketOpt
 						throw new SmtpCommandException (SmtpErrorCode.UnexpectedStatusCode, response.StatusCode, response.Response);
 
 					var tls = new SslStream (stream, false, ValidateRemoteCertificate);
-					tls.AuthenticateAsClient (host, ClientCertificates, DefaultSslProtocols, true);
+					tls.AuthenticateAsClient (host, ClientCertificates, SslProtocols, true);
 					Stream.Stream = tls;
 
 					// Send EHLO again and get the new list of supported extensions