dotnet · mdaigle · Sep 29, 2025 · Sep 23, 2025 · Sep 23, 2025 · Sep 23, 2025
@@ -928,6 +928,9 @@
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SniNativeWrapper.cs">
       <Link>Interop\Windows\Sni\SniNativeWrapper.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SniSslProtocols.cs">
+      <Link>Interop\Windows\Sni\SniSslProtocols.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\TransparentNetworkResolutionMode.cs">
       <Link>Interop\Windows\Sni\TransparentNetworkResolutionMode.cs</Link>
     </Compile>
@@ -973,12 +976,13 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\TdsParserStateObjectFactory.Windows.cs">
       <Link>Microsoft\Data\SqlClient\TdsParserStateObjectFactory.Windows.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\TdsParserStateObjectNative.Windows.cs">
+      <Link>Microsoft\Data\SqlClient\TdsParserStateObjectNative.Windows.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlTypes\SqlFileStream.Windows.cs">
       <Link>Microsoft\Data\SqlTypes\SqlFileStream.Windows.cs</Link>
     </Compile>
 
-    <Compile Include="Microsoft\Data\SqlClient\TdsParserStateObjectNative.cs" />
-
     <EmbeddedResource Include="$(CommonSourceRoot)Resources\ILLink.Substitutions.Windows.xml">
       <LogicalName>ILLink.Substitutions.xml</LogicalName>
       <Link>Resources\ILLink.Substitutions.Windows.xml</Link>

@@ -219,6 +219,9 @@
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SqlDependencyProcessDispatcherStorage.netfx.cs">
       <Link>Interop\Windows\Sni\SqlDependencyProcessDispatcherStorage.netfx.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\SniSslProtocols.cs">
+      <Link>Interop\Windows\Sni\SniSslProtocols.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)\Interop\Windows\Sni\TransparentNetworkResolutionMode.cs">
       <Link>Interop\Windows\Sni\TransparentNetworkResolutionMode.cs</Link>
     </Compile>
@@ -924,6 +927,9 @@
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\TdsParserStateObjectFactory.Windows.cs">
       <Link>Microsoft\Data\SqlClient\TdsParserStateObjectFactory.Windows.cs</Link>
     </Compile>
+    <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\TdsParserStateObjectNative.Windows.cs">
+      <Link>Microsoft\Data\SqlClient\TdsParserStateObjectNative.Windows.cs</Link>
+    </Compile>
     <Compile Include="$(CommonSourceRoot)Microsoft\Data\SqlClient\TdsParserStaticMethods.cs">
       <Link>Microsoft\Data\SqlClient\TdsParserStaticMethods.cs</Link>
     </Compile>
@@ -996,7 +1002,6 @@
     <Compile Include="Microsoft\Data\SqlClient\SqlInternalConnectionTds.cs" />
     <Compile Include="Microsoft\Data\SqlClient\TdsParser.cs" />
     <Compile Include="Microsoft\Data\SqlClient\TdsParserStateObject.netfx.cs" />
-    <Compile Include="Microsoft\Data\SqlClient\TdsParserStateObjectNative.cs" />
   </ItemGroup>
   <!-- Resources  -->
   <ItemGroup>

@@ -92,7 +92,7 @@ unsafe uint SniSecGenClientContextWrapper(
 
         uint SniTerminate();
 
-        uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion);
+        uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion);
 
         uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket);
 

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

@@ -142,7 +142,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             throw ADP.SNIPlatformNotSupported(_architecture);
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             throw ADP.SNIPlatformNotSupported(_architecture);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

@@ -148,7 +148,7 @@ public uint SniSetInfo(SNIHandle pConn, QueryType queryType, ref uint pbQueryInf
         public uint SniTerminate() =>
             SNITerminate();
 
-        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out uint pProtocolVersion) =>
+        public uint SniWaitForSslHandshakeToComplete(SNIHandle pConn, int dwMilliseconds, out SniSslProtocols pProtocolVersion) =>
             SNIWaitForSSLHandshakeToCompleteWrapper(pConn, dwMilliseconds, out pProtocolVersion);
 
         public uint SniWriteAsyncWrapper(SNIHandle pConn, SNIPacket pPacket) =>
@@ -299,7 +299,7 @@ private static extern int SNIServerEnumReadWrapper(
         private static extern uint SNIWaitForSSLHandshakeToCompleteWrapper(
             [In] SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion);
+            out SniSslProtocols pProtocolVersion);
 
         [DllImport(DllName, CallingConvention = CallingConvention.Cdecl)]
         private static extern uint SNIWriteAsyncWrapper(SNIHandle pConn, [In] SNIPacket pPacket);

@@ -376,19 +376,67 @@ internal static uint SniSetInfo(SNIHandle pConn, QueryType qType, ref uint pbQIn
 
