From c9e1d1549b99ef3bb21b499a15893a410decf23c Mon Sep 17 00:00:00 2001
From: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Date: Fri, 16 Aug 2024 14:43:00 +0200
Subject: [PATCH] Replace TlsStream type by using SslStream directly (#106451)

* Remove TlsStream from System.Net.Mail

* Remove TlsStream from System.Net.Requests

* Delete TlsStream.cs

* Update src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs

Co-authored-by: Miha Zupan <mihazupan.zupan1@gmail.com>

* Update src/libraries/System.Net.Requests/src/System/Net/FtpDataStream.cs

---------

Co-authored-by: Miha Zupan <mihazupan.zupan1@gmail.com>
---
 .../Common/src/System/Net/TlsStream.cs        | 106 ------------------
 .../src/System.Net.Mail.csproj                |   2 -
 .../src/System/Net/Mail/SmtpConnection.cs     |  78 ++++++++-----
 .../Unit/System.Net.Mail.Unit.Tests.csproj    |   6 +-
 .../src/System.Net.Requests.csproj            |   2 -
 .../src/System/Net/FtpControlStream.cs        |  95 ++++++++++------
 .../src/System/Net/FtpDataStream.cs           |  57 +++++-----
 .../src/System/Net/NetworkStreamWrapper.cs    |  69 ++++++------
 8 files changed, 179 insertions(+), 236 deletions(-)
 delete mode 100644 src/libraries/Common/src/System/Net/TlsStream.cs

diff --git a/src/libraries/Common/src/System/Net/TlsStream.cs b/src/libraries/Common/src/System/Net/TlsStream.cs
deleted file mode 100644
index 286d02688b38b..0000000000000
--- a/src/libraries/Common/src/System/Net/TlsStream.cs
+++ /dev/null
@@ -1,106 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System.Net.Security;
-using System.Net.Sockets;
-using System.Security.Authentication;
-using System.Security.Cryptography.X509Certificates;
-using System.Threading;
-using System.Threading.Tasks;
-
-#pragma warning disable SYSLIB0014 // ServicePointManager is obsolete
-// This type is used by FtpWebRequest (already obsolete) and SmtpClient (discouraged).
-
-namespace System.Net
-{
-    internal sealed class TlsStream : NetworkStream
-    {
-        private readonly SslStream _sslStream;
-        private readonly string _host;
-        private readonly X509CertificateCollection? _clientCertificates;
-
-        public TlsStream(NetworkStream stream, Socket socket, string host, X509CertificateCollection? clientCertificates) : base(socket)
-        {
-            _sslStream = new SslStream(stream, false, ServicePointManager.ServerCertificateValidationCallback);
-            _host = host;
-            _clientCertificates = clientCertificates;
-        }
-
-        public void AuthenticateAsClient()
-        {
-            _sslStream.AuthenticateAsClient(
-                _host,
-                _clientCertificates,
-                (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
-                ServicePointManager.CheckCertificateRevocationList);
-        }
-
-        public IAsyncResult BeginAuthenticateAsClient(AsyncCallback? asyncCallback, object? state)
-        {
-            return _sslStream.BeginAuthenticateAsClient(
-                _host,
-                _clientCertificates,
-                (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
-                ServicePointManager.CheckCertificateRevocationList,
-                asyncCallback,
-                state);
-        }
-
-        public void EndAuthenticateAsClient(IAsyncResult asyncResult)
-        {
-            _sslStream.EndAuthenticateAsClient(asyncResult);
-        }
-
-        public override void Write(byte[] buffer, int offset, int size)
-        {
-            _sslStream.Write(buffer, offset, size);
-        }
-
-        public override IAsyncResult BeginWrite(byte[] buffer, int offset, int size, AsyncCallback? callback, object? state)
-        {
-            return _sslStream.BeginWrite(buffer, offset, size, callback, state);
-        }
-
-        public override void EndWrite(IAsyncResult result)
-        {
-            _sslStream.EndWrite(result);
-        }
-
-        public override Task WriteAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken)
-        {
-            return _sslStream.WriteAsync(buffer, offset, count, cancellationToken);
-        }
-
-        public override ValueTask WriteAsync(ReadOnlyMemory<byte> buffer, CancellationToken cancellationToken = default(CancellationToken))
-        {
-            return _sslStream.WriteAsync(buffer, cancellationToken);
-        }
-
-        public override int Read(byte[] buffer, int offset, int size)
-        {
-            return _sslStream.Read(buffer, offset, size);
-        }
-
-        public override Task<int> ReadAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken)
-        {
-            return _sslStream.ReadAsync(buffer, offset, count, cancellationToken);
-        }
-
-        public override IAsyncResult BeginRead(byte[] buffer, int offset, int count, AsyncCallback? callback, object? state)
-        {
-            return _sslStream.BeginRead(buffer, offset, count, callback, state);
-        }
-
-        public override int EndRead(IAsyncResult asyncResult)
-        {
-            return _sslStream.EndRead(asyncResult);
-        }
-
-        public override void Close()
-        {
-            base.Close();
-
-            _sslStream?.Close();
-        }
-    }
-}
diff --git a/src/libraries/System.Net.Mail/src/System.Net.Mail.csproj b/src/libraries/System.Net.Mail/src/System.Net.Mail.csproj
index db37efc40b049..c07188adcd018 100644
--- a/src/libraries/System.Net.Mail/src/System.Net.Mail.csproj
+++ b/src/libraries/System.Net.Mail/src/System.Net.Mail.csproj
@@ -110,8 +110,6 @@
              Link="Common\System\Net\DebugSafeHandleZeroOrMinusOneIsInvalid.cs" />
     <Compile Include="$(CommonPath)System\Net\DebugSafeHandle.cs"
              Link="Common\System\Net\DebugSafeHandle.cs" />
-    <Compile Include="$(CommonPath)System\Net\TlsStream.cs"
-             Link="Common\System\Net\TlsStream.cs" />
     <Compile Include="$(CommonPath)System\Net\InternalException.cs"
              Link="Common\System\Net\InternalException.cs" />
     <Compile Include="$(CommonPath)System\Net\ExceptionCheck.cs"
diff --git a/src/libraries/System.Net.Mail/src/System/Net/Mail/SmtpConnection.cs b/src/libraries/System.Net.Mail/src/System/Net/Mail/SmtpConnection.cs
index bc2a2bcbfa0c3..3dfc0d9214df7 100644
--- a/src/libraries/System.Net.Mail/src/System/Net/Mail/SmtpConnection.cs
+++ b/src/libraries/System.Net.Mail/src/System/Net/Mail/SmtpConnection.cs
@@ -28,7 +28,7 @@ internal sealed partial class SmtpConnection
         private readonly EventHandler? _onCloseHandler;
         internal SmtpTransport? _parent;
         private readonly SmtpClient? _client;
-        private NetworkStream? _networkStream;
+        private Stream? _stream;
         internal TcpClient? _tcpClient;
         private SmtpReplyReaderFactory? _responseReader;
 
