#926: supported server ssl protocol versions

src/Titanium.Web.Proxy/ExplicitClientHandler.cs

@@ -3,6 +3,7 @@
 using System.Net;
 using System.Net.Security;
 using System.Net.Sockets;
+using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
@@ -121,7 +122,14 @@ private async Task HandleClient(ExplicitProxyEndPoint endPoint, TcpClientConnect
                 if (decryptSsl && clientHelloInfo != null)
                 {
                     connectRequest.IsHttps = true; // todo: move this line to the previous "if"
-                    clientStream.Connection.SslProtocol = clientHelloInfo.SslProtocol;
+
+                    var sslProtocol = clientHelloInfo.SslProtocol;
+                    if ((sslProtocol & SupportedSslProtocols) == SslProtocols.None)
+                    {
+                        throw new Exception("Unsupported client SSL version.");
+                    }
+
+                    clientStream.Connection.SslProtocol = sslProtocol;
 
                     var http2Supported = false;
 

src/Titanium.Web.Proxy/Network/TcpConnection/TcpConnectionFactory.cs

@@ -301,6 +301,8 @@ internal Task<TcpServerConnection> GetServerConnection(ProxyServer proxyServer,
                 throw new Exception(
                     $"A client is making HTTP request via external proxy to one of the listening ports of this proxy {remoteHostName}:{remotePort}");
 
+        if (proxyServer.SupportedServerSslProtocols != SslProtocols.None) sslProtocol = proxyServer.SupportedServerSslProtocols;
+
         if (isHttps && sslProtocol == SslProtocols.None) sslProtocol = proxyServer.SupportedSslProtocols;
 
         var useUpstreamProxy1 = false;

src/Titanium.Web.Proxy/ProxyServer.cs

@@ -249,6 +249,14 @@ public ProxyServer(string? rootCertificateName, string? rootCertificateIssuerNam
         SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
 #pragma warning restore 618
 
+    /// <summary>
+    ///     List of supported Server Ssl versions.
+    ///     Using SslProtocol.None means to require the same SSL protocol as the proxy client.
+    /// </summary>
+#pragma warning disable 618
+    public SslProtocols SupportedServerSslProtocols { get; set; } = SslProtocols.None;
+#pragma warning restore 618
+
     /// <summary>
     ///     The buffer pool used throughout this proxy instance.
     ///     Set custom implementations by implementing this interface.

src/Titanium.Web.Proxy/TransparentClientHandler.cs

@@ -57,7 +57,13 @@ private async Task HandleClient(TransparentBaseProxyEndPoint endPoint, TcpClient
 
                 if (endPoint.DecryptSsl && args.DecryptSsl)
                 {
-                    clientStream.Connection.SslProtocol = clientHelloInfo.SslProtocol;
+                    var sslProtocol = clientHelloInfo.SslProtocol;
+                    if ((sslProtocol & SupportedSslProtocols) == SslProtocols.None)
+                    {
+                        throw new Exception("Unsupported client SSL version.");
+                    }
+
+                    clientStream.Connection.SslProtocol = sslProtocol;
 
                     // do client authentication using certificate
                     X509Certificate2? certificate = null;