         internal static uint SniTerminate() =>
             s_nativeMethods.SniTerminate();
-        
+
         internal static uint SniWaitForSslHandshakeToComplete(
             SNIHandle pConn,
             int dwMilliseconds,
-            out uint pProtocolVersion) =>
-            s_nativeMethods.SniWaitForSslHandshakeToComplete(pConn, dwMilliseconds, out pProtocolVersion);
+            out System.Security.Authentication.SslProtocols pProtocolVersion)
+        {
+            uint returnValue = s_nativeMethods.SniWaitForSslHandshakeToComplete(pConn, dwMilliseconds, out SniSslProtocols nativeProtocolVersion);
+
+#pragma warning disable CA5398 // Avoid hardcoded SslProtocols values
+            if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_2) != 0)
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls12;
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_3) != 0)
+            {
+#if NET
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls13;
+#else
+                // Only .NET Core supports SslProtocols.Tls13
+                pProtocolVersion = (System.Security.Authentication.SslProtocols)0x3000;
+#endif
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_1) != 0)
+            {
+#if NET8_0_OR_GREATER
+#pragma warning disable SYSLIB0039 // Type or member is obsolete: TLS 1.0 & 1.1 are deprecated
+#endif
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls11;
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_TLS1_0) != 0)
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Tls;
+#if NET8_0_OR_GREATER
+#pragma warning restore SYSLIB0039 // Type or member is obsolete: SSL and TLS 1.0 & 1.1 is deprecated
+#endif
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_SSL3) != 0)
+            {
+                // SSL 2.0 and 3.0 are only referenced to log a warning, not explicitly used for connections
+#pragma warning disable CS0618, CA5397
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Ssl3;
+            }
+            else if ((nativeProtocolVersion & SniSslProtocols.SP_PROT_SSL2) != 0)
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.Ssl2;
+#pragma warning restore CS0618, CA5397
+            }
+            else
+            {
+                pProtocolVersion = System.Security.Authentication.SslProtocols.None;
+            }
+#pragma warning restore CA5398 // Avoid hardcoded SslProtocols values
+            return returnValue;
+        }
 
         internal static uint SniWritePacket(SNIHandle pConn, SNIPacket packet, bool sync) =>
             sync
                 ? s_nativeMethods.SniWriteSyncOverAsync(pConn, packet)
                 : s_nativeMethods.SniWriteAsyncWrapper(pConn, packet);
 
-        #endregion
+#endregion
 
         #region Private Methods
 

@@ -0,0 +1,32 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace Interop.Windows.Sni
+{
+    internal enum SniSslProtocols : uint
+    {
+        // Protocol versions from native SNI
+        SP_PROT_SSL2_SERVER = 0x00000004,
+        SP_PROT_SSL2_CLIENT = 0x00000008,
+        SP_PROT_SSL3_SERVER = 0x00000010,
+        SP_PROT_SSL3_CLIENT = 0x00000020,
+        SP_PROT_TLS1_0_SERVER = 0x00000040,
+        SP_PROT_TLS1_0_CLIENT = 0x00000080,
+        SP_PROT_TLS1_1_SERVER = 0x00000100,
+        SP_PROT_TLS1_1_CLIENT = 0x00000200,
+        SP_PROT_TLS1_2_SERVER = 0x00000400,
+        SP_PROT_TLS1_2_CLIENT = 0x00000800,
+        SP_PROT_TLS1_3_SERVER = 0x00001000,
+        SP_PROT_TLS1_3_CLIENT = 0x00002000,
+        SP_PROT_NONE = 0x0,
+
+        // Combinations for easier use when mapping to SslProtocols
+        SP_PROT_SSL2 = SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT,
+        SP_PROT_SSL3 = SP_PROT_SSL3_SERVER | SP_PROT_SSL3_CLIENT,
+        SP_PROT_TLS1_0 = SP_PROT_TLS1_0_SERVER | SP_PROT_TLS1_0_CLIENT,
+        SP_PROT_TLS1_1 = SP_PROT_TLS1_1_SERVER | SP_PROT_TLS1_1_CLIENT,
+        SP_PROT_TLS1_2 = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT,
+        SP_PROT_TLS1_3 = SP_PROT_TLS1_3_SERVER | SP_PROT_TLS1_3_CLIENT,
+    }
+}
@@ -277,63 +277,4 @@ override protected bool ReleaseHandle()
             return true;
         }
     }
-
-    internal sealed class WritePacketCache : IDisposable
-    {
-        private bool _disposed;
-        private Stack<SNIPacket> _packets;
-
-        public WritePacketCache()
-        {
-            _disposed = false;
-            _packets = new Stack<SNIPacket>();
-        }
-
-        public SNIPacket Take(SNIHandle sniHandle)
-        {
-            SNIPacket packet;
-            if (_packets.Count > 0)
-            {
-                // Success - reset the packet
-                packet = _packets.Pop();
-                SniNativeWrapper.SniPacketReset(sniHandle, IoType.WRITE, packet, ConsumerNumber.SNI_Consumer_SNI);
-            }
-            else
-            {
-                // Failed to take a packet - create a new one
-                packet = new SNIPacket(sniHandle);
-            }
-            return packet;
-        }
-
-        public void Add(SNIPacket packet)
-        {
-            if (!_disposed)
-            {
-                _packets.Push(packet);
-            }
-            else
-            {
-                // If we're disposed, then get rid of any packets added to us
-                packet.Dispose();
-            }
-        }
-
-        public void Clear()
-        {
-            while (_packets.Count > 0)
-            {
-                _packets.Pop().Dispose();
-            }
-        }
-
-        public void Dispose()
-        {
-            if (!_disposed)
-            {
-                _disposed = true;
-                Clear();
-            }
-        }
-    }
 }
@@ -527,10 +527,10 @@ internal abstract void CreatePhysicalSNIHandle(
             string cachedFQDN,
             ref SQLDNSInfo pendingDNSInfo,
             string serverSPN,
-            bool isIntegratedSecurity = false,
-            bool tlsFirst = false,
-            string hostNameInCertificate = "",
-            string serverCertificateFilename = "");
+            bool isIntegratedSecurity,
+            bool tlsFirst,
+            string hostNameInCertificate,
+            string serverCertificateFilename);
 
         internal abstract uint EnableSsl(ref uint info, bool tlsFirst, string serverCertificateFilename);