@@ -82,7 +82,7 @@ internal X509CertificateCollection? ClientCertificates
         internal void InitializeConnection(string host, int port)
         {
             _tcpClient!.Connect(host, port);
-            _networkStream = _tcpClient.GetStream();
+            _stream = _tcpClient.GetStream();
         }
 
         internal IAsyncResult BeginInitializeConnection(string host, int port, AsyncCallback? callback, object? state)
@@ -93,7 +93,7 @@ internal IAsyncResult BeginInitializeConnection(string host, int port, AsyncCall
         internal void EndInitializeConnection(IAsyncResult result)
         {
             _tcpClient!.EndConnect(result);
-            _networkStream = _tcpClient.GetStream();
+            _stream = _tcpClient.GetStream();
         }
 
         internal IAsyncResult BeginGetConnection(ContextAwareResult outerResult, AsyncCallback? callback, object? state, string host, int port)
@@ -105,18 +105,18 @@ internal IAsyncResult BeginGetConnection(ContextAwareResult outerResult, AsyncCa
 
         internal IAsyncResult BeginFlush(AsyncCallback? callback, object? state)
         {
-            return _networkStream!.BeginWrite(_bufferBuilder.GetBuffer(), 0, _bufferBuilder.Length, callback, state);
+            return _stream!.BeginWrite(_bufferBuilder.GetBuffer(), 0, _bufferBuilder.Length, callback, state);
         }
 
         internal void EndFlush(IAsyncResult result)
         {
-            _networkStream!.EndWrite(result);
+            _stream!.EndWrite(result);
             _bufferBuilder.Reset();
         }
 
         internal void Flush()
         {
-            _networkStream!.Write(_bufferBuilder.GetBuffer(), 0, _bufferBuilder.Length);
+            _stream!.Write(_bufferBuilder.GetBuffer(), 0, _bufferBuilder.Length);
             _bufferBuilder.Reset();
         }
 
@@ -150,7 +150,7 @@ private void ShutdownConnection(bool isAbort)
                             finally
                             {
                                 //free cbt buffer
-                                _networkStream?.Close();
+                                _stream?.Close();
                                 _tcpClient.Dispose();
                             }
                         }
@@ -190,7 +190,7 @@ internal void GetConnection(string host, int port)
             }
 
             InitializeConnection(host, port);
-            _responseReader = new SmtpReplyReaderFactory(_networkStream!);
+            _responseReader = new SmtpReplyReaderFactory(_stream!);
 
