Description
Intended Behavior Change
Update the SecurityContext class in dart:io to set the minimum TLS protocol version to TLS1_2_VERSION instead of TLS1_VERSION.
Motivation for this change: TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant, and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.
Pull request: #41135
Code review: https://dart-review.googlesource.com/c/sdk/+/140481
Current Behavior
Currently, the dart:io library sets the minimum required TLS protocol version to TLS1_VERSION.
Expected Impact
If there are servers that only support TLS 1.0 or TLS 1.1 and do not speak TLS 1.2, then existing client code that was able to communicate with these servers would be impacted.
Chrome has removed support for TLS 1.0 in Chrome 84, and we expect that most servers would have migrated away from TLS 1.0.
Mitigation
Code that only supports TLS 1.0 would have to be migrated to support TLS 1.2.
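To find out in advance whether a server will stop working for a Dart client once the minimum is TLS 1.2, an operator can force each protocol version with openssl s_client. The script below is an added example, not part of this change or the Dart SDK; it assumes an openssl binary is on PATH and that s_client still accepts the -tls1 and -tls1_1 flags on the probing machine.

```shell
#!/bin/sh
# Added example: probe which TLS versions a server accepts, so operators can
# tell whether a client with a TLS 1.2 minimum (as dart:io will have) can
# still connect. Assumes openssl s_client is available on PATH.

# Extract the negotiated protocol from s_client output (the
# "    Protocol  : TLSv1.2" line); prints "refused" when no session was set up.
parse_protocol() {
  proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  if [ -n "$proto" ]; then printf '%s\n' "$proto"; else printf 'refused\n'; fi
}

# Force one protocol version against host:port. $1=host $2=port $3=openssl flag
# such as -tls1, -tls1_1 or -tls1_2. Prints the negotiated version or "refused".
tls_probe() {
  host=$1; port=$2; flag=$3
  out=$(printf '' | openssl s_client -connect "$host:$port" \
        -servername "$host" "$flag" 2>/dev/null) || out=''
  parse_protocol "$out"
}

# Verdict for a server given the results of the -tls1, -tls1_1 and -tls1_2
# probes: "ok" (TLS 1.2 works), "legacy-only" (only TLS 1.0/1.1 accepted, so
# a TLS 1.2-minimum client will fail the handshake) or "unreachable".
verdict() {
  case "$3" in
    TLSv1.2|TLSv1.3) printf 'ok\n' ;;
    *) if [ "$1" != refused ] || [ "$2" != refused ]; then
         printf 'legacy-only\n'
       else
         printf 'unreachable\n'
       fi ;;
  esac
}

main() {
  host=$1; port=${2:-443}
  v10=$(tls_probe "$host" "$port" -tls1)
  v11=$(tls_probe "$host" "$port" -tls1_1)
  v12=$(tls_probe "$host" "$port" -tls1_2)
  printf '%s:%s  TLS1.0=%s TLS1.1=%s TLS1.2=%s  -> %s\n' \
    "$host" "$port" "$v10" "$v11" "$v12" "$(verdict "$v10" "$v11" "$v12")"
}

# Usage: ./tlscheck.sh example.com [443]
if [ $# -gt 0 ]; then main "$@"; fi
```

A "legacy-only" result means the server itself must be upgraded to TLS 1.2 before Dart clients built against the new minimum can talk to it.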
cc for review: @mit-mit @vsmenon @kevmoo @Hixie
FYI: @mraleph @mkustermann @rmacnak-google @sortie @aam @athomas