[ Breaking Change Request ] Switch to TLS 1.2 as minimum requirement #46875
Comments
SGTM
lgtm
@devoncarew - how should we track these?
I just reviewed our breaking change policy https://github.com/dart-lang/sdk/blob/master/docs/process/breaking-changes.md :) It sounds like we're close to approval, although it would be good to get someone from Flutter to weigh in (@tvolkert, @Hixie, perhaps @goderbauer). It sounds like this is a platform health thing. We can start an email to Once we have approval and it's landed, we should update the changelog. I think it would also be good to keep this issue open and in the milestone for the stable release, so we remember closer to the release date to prepare any necessary docs / faqs.
Speculatively adding to the next stable milestone so we don't lose track.
lgtm though i'm sure i'm going to personally discover i have some server somewhere using TLS 1.0 and get really confused about why suddenly things stop working when i next update dart...
Given that I just had to rebuild an old server because Java client code stopped supporting TLS 1.0, this seems reasonable to me.
Great! @a-siva, sounds like this is approved.
This has landed, and will be going out in Dart 2.15.
Changelog update in https://dart-review.googlesource.com/c/sdk/+/215404
Intended Behavior Change
Update the SecurityContext class in dart:io to set the minimum TLS protocol version to TLS1_2_VERSION instead of TLS1_VERSION.
Motivation for this change: TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1.
Pull request: #41135
Code review: https://dart-review.googlesource.com/c/sdk/+/140481
Current Behavior
Currently, the dart:io library sets the minimum required TLS protocol version to TLS1_VERSION.
Expected Impact
If there are servers that only support TLS 1.0 or TLS 1.1 and do not speak TLS 1.2 then existing client code that was able to communicate with these servers would get impacted.
Chrome has removed support for TLS 1.0 in Chrome 84 and we expect that most servers would have migrated away from TLS 1.0.
Mitigation
Code that only supports TLS 1.0 would have to be migrated to support TLS 1.2.
cc for review: @mit-mit @vsmenon @kevmoo @Hixie
FYI: @mraleph @mkustermann @rmacnak-google @sortie @aam @athomas
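The check implied by the Expected Impact and Mitigation sections, as an added example that is not part of the original issue or the Dart SDK: given ServerHello records captured from existing client traffic, it flags servers that selected TLS 1.0 or 1.1 and would fail the handshake under a TLS1_2_VERSION minimum. The function names and the constructed sample records are assumptions for illustration; the parser reads the supported_versions extension because TLS 1.3 servers report 0x0303 in the legacy version field.

```python
import struct

TLS1_2_VERSION = 0x0303  # wire value of the new dart:io minimum
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def negotiated_version(record):
    """Return the version a server selected, read from its ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len or body_len < 38:
        raise ValueError("truncated ServerHello")
    version = int.from_bytes(body[0:2], "big")  # legacy_version field
    pos = 2 + 32                                # skip 32-byte random
    pos += 1 + body[pos]                        # skip session_id
    if pos + 3 > body_len:
        raise ValueError("truncated ServerHello")
    pos += 3                                    # cipher suite + compression
    if pos + 2 > body_len:
        return version                          # no extensions: TLS 1.2 or older
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end > body_len:
        raise ValueError("extension block overruns ServerHello")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if pos + 4 + ext_len > end:
            raise ValueError("extension overruns block")
        if ext_type == 43 and ext_len == 2:     # supported_versions (TLS 1.3)
            version = int.from_bytes(body[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version

def survives_tls12_minimum(record):
    """True if this server still handshakes once the client minimum is TLS 1.2."""
    return negotiated_version(record) >= TLS1_2_VERSION

def sample_server_hello(legacy, selected=None):
    """Constructed test record: zero random, empty session id, one cipher."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected is not None:
        body += struct.pack("!HHHH", 6, 43, 2, selected)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", legacy, len(hs)) + hs

if __name__ == "__main__":
    for rec in (sample_server_hello(0x0301), sample_server_hello(0x0303, 0x0304)):
        print(NAMES[negotiated_version(rec)], survives_tls12_minimum(rec))
```

A server counts as affected only if the capturing client offered TLS 1.2 or later and the server still chose a lower version.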