             LineInfo info = _responseReader.GetNextReplyReader().ReadLine();
 
@@ -225,17 +225,25 @@ internal void GetConnection(string host, int port)
                 if (!_serverSupportsStartTls)
                 {
                     // Either TLS is already established or server does not support TLS
-                    if (!(_networkStream is TlsStream))
+                    if (!(_stream is SslStream))
                     {
                         throw new SmtpException(SR.MailServerDoesNotSupportStartTls);
                     }
                 }
 
                 StartTlsCommand.Send(this);
-                TlsStream tlsStream = new TlsStream(_networkStream!, _tcpClient!.Client, host, _clientCertificates);
-                tlsStream.AuthenticateAsClient();
-                _networkStream = tlsStream;
-                _responseReader = new SmtpReplyReaderFactory(_networkStream);
+#pragma warning disable SYSLIB0014 // ServicePointManager is obsolete
+                SslStream sslStream = new SslStream(_stream!, false, ServicePointManager.ServerCertificateValidationCallback);
+
+                sslStream.AuthenticateAsClient(
+                    host,
+                    _clientCertificates,
+                    (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
+                    ServicePointManager.CheckCertificateRevocationList);
+#pragma warning restore SYSLIB0014 // ServicePointManager is obsolete
+
+                _stream = sslStream;
+                _responseReader = new SmtpReplyReaderFactory(_stream);
 
                 // According to RFC 3207: The client SHOULD send an EHLO command
                 // as the first command after a successful TLS negotiation.
@@ -362,7 +370,7 @@ internal static void EndGetConnection(IAsyncResult result)
 
         internal Stream GetClosableStream()
         {
-            ClosableStream cs = new ClosableStream(_networkStream!, _onCloseHandler);
+            ClosableStream cs = new ClosableStream(_stream!, _onCloseHandler);
             _isStreamOpen = true;
             return cs;
         }
@@ -460,7 +468,7 @@ private static void InitializeConnectionCallback(IAsyncResult result)
 
             private void Handshake()
             {
-                _connection._responseReader = new SmtpReplyReaderFactory(_connection._networkStream!);
+                _connection._responseReader = new SmtpReplyReaderFactory(_connection._stream!);
 
                 SmtpReplyReader reader = _connection.Reader!.GetNextReplyReader();
                 IAsyncResult result = reader.BeginReadLine(s_handshakeCallback, this);
@@ -533,10 +541,10 @@ private bool SendEHello()
                 {
                     _connection._extensions = EHelloCommand.EndSend(result);
                     _connection.ParseExtensions(_connection._extensions);
-                    // If we already have a TlsStream, this is the second EHLO cmd
+                    // If we already have a SslStream, this is the second EHLO cmd
                     // that we sent after TLS handshake compelted. So skip TLS and
                     // continue with Authenticate.
-                    if (_connection._networkStream is TlsStream)
+                    if (_connection._stream is SslStream)
                     {
                         Authenticate();
                         return true;
@@ -547,7 +555,7 @@ private bool SendEHello()
                         if (!_connection._serverSupportsStartTls)
                         {
                             // Either TLS is already established or server does not support TLS
-                            if (!(_connection._networkStream is TlsStream))
+                            if (!(_connection._stream is SslStream))
                             {
                                 throw new SmtpException(SR.MailServerDoesNotSupportStartTls);
                             }
@@ -579,7 +587,7 @@ private static void SendEHelloCallback(IAsyncResult result)
                             // If we already have a SSlStream, this is the second EHLO cmd
                             // that we sent after TLS handshake compelted. So skip TLS and
                             // continue with Authenticate.
-                            if (thisPtr._connection._networkStream is TlsStream)
+                            if (thisPtr._connection._stream is SslStream)
                             {
                                 thisPtr.Authenticate();
                                 return;
@@ -606,7 +614,7 @@ private static void SendEHelloCallback(IAsyncResult result)
                             if (!thisPtr._connection._serverSupportsStartTls)
                             {
                                 // Either TLS is already established or server does not support TLS
-                                if (!(thisPtr._connection._networkStream is TlsStream))
+                                if (!(thisPtr._connection._stream is SslStream))
                                 {
                                     throw new SmtpException(SR.MailServerDoesNotSupportStartTls);
                                 }
@@ -663,7 +671,7 @@ private bool SendStartTls()
                 if (result.CompletedSynchronously)
                 {
                     StartTlsCommand.EndSend(result);
-                    TlsStreamAuthenticate();
+                    SslStreamAuthenticate();
                     return true;
                 }
                 return false;
@@ -677,7 +685,7 @@ private static void SendStartTlsCallback(IAsyncResult result)
                     try
                     {
                         StartTlsCommand.EndSend(result);
-                        thisPtr.TlsStreamAuthenticate();
+                        thisPtr.SslStreamAuthenticate();
                     }
                     catch (Exception e)
                     {
@@ -686,29 +694,39 @@ private static void SendStartTlsCallback(IAsyncResult result)
                 }
             }
 
