AllowRenegotiation default is false

The default value of SslServerAuthenticationOptions.AllowRenegotiation has been changed to false.

Previous behavior

In previous versions, client-side renegotiation was allowed by the server by default.

New behavior

Starting in .NET 7, client-side renegotiation must be explicitly enabled on the server side.

Version introduced

.NET 7 Preview 3

Type of breaking change

This change can affect binary compatibility and source compatibility.

Reason for change

Client-side renegotiation is viewed as insecure by the industry. For example, it has been removed from TLS 1.3 entirely. Therefore, we should disable it by default.

If client-side renegotiation is required, set SslServerAuthenticationOptions.AllowRenegotiation to true when initializing the server side of the SslStream.

Affected APIs