From 77dbb2954dd68910c1e404eb72960f50aad1d91c Mon Sep 17 00:00:00 2001
From: Rhys Parry
Date: Tue, 9 Dec 2025 09:21:57 +1000
Subject: [PATCH 1/2] Use system-defined TLS protocol versions
---
 .../Communications/TentacleCommunicationsModule.cs | 6 +++++-
 source/Octopus.Tentacle/EnvironmentOverrides.cs | 10 ++++++++++
 source/Octopus.Tentacle/Program.cs | 11 +++++++----
 3 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 source/Octopus.Tentacle/EnvironmentOverrides.cs
diff --git a/source/Octopus.Tentacle/Communications/TentacleCommunicationsModule.cs b/source/Octopus.Tentacle/Communications/TentacleCommunicationsModule.cs
index 040ebf9f8..f7492015e 100644
--- a/source/Octopus.Tentacle/Communications/TentacleCommunicationsModule.cs
+++ b/source/Octopus.Tentacle/Communications/TentacleCommunicationsModule.cs
@@ -59,12 +59,16 @@ protected override void Load(ContainerBuilder builder)
 halibutTimeoutsAndLimits.TcpNoDelay = useTcpNoDelay;
 halibutTimeoutsAndLimits.UseAsyncListener = useAsyncListener;
 
+ ISslConfigurationProvider sslConfigurationProvider = EnvironmentOverrides.UseLegacyExplicitSslConfiguration
+ ? new LegacySslConfigurationProvider()
+ : new DefaultSslConfigurationProvider();
+
 var halibutRuntime = new HalibutRuntimeBuilder()
 .WithServiceFactory(services)
 .WithServerCertificate(configuration.TentacleCertificate!)
 .WithMessageSerializer(serializerBuilder => serializerBuilder.WithLegacyContractSupport())
 .WithHalibutTimeoutsAndLimits(halibutTimeoutsAndLimits)
- .WithSslConfigurationProvider(new LegacySslConfigurationProvider())
+ .WithSslConfigurationProvider(sslConfigurationProvider)
 .Build();
 
 halibutRuntime.SetFriendlyHtmlPageContent(FriendlyHtmlPageContent);
diff --git a/source/Octopus.Tentacle/EnvironmentOverrides.cs b/source/Octopus.Tentacle/EnvironmentOverrides.cs
new file mode 100644
index 000000000..46cae9db6
--- /dev/null
+++ b/source/Octopus.Tentacle/EnvironmentOverrides.cs
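Review bot: The provider selection at the top of the hunk (`EnvironmentOverrides.UseLegacyExplicitSslConfiguration ? new LegacySslConfigurationProvider() : new DefaultSslConfigurationProvider()`) leaves no record of which TLS configuration the Halibut runtime actually ended up with, so an operator who set the override has nothing to check, and the same property is consulted separately in the Program.cs constructor. A comment above the ternary would at least document that coupling: `// Must agree with the ServicePointManager.SecurityProtocol branch in Program.cs; both read the OCTOPUS_TENTACLE_USE_LEGACY_TLS override.` If a logger is reachable from this module (none is visible in the hunk), logging the selected provider type here would make the switch observable at startup. Load() continues outside the hunk.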
@@ -0,0 +1,10 @@
+using System;
+
+namespace Octopus.Tentacle
+{
+ public static class EnvironmentOverrides
+ {
+ public static bool UseLegacyExplicitSslConfiguration =>
+ Environment.GetEnvironmentVariable("OCTOPUS_TENTACLE_USE_LEGACY_TLS") == "YES";
+ }
+}
\ No newline at end of file
diff --git a/source/Octopus.Tentacle/Program.cs b/source/Octopus.Tentacle/Program.cs
index b9f20ee73..6dee75745 100644
--- a/source/Octopus.Tentacle/Program.cs
+++ b/source/Octopus.Tentacle/Program.cs
@@ -27,10 +27,13 @@ public Program(string[] commandLineArguments)
 : base("Octopus Deploy: Tentacle", OctopusTentacle.EnvironmentInformation, commandLineArguments)
 {
- ServicePointManager.SecurityProtocol =
- SecurityProtocolType.Tls
- | SecurityProtocolType.Tls11
- | SecurityProtocolType.Tls12;
+ if (EnvironmentOverrides.UseLegacyExplicitSslConfiguration)
+ {
+ ServicePointManager.SecurityProtocol =
+ SecurityProtocolType.Tls
+ | SecurityProtocolType.Tls11
+ | SecurityProtocolType.Tls12;
+ }
 }
 
 protected override ApplicationName ApplicationName => ApplicationName.Tentacle;
From 03c4b9c843f5a7b42ac3222242cefdaf092dc476 Mon Sep 17 00:00:00 2001
From: Rhys Parry
Date: Tue, 6 Jan 2026 12:13:25 +1000
Subject: [PATCH 2/2] Maintain the existing behavior
- Use true/false (case-insensitive) for environment variable values
- Invert the toggle so that existing behavior is maintained
- Users can opt-in to system configure TLS by setting the environment variable to false
---
 source/Octopus.Tentacle/EnvironmentOverrides.cs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/source/Octopus.Tentacle/EnvironmentOverrides.cs b/source/Octopus.Tentacle/EnvironmentOverrides.cs
index 46cae9db6..0cd9d7dc5 100644
--- a/source/Octopus.Tentacle/EnvironmentOverrides.cs
+++ b/source/Octopus.Tentacle/EnvironmentOverrides.cs
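Review bot: In the Program.cs hunk, the new `if (EnvironmentOverrides.UseLegacyExplicitSslConfiguration)` block keeps explicitly enabling `SecurityProtocolType.Tls` and `SecurityProtocolType.Tls11` (TLS 1.0/1.1) whenever the override is active, and nothing in the code says this is a deliberate compatibility choice or that the non-legacy path intentionally leaves `ServicePointManager.SecurityProtocol` untouched so the runtime/OS default applies. A comment above the assignment would make both explicit: `// Legacy behaviour: pin the outbound protocol set to TLS 1.0–1.2. When the override is off, SecurityProtocol is left alone so the runtime/OS default set applies.` The override is also read here at construction time and again in TentacleCommunicationsModule.Load, so the two sites would only disagree if the variable were changed in-process between them; unlikely, but worth a sentence in the EnvironmentOverrides doc comment. The constructor's enclosing class continues outside the hunk.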
@@ -4,7 +4,19 @@ namespace Octopus.Tentacle
 {
 public static class EnvironmentOverrides
 {
+ ///
+ /// By default, (i.e. with no environment variable set) we will use the legacy explicit SSL
+ /// configuration. For users that choose to opt-in to the new behavior early they can set
+ /// the OCTOPUS_TENTACLE_USE_LEGACY_TLS environment variable to "FALSE".
+ ///
+ /// In the future, the default will change to using the system default, and this flag will
+ /// exist to allow opting back into the legacy behavior by setting the
+ /// OCTOPUS_TENTACLE_USE_LEGACY_TLS environment variable to "TRUE".
+ ///
 public static bool UseLegacyExplicitSslConfiguration =>
- Environment.GetEnvironmentVariable("OCTOPUS_TENTACLE_USE_LEGACY_TLS") == "YES";
+ !bool.FalseString.Equals(
+ Environment.GetEnvironmentVariable("OCTOPUS_TENTACLE_USE_LEGACY_TLS"),
+ StringComparison.OrdinalIgnoreCase
+ );
 }
 }
\ No newline at end of file
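Review bot: `!bool.FalseString.Equals(Environment.GetEnvironmentVariable("OCTOPUS_TENTACLE_USE_LEGACY_TLS"), StringComparison.OrdinalIgnoreCase)` accepts exactly the token `false` (any case) as the opt-out and silently treats every other value — `0`, `no`, `off`, ` false ` with stray whitespace, or a typo — as "keep the legacy TLS 1.0–1.2 configuration", which is the weaker of the two modes. The commit message promises true/false parsing, and `bool.TryParse` matches that contract while also tolerating surrounding whitespace: `!bool.TryParse(Environment.GetEnvironmentVariable("OCTOPUS_TENTACLE_USE_LEGACY_TLS"), out var useLegacy) || useLegacy;` as the expression body preserves the unset/unparsable → legacy default. Because a misspelt value still lands on the legacy path, the resolved mode should be logged where the property is consumed (Program.cs and TentacleCommunicationsModule) so operators can confirm the opt-out took effect. The `///` block also shows no `<summary>` tags in this view; if they were stripped by rendering, ignore this, otherwise the comment will not be picked up as XML documentation.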