-            private bool TlsStreamAuthenticate()
+            private bool SslStreamAuthenticate()
             {
-                _connection._networkStream = new TlsStream(_connection._networkStream!, _connection._tcpClient!.Client, _host, _connection._clientCertificates);
-                IAsyncResult result = ((TlsStream)_connection._networkStream).BeginAuthenticateAsClient(TlsStreamAuthenticateCallback, this);
+#pragma warning disable SYSLIB0014 // ServicePointManager is obsolete
+                _connection._stream = new SslStream(_connection._stream!, false, ServicePointManager.ServerCertificateValidationCallback);
+
+                IAsyncResult result = ((SslStream)_connection._stream).BeginAuthenticateAsClient(
+                    _host,
+                    _connection._clientCertificates,
+                    (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
+                    ServicePointManager.CheckCertificateRevocationList,
+                    SslStreamAuthenticateCallback,
+                    this);
+#pragma warning restore SYSLIB0014 // ServicePointManager is obsolete
+
                 if (result.CompletedSynchronously)
                 {
-                    ((TlsStream)_connection._networkStream).EndAuthenticateAsClient(result);
-                    _connection._responseReader = new SmtpReplyReaderFactory(_connection._networkStream);
+                    ((SslStream)_connection._stream).EndAuthenticateAsClient(result);
+                    _connection._responseReader = new SmtpReplyReaderFactory(_connection._stream);
                     SendEHello();
                     return true;
                 }
                 return false;
             }
 
-            private static void TlsStreamAuthenticateCallback(IAsyncResult result)
+            private static void SslStreamAuthenticateCallback(IAsyncResult result)
             {
                 if (!result.CompletedSynchronously)
                 {
                     ConnectAndHandshakeAsyncResult thisPtr = (ConnectAndHandshakeAsyncResult)result.AsyncState!;
                     try
                     {
-                        (thisPtr._connection._networkStream as TlsStream)!.EndAuthenticateAsClient(result);
-                        thisPtr._connection._responseReader = new SmtpReplyReaderFactory(thisPtr._connection._networkStream);
+                        (thisPtr._connection._stream as SslStream)!.EndAuthenticateAsClient(result);
+                        thisPtr._connection._responseReader = new SmtpReplyReaderFactory(thisPtr._connection._stream);
                         thisPtr.SendEHello();
                     }
                     catch (Exception e)
diff --git a/src/libraries/System.Net.Mail/tests/Unit/System.Net.Mail.Unit.Tests.csproj b/src/libraries/System.Net.Mail/tests/Unit/System.Net.Mail.Unit.Tests.csproj
index f5e3e0f1eb4e1..888f2e4754131 100644
--- a/src/libraries/System.Net.Mail/tests/Unit/System.Net.Mail.Unit.Tests.csproj
+++ b/src/libraries/System.Net.Mail/tests/Unit/System.Net.Mail.Unit.Tests.csproj
@@ -112,8 +112,6 @@
              Link="ProductionCode\BufferBuilder.cs" />
     <Compile Include="$(CommonPath)DisableRuntimeMarshalling.cs"
              Link="Common\DisableRuntimeMarshalling.cs" />
-    <Compile Include="$(CommonPath)System\Net\TlsStream.cs"
-             Link="Common\System\Net\TlsStream.cs" />
     <Compile Include="$(CommonPath)System\Net\InternalException.cs"
              Link="Common\System\Net\InternalException.cs" />
     <Compile Include="$(CommonPath)System\Net\LazyAsyncResult.cs"
@@ -140,8 +138,8 @@
              Link="Common\System\HexConverter.cs" />
     <Compile Include="$(CommonPath)System\Obsoletions.cs"
              Link="Common\System\Obsoletions.cs" />
-    <Compile Include="$(CommonPath)System\Text\ValueStringBuilder.cs" 
-             Link="Common\System\Text\ValueStringBuilder.cs" /> 
+    <Compile Include="$(CommonPath)System\Text\ValueStringBuilder.cs"
+             Link="Common\System\Text\ValueStringBuilder.cs" />
   </ItemGroup>
   <!-- Unix specific files -->
   <ItemGroup Condition="'$(TargetPlatformIdentifier)' == 'unix'">
diff --git a/src/libraries/System.Net.Requests/src/System.Net.Requests.csproj b/src/libraries/System.Net.Requests/src/System.Net.Requests.csproj
index 46bda299d9a64..9d879b250d948 100644
--- a/src/libraries/System.Net.Requests/src/System.Net.Requests.csproj
+++ b/src/libraries/System.Net.Requests/src/System.Net.Requests.csproj
@@ -81,8 +81,6 @@
              Link="Common\System\Net\ContextAwareResult.cs" />
     <Compile Include="$(CommonPath)System\Net\ExceptionCheck.cs"
              Link="Common\System\Net\ExceptionCheck.cs" />
-    <Compile Include="$(CommonPath)System\Net\TlsStream.cs"
-             Link="Common\System\Net\TlsStream.cs" />
     <Compile Include="$(CommonPath)System\Net\SecurityProtocol.cs"
              Link="Common\System\Net\SecurityProtocol.cs" />
     <Compile Include="$(CommonPath)System\NotImplemented.cs"
diff --git a/src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs b/src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs
index ffba72c9315d2..0834714367c82 100644
--- a/src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs
+++ b/src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs
@@ -6,6 +6,8 @@
 using System.Globalization;
 using System.IO;
 using System.Net.Sockets;
+using System.Net.Security;
+using System.Security.Authentication;
 using System.Text;
 
