Add explicit handling of SNI-layer SSL protocols

This guards against future changes to the SslProtocols enum

Author: edwardneal

src/Microsoft.Data.SqlClient/netcore/src/Microsoft.Data.SqlClient.csproj

@@ -928,6 +928,9 @@
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SniNativeWrapper.cs">
       <Link>Interop\Windows\Sni\SniNativeWrapper.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SniSslProtocols.cs">
+      <Link>Interop\Windows\Sni\SniSslProtocols.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\TransparentNetworkResolutionMode.cs">
       <Link>Interop\Windows\Sni\TransparentNetworkResolutionMode.cs</Link>
     </Compile>

src/Microsoft.Data.SqlClient/netfx/src/Microsoft.Data.SqlClient.csproj

@@ -219,6 +219,9 @@
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SqlDependencyProcessDispatcherStorage.netfx.cs">
       <Link>Interop\Windows\Sni\SqlDependencyProcessDispatcherStorage.netfx.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SniSslProtocols.cs">
+      <Link>Interop\Windows\Sni\SniSslProtocols.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\TransparentNetworkResolutionMode.cs">
       <Link>Interop\Windows\Sni\TransparentNetworkResolutionMode.cs</Link>
     </Compile>

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/ISniNativeMethods.cs

@@ -92,7 +92,7 @@ unsafe uint SniSecGenClientContextWrapper(
 
         uint SniTerminate();
 
-        uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion);
+        uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion);
 
         uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket);
 

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniNativeMethods.netcore.cs

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniNativeMethodsArm64.netfx.cs

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniNativeMethodsNotSupported.netfx.cs

@@ -142,7 +142,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             throw ADP.SNIPlatformNotSupported(_architecture);
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             throw ADP.SNIPlatformNotSupported(_architecture);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniNativeMethodsX64.netfx.cs

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniNativeMethodsX86.netfx.cs

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniNativeWrapper.cs

@@ -376,19 +376,67 @@ internal static uint SniSetInfo(SNIHandle pConn, QueryType qType, ref uint pbQIn
 
         internal static uint SniTerminate() =>
             s_nativeMethods.SniTerminate();
-        
+
         internal static uint SniWaitForSslHandshakeToComplete(
             SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion) =>
-            s_nativeMethods.SniWaitForSslHandshakeToComplete(pConn, dwMilliseconds, out pProtocolVersion);
+            out System.Security.Authentication.SslProtocols pProtocolVersion)
+        {
+            uint returnValue = s_nativeMethods.SniWaitForSslHandshakeToComplete(pConn, dwMilliseconds, out SniSslProtocols nativeProtocolVersion);
+
+#pragma warning disable CA5398 // Avoid hardcoded SslProtocols values
+            if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_2) != 0)
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls12;
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_3) != 0)
+            {
+#if NET
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls13;
+#else
+                // Only .NET Core supports SslProtocols.Tls13
+                pProtocolVersion = (System.Security.Authentication.SslProtocols)0x3000;
+#endif
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_1) != 0)
+            {
+#if NET8_0_OR_GREATER
+#pragma warning disable SYSLIB0039 // Type or member is obsolete: TLS 1.0 & 1.1 are deprecated
+#endif
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls11;
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_0) != 0)
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls;
+#if NET8_0_OR_GREATER
+#pragma warning restore SYSLIB0039 // Type or member is obsolete: SSL and TLS 1.0 & 1.1 is deprecated
+#endif
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_SSL3) != 0)
+            {
+                // SSL 2.0 and 3.0 are only referenced to log a warning, not explicitly used for connections
+#pragma warning disable CS0618, CA5397
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Ssl3;
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_SSL2) != 0)
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Ssl2;
+#pragma warning restore CS0618, CA5397
+            }
+            else
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.None;
+            }
+#pragma warning restore CA5398 // Avoid hardcoded SslProtocols values
+            return returnValue;
+        }
 
         internal static uint SniWritePacket(SNIHandle pConn, SNIPacket packet, bool sync) =>
             sync
                 ? s_nativeMethods.SniWriteSyncOverAsync(pConn, packet)
                 : s_nativeMethods.SniWriteAsyncWrapper(pConn, packet);
 
-        #endregion
+#endregion
 
         #region Private Methods
 

src/Microsoft.Data.SqlClient/src/Interop/Windows/Sni/SniSslProtocols.cs

@@ -0,0 +1,32 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace Interop.Windows.Sni
+{
+    internal enum SniSslProtocols : uint
+    {
+        // Protocol versions from native SNI
+        SP_PROT_SSL2_SERVER = 0x00000004,
+        SP_PROT_SSL2_CLIENT = 0x00000008,
+        SP_PROT_SSL3_SERVER = 0x00000010,
+        SP_PROT_SSL3_CLIENT = 0x00000020,
+        SP_PROT_TLS1_0_SERVER = 0x00000040,
+        SP_PROT_TLS1_0_CLIENT = 0x00000080,
+        SP_PROT_TLS1_1_SERVER = 0x00000100,
+        SP_PROT_TLS1_1_CLIENT = 0x00000200,
+        SP_PROT_TLS1_2_SERVER = 0x00000400,
+        SP_PROT_TLS1_2_CLIENT = 0x00000800,
+        SP_PROT_TLS1_3_SERVER = 0x00001000,
+        SP_PROT_TLS1_3_CLIENT = 0x00002000,
+        SP_PROT_NONE = 0x0,
+
+        // Combinations for easier use when mapping to SslProtocols
+        SP_PROT_SSL2 = SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT,
+        SP_PROT_SSL3 = SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT,
+        SP_PROT_TLS1_0 = SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_0_CLIENT,
+        SP_PROT_TLS1_1 = SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_1_CLIENT,
+        SP_PROT_TLS1_2 = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT,
+        SP_PROT_TLS1_3 = SP_PROT_TLS1_3_SERVER | SP_PROT_TLS1_3_CLIENT,
+    }
+}