Transport Layer Security (TLS) best practices with the .NET Framework starts by agreeing with this fine idea:
When your app lets the OS choose the TLS version:
It automatically takes advantage of new protocols added in the future, such as TLS 1.3.
The OS blocks protocols that are discovered not to be secure.
and then you can keep reading to see how messy it gets. See my previous post on “remarkably complicated”. Life seems to be getting better in new .NET Framework versions. Duplicati targets 4.5, and I’m not sure what would break if it went to a higher target. Duplicati might give old behavior to Windows users who keep the old .NET Framework deliberately (e.g. by limiting updates), but I’m not sure where fully updated Mono users land. Obviously a graceful degradation is far preferable to any complete failure (whether on Windows, Linux, etc.).
One can also see here that Duplicati is not in direct control of where the negotiation happens. It’s far, far lower, but there are some controls Duplicati can use. The most disturbing failure to me is when I told Duplicati to use SystemDefault and got total failure to connect. Observing with Wireshark showed not even a TLS negotiation, simply a close (presumably from Windows). I wonder if this is what the above-quoted “blocks protocols” looks like? This was as a Windows service on 18.104.22.168 beta on the latest fully updated Windows 10. I haven’t tried other ways yet. You got ahead of me, plus I might be taking a break. Feel free to test yourself, preferably with a test job…
--allowed-ssl-versions (Flags): Sets allowed SSL versions
This option changes the default SSL versions allowed. This is an advanced
option and should only be used if you want to enhance security or work
around an issue with a particular SSL protocol.
* values: Ssl3, Tls, Tls11, Tls12, SystemDefault
* default value: SystemDefault,Ssl3,Tls
While it might be nice if Duplicati can do something on its own, security is best with general Windows securing which (unfortunately) involves registry changes. One possible source is available from these folks who aim to help their customers meet the requirements for a properly secured Point-of-Sale (POS) system. PCI Security and TLS 1.2 – Is Your Restaurant Ready? offers TheLevelUp/pos-tls-patcher which I haven’t personally tried. One thing I like about this compared to things like .reg files I see around is that it comes with an uninstaller…
If anyone wants to give securing their Windows system a try through registry changes, please post the result. For any who don’t think the patcher has earned sufficient trust yet, see the above article for a Microsoft .reg file.
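For anyone who wants to try the registry route without blindly importing a .reg file, here is an added example (written for this page; it is not code from the forum post, from Duplicati, or from the pos-tls-patcher project). It audits, backs up with reg.exe export, and only on request applies the two .NET Framework 4.x values Microsoft's "Transport Layer Security (TLS) best practices with the .NET Framework" article documents (SchUseStrongCrypto and SystemDefaultTlsVersions, under both the native and Wow6432Node keys) plus the SCHANNEL client-side switches that turn off SSL 3.0, TLS 1.0 and TLS 1.1. The backup directory path and the "FIX"/"ok" report format are this example's own choices; the registry paths and value names are the documented ones.

```powershell
# Added example, not from the original post or from Duplicati.
# Audit, back up and optionally apply the Windows registry settings that make
# .NET Framework 4.x apps follow the OS TLS defaults and disable legacy SCHANNEL
# client protocols. Run from an elevated PowerShell 5.1+ prompt.
#   .\Set-TlsDefaults.ps1              # report only
#   .\Set-TlsDefaults.ps1 -Apply       # back up, then write the values
#   .\Set-TlsDefaults.ps1 -Apply -WhatIf   # show what would be written
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,                                      # without -Apply: report only
    [string]$BackupDir = "$env:TEMP\tls-registry-backup" # assumed location for .reg backups
)

# .NET Framework 4.x: documented values that select strong crypto and OS-default TLS versions.
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$dotnetValues = @{ SchUseStrongCrypto = 1; SystemDefaultTlsVersions = 1 }

# SCHANNEL: disable legacy protocols for the client role only (Duplicati is a TLS client).
# TLS 1.2 is left alone so the OS default continues to apply.
$schannelRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacyProtocols = @('SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$schannelValues  = @{ Enabled = 0; DisabledByDefault = 1 }

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: the built-in OS/.NET default applies
}

function Show-State {
    # One line per value: "ok " when it already matches, "FIX" when it does not.
    param([string]$Path, [hashtable]$Wanted)
    foreach ($name in $Wanted.Keys) {
        $current = Get-RegDword -Path $Path -Name $name
        $shown   = if ($null -eq $current) { '<not set>' } else { $current }
        $mark    = if ($current -eq $Wanted[$name]) { 'ok ' } else { 'FIX' }
        '{0} {1}\{2} = {3} (want {4})' -f $mark, $Path, $name, $shown, $Wanted[$name]
    }
}

function Backup-Key {
    # Export the key with reg.exe so the change can be undone with "reg import <file>".
    param([string]$Path)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regPath = $Path -replace '^HKLM:\\', 'HKLM\'
    $file    = Join-Path $BackupDir (($regPath -replace '[\\ :]', '_') + '.reg')
    if (Test-Path $Path) {
        & reg.exe export $regPath $file /y | Out-Null
        "backed up $regPath -> $file"
    } else {
        "note: $regPath did not exist; delete the key to undo"
    }
}

function Set-Wanted {
    # -WhatIf given to the script propagates to New-Item/New-ItemProperty.
    param([string]$Path, [hashtable]$Wanted)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
            -Value $Wanted[$name] -Force | Out-Null
    }
}

$targets = @()
foreach ($k in $dotnetKeys)      { $targets += ,@($k, $dotnetValues) }
foreach ($p in $legacyProtocols) { $targets += ,@("$schannelRoot\$p\Client", $schannelValues) }

'--- current state ---'
foreach ($t in $targets) { Show-State -Path $t[0] -Wanted $t[1] }

if ($Apply) {
    '--- backing up and applying ---'
    foreach ($t in $targets) { Backup-Key -Path $t[0]; Set-Wanted -Path $t[0] -Wanted $t[1] }
    'Restart the Duplicati service (or reboot) so the new defaults are picked up.'
    'Undo: reg import each .reg file in the backup directory.'
}

# What this PowerShell process (itself a .NET Framework app) will offer right now.
'ServicePointManager default in this process: {0}' -f [Net.ServicePointManager]::SecurityProtocol
```

Run it once without -Apply and keep the report; after applying, rerun it and retry the Duplicati job with --allowed-ssl-versions=SystemDefault, which is the setting these values are meant to make safe. Two caveats: the SCHANNEL keys affect every TLS client on the machine, not just Duplicati, so anything that still needs TLS 1.0 to reach an old server will break; and none of this applies to Mono on Linux, where the .NET registry keys do not exist and the negotiated versions are governed by Mono's own TLS provider.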