 namespace System.Net
@@ -27,8 +29,9 @@ internal enum FtpLoginState : byte
     internal sealed class FtpControlStream : CommandStream
     {
         private Socket? _dataSocket;
+        private NetworkStream? _dataStream;
         private IPEndPoint? _passiveEndPoint;
-        private TlsStream? _tlsStream;
+        private SslStream? _sslStream;
 
         private StringBuilder? _bannerMessage;
         private StringBuilder? _welcomeMessage;
@@ -147,7 +150,7 @@ private static void SSLHandshakeCallback(IAsyncResult asyncResult)
             FtpControlStream connection = (FtpControlStream)asyncResult.AsyncState!;
             try
             {
-                connection._tlsStream!.EndAuthenticateAsClient(asyncResult);
+                connection._sslStream!.EndAuthenticateAsClient(asyncResult);
                 connection.ContinueCommandPipeline();
             }
             catch (Exception e)
@@ -165,38 +168,51 @@ private PipelineInstruction QueueOrCreateFtpDataStream(ref Stream? stream)
                 throw new InternalException();
 
             //
-            // Re-entered pipeline with completed read on the TlsStream
+            // Re-entered pipeline with completed read on the SslStream
             //
-            if (_tlsStream != null)
+            if (_sslStream != null)
             {
-                stream = new FtpDataStream(_tlsStream, (FtpWebRequest)_request!, IsFtpDataStreamWriteable());
-                _tlsStream = null;
+                Debug.Assert(_dataStream != null, "Data stream is null");
+
+                stream = new FtpDataStream(_sslStream, _dataStream!, (FtpWebRequest)_request!, IsFtpDataStreamWriteable());
+                _sslStream = null;
                 return PipelineInstruction.GiveStream;
             }
 
-            NetworkStream networkStream = new NetworkStream(_dataSocket, true);
+            _dataStream = new NetworkStream(_dataSocket, true);
 
             if (UsingSecureStream)
             {
                 FtpWebRequest request = (FtpWebRequest)_request!;
 
-                TlsStream tlsStream = new TlsStream(networkStream, _dataSocket, request.RequestUri.Host, request.ClientCertificates);
-                networkStream = tlsStream;
+#pragma warning disable SYSLIB0014 // ServicePointManager is obsolete
+                SslStream sslStream = new SslStream(_dataStream, false, ServicePointManager.ServerCertificateValidationCallback);
 
                 if (_isAsync)
                 {
-                    _tlsStream = tlsStream;
-
-                    tlsStream.BeginAuthenticateAsClient(s_SSLHandshakeCallback, this);
+                    _sslStream = sslStream;
+
+                    sslStream.BeginAuthenticateAsClient(
+                        request.RequestUri.Host,
+                        request.ClientCertificates,
+                        (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
+                        ServicePointManager.CheckCertificateRevocationList,
+                        s_SSLHandshakeCallback,
+                        this);
                     return PipelineInstruction.Pause;
                 }
                 else
                 {
-                    tlsStream.AuthenticateAsClient();
+                    sslStream.AuthenticateAsClient(
+                        request.RequestUri.Host,
+                        request.ClientCertificates,
+                        (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
+                        ServicePointManager.CheckCertificateRevocationList);
                 }
+#pragma warning restore SYSLIB0014 // ServicePointManager is obsolete
             }
 
-            stream = new FtpDataStream(networkStream, (FtpWebRequest)_request!, IsFtpDataStreamWriteable());
+            stream = new FtpDataStream((Stream?)_sslStream ?? _dataStream, _dataStream, (FtpWebRequest)_request!, IsFtpDataStreamWriteable());
             return PipelineInstruction.GiveStream;
         }
 
@@ -211,7 +227,8 @@ protected override void ClearState()
 
             _dataSocket = null;
             _passiveEndPoint = null;
-            _tlsStream = null;
+            _sslStream = null;
+            _dataStream = null;
 
             base.ClearState();
         }
@@ -370,39 +387,51 @@ protected override PipelineInstruction PipelineCallback(PipelineEntry? entry, Re
             // OR set us up for SSL/TLS, after this we'll be writing securely
             else if (status == FtpStatusCode.ServerWantsSecureSession)
             {
-                // If NetworkStream is a TlsStream, then this must be in the async callback
+                // If NetworkStream is a SslStream, then this must be in the async callback
                 // from completing the SSL handshake.
                 // So just let the pipeline continue.
-                if (!(NetworkStream is TlsStream))
+                if (!(Stream is SslStream))
                 {
                     FtpWebRequest request = (FtpWebRequest)_request!;
-                    TlsStream tlsStream = new TlsStream(NetworkStream, Socket, request.RequestUri.Host, request.ClientCertificates);
+#pragma warning disable SYSLIB0014 // ServicePointManager is obsolete
+                    SslStream sslStream = new SslStream(Stream, false, ServicePointManager.ServerCertificateValidationCallback);
 
                     if (_isAsync)
                     {
-                        tlsStream.BeginAuthenticateAsClient(ar =>
-                        {
-                            try
-                            {
-                                tlsStream.EndAuthenticateAsClient(ar);
-                                NetworkStream = tlsStream;
-                                this.ContinueCommandPipeline();
-                            }
-                            catch (Exception e)
+                        sslStream.BeginAuthenticateAsClient(
+                            request.RequestUri.Host,
+                            request.ClientCertificates,
+                            (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
+                            ServicePointManager.CheckCertificateRevocationList,
+                            ar =>
                             {
-                                this.CloseSocket();
-                                this.InvokeRequestCallback(e);
-                            }
-                        }, null);
+                                try
+                                {
+                                    sslStream.EndAuthenticateAsClient(ar);
+                                    Stream = sslStream;
+                                    this.ContinueCommandPipeline();
+                                }
+                                catch (Exception e)
+                                {
+                                    this.CloseSocket();
+                                    this.InvokeRequestCallback(e);
+                                }
+                            },
+                            null);
 
                         return PipelineInstruction.Pause;
                     }
                     else
                     {
-                        tlsStream.AuthenticateAsClient();
-                        NetworkStream = tlsStream;
+                        sslStream.AuthenticateAsClient(
+                            request.RequestUri.Host,
+                            request.ClientCertificates,
+                            (SslProtocols)ServicePointManager.SecurityProtocol, // enums use same values
+                            ServicePointManager.CheckCertificateRevocationList);
+                        Stream = sslStream;
                     }
                 }
+#pragma warning restore SYSLIB0014 // ServicePointManager is obsolete
             }
             // OR parse out the file size or file time, usually a result of sending SIZE/MDTM commands
             else if (status == FtpStatusCode.FileStatus)
diff --git a/src/libraries/System.Net.Requests/src/System/Net/FtpDataStream.cs b/src/libraries/System.Net.Requests/src/System/Net/FtpDataStream.cs
index 9cd8b06a61042..129052a971307 100644
--- a/src/libraries/System.Net.Requests/src/System/Net/FtpDataStream.cs
+++ b/src/libraries/System.Net.Requests/src/System/Net/FtpDataStream.cs
@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.IO;
+using System.Net.Security;
 using System.Net.Sockets;
 using System.Runtime.ExceptionServices;
 
@@ -15,7 +16,8 @@ namespace System.Net
     internal sealed class FtpDataStream : Stream, ICloseEx
     {
         private readonly FtpWebRequest _request;
-        private readonly NetworkStream _networkStream;
+        private readonly Stream _stream;
+        private readonly NetworkStream _originalStream;
         private bool _writeable;
         private bool _readable;
         private bool _isFullyRead;
@@ -23,7 +25,7 @@ internal sealed class FtpDataStream : Stream, ICloseEx
 
         private const int DefaultCloseTimeout = -1;
 
-        internal FtpDataStream(NetworkStream networkStream, FtpWebRequest request, TriState writeOnly)
+        internal FtpDataStream(Stream stream, NetworkStream originalStream, FtpWebRequest request, TriState writeOnly)
         {
             if (NetEventSource.Log.IsEnabled()) NetEventSource.Info(this);
 
@@ -37,7 +39,8 @@ internal FtpDataStream(NetworkStream networkStream, FtpWebRequest request, TriSt
             {
                 _writeable = false;
             }
-            _networkStream = networkStream;
+            _stream = stream;
+            _originalStream = originalStream;
             _request = request;
         }
 
@@ -75,9 +78,9 @@ void ICloseEx.CloseEx(CloseExState closeState)
                 try
                 {
                     if ((closeState & CloseExState.Abort) == 0)
-                        _networkStream.Close(DefaultCloseTimeout);
+                        _originalStream.Close(DefaultCloseTimeout);
                     else
-                        _networkStream.Close(0);
+                        _originalStream.Close(0);
                 }
                 finally
                 {
@@ -125,7 +128,7 @@ public override bool CanSeek
         {
             get
             {
-                return _networkStream.CanSeek;
+                return _stream.CanSeek;
             }
         }
 
@@ -141,7 +144,7 @@ public override long Length
         {
             get
             {
-                return _networkStream.Length;
+                return _stream.Length;
             }
         }
 
@@ -149,12 +152,12 @@ public override long Position
         {
             get
             {
-                return _networkStream.Position;
+                return _stream.Position;
             }
 
             set
             {
-                _networkStream.Position = value;
+                _stream.Position = value;
             }
         }
 
@@ -163,7 +166,7 @@ public override long Seek(long offset, SeekOrigin origin)
             CheckError();
             try
             {
-                return _networkStream.Seek(offset, origin);
+                return _stream.Seek(offset, origin);
             }
             catch
             {
@@ -178,7 +181,7 @@ public override int Read(byte[] buffer, int offset, int size)
             int readBytes;
             try
             {
-                readBytes = _networkStream.Read(buffer, offset, size);
+                readBytes = _stream.Read(buffer, offset, size);
             }
             catch
             {
@@ -199,7 +202,7 @@ public override int Read(Span<byte> buffer)
             int readBytes;
             try
             {
-                readBytes = _networkStream.Read(buffer);
+                readBytes = _stream.Read(buffer);
             }
             catch
             {
@@ -219,7 +222,7 @@ public override void Write(byte[] buffer, int offset, int size)
             CheckError();
             try
             {
-                _networkStream.Write(buffer, offset, size);
+                _stream.Write(buffer, offset, size);
             }
             catch
             {
@@ -233,7 +236,7 @@ public override void Write(ReadOnlySpan<byte> buffer)
             CheckError();
             try
             {
-                _networkStream.Write(buffer);
+                _stream.Write(buffer);
             }
             catch
             {
@@ -249,7 +252,7 @@ private void AsyncReadCallback(IAsyncResult ar)
             {
                 try
                 {
-                    int readBytes = _networkStream.EndRead(ar);
+                    int readBytes = _stream.EndRead(ar);
                     if (readBytes == 0)
                     {
                         _isFullyRead = true;
@@ -273,7 +276,7 @@ public override IAsyncResult BeginRead(byte[] buffer, int offset, int size, Asyn
             LazyAsyncResult userResult = new LazyAsyncResult(this, state, callback);
             try
             {
-                _networkStream.BeginRead(buffer, offset, size, new AsyncCallback(AsyncReadCallback), userResult);
+                _stream.BeginRead(buffer, offset, size, new AsyncCallback(AsyncReadCallback), userResult);
             }
             catch
             {
@@ -307,7 +310,7 @@ public override IAsyncResult BeginWrite(byte[] buffer, int offset, int size, Asy
             CheckError();
             try
             {
-                return _networkStream.BeginWrite(buffer, offset, size, callback, state);
+                return _stream.BeginWrite(buffer, offset, size, callback, state);
             }
             catch
             {
@@ -320,7 +323,7 @@ public override void EndWrite(IAsyncResult asyncResult)
         {
             try
             {
-                _networkStream.EndWrite(asyncResult);
+                _stream.EndWrite(asyncResult);
             }
             finally
             {
@@ -330,19 +333,19 @@ public override void EndWrite(IAsyncResult asyncResult)
 
         public override void Flush()
         {
-            _networkStream.Flush();
+            _stream.Flush();
         }
 
         public override void SetLength(long value)
         {
-            _networkStream.SetLength(value);
+            _stream.SetLength(value);
         }
 
         public override bool CanTimeout
         {
             get
             {
-                return _networkStream.CanTimeout;
+                return _stream.CanTimeout;
             }
         }
 
@@ -350,11 +353,11 @@ public override int ReadTimeout
         {
             get
             {
-                return _networkStream.ReadTimeout;
+                return _stream.ReadTimeout;
             }
             set
             {
-                _networkStream.ReadTimeout = value;
+                _stream.ReadTimeout = value;
             }
         }
 
@@ -362,18 +365,18 @@ public override int WriteTimeout
         {
             get
             {
-                return _networkStream.WriteTimeout;
+                return _stream.WriteTimeout;
             }
             set
             {
-                _networkStream.WriteTimeout = value;
+                _stream.WriteTimeout = value;
             }
         }
 
         internal void SetSocketTimeoutOption(int timeout)
         {
-            _networkStream.ReadTimeout = timeout;
-            _networkStream.WriteTimeout = timeout;
+            _stream.ReadTimeout = timeout;
+            _stream.WriteTimeout = timeout;
         }
     }
 }
diff --git a/src/libraries/System.Net.Requests/src/System/Net/NetworkStreamWrapper.cs b/src/libraries/System.Net.Requests/src/System/Net/NetworkStreamWrapper.cs
index 134c773d74a73..3d8b4e2604fef 100644
--- a/src/libraries/System.Net.Requests/src/System/Net/NetworkStreamWrapper.cs
+++ b/src/libraries/System.Net.Requests/src/System/Net/NetworkStreamWrapper.cs
@@ -1,7 +1,9 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Diagnostics;
 using System.IO;
+using System.Net.Security;
 using System.Net.Sockets;
 using System.Threading;
 using System.Threading.Tasks;
@@ -11,6 +13,7 @@ namespace System.Net
     internal class NetworkStreamWrapper : Stream
     {
         private NetworkStream _networkStream;
+        private SslStream? _sslStream;
 
         internal NetworkStreamWrapper(NetworkStream stream)
         {
@@ -21,7 +24,7 @@ protected bool UsingSecureStream
         {
             get
             {
-                return (_networkStream is TlsStream);
+                return _sslStream != null;
             }
         }
 
@@ -41,15 +44,17 @@ internal Socket Socket
             }
         }
 
-        internal NetworkStream NetworkStream
+        internal Stream Stream
         {
             get
             {
-                return _networkStream;
+                return (Stream?)_sslStream ?? _networkStream;
             }
             set
             {
-                _networkStream = value;
+                // The setter is only used to upgrade to secure connection by wrapping the _networkStream
+                Debug.Assert(value is SslStream, "Expected SslStream");
+                _sslStream = (SslStream)value;
             }
         }
 
@@ -57,7 +62,7 @@ public override bool CanRead
         {
             get
             {
-                return _networkStream.CanRead;
+                return Stream.CanRead;
             }
         }
 
@@ -65,7 +70,7 @@ public override bool CanSeek
         {
             get
             {
-                return _networkStream.CanSeek;
+                return Stream.CanSeek;
             }
         }
 
@@ -73,7 +78,7 @@ public override bool CanWrite
         {
             get
             {
-                return _networkStream.CanWrite;
+                return Stream.CanWrite;
             }
         }
 
@@ -81,7 +86,7 @@ public override bool CanTimeout
         {
             get
             {
-                return _networkStream.CanTimeout;
+                return Stream.CanTimeout;
             }
         }
 
@@ -89,11 +94,11 @@ public override int ReadTimeout
         {
             get
             {
-                return _networkStream.ReadTimeout;
+                return Stream.ReadTimeout;
             }
             set
             {
-                _networkStream.ReadTimeout = value;
+                Stream.ReadTimeout = value;
             }
         }
 
@@ -101,11 +106,11 @@ public override int WriteTimeout
         {
             get
             {
-                return _networkStream.WriteTimeout;
+                return Stream.WriteTimeout;
             }
             set
             {
-                _networkStream.WriteTimeout = value;
+                Stream.WriteTimeout = value;
             }
         }
 
@@ -113,7 +118,7 @@ public override long Length
         {
             get
             {
-                return _networkStream.Length;
+                return Stream.Length;
             }
         }
 
@@ -121,27 +126,27 @@ public override long Position
         {
             get
             {
-                return _networkStream.Position;
+                return Stream.Position;
             }
             set
             {
-                _networkStream.Position = value;
+                Stream.Position = value;
             }
         }
 
         public override long Seek(long offset, SeekOrigin origin)
         {
-            return _networkStream.Seek(offset, origin);
+            return Stream.Seek(offset, origin);
         }
 
         public override int Read(byte[] buffer, int offset, int size)
         {
-            return _networkStream.Read(buffer, offset, size);
+            return Stream.Read(buffer, offset, size);
         }
 
         public override void Write(byte[] buffer, int offset, int size)
         {
-            _networkStream.Write(buffer, offset, size);
+            Stream.Write(buffer, offset, size);
         }
 
         protected override void Dispose(bool disposing)
@@ -162,7 +167,7 @@ protected override void Dispose(bool disposing)
 
         internal void CloseSocket()
         {
-            _networkStream.Close();
+            Stream.Close();
         }
 
         public void Close(int timeout)
@@ -172,63 +177,63 @@ public void Close(int timeout)
 
         public override IAsyncResult BeginRead(byte[] buffer, int offset, int size, AsyncCallback? callback, object? state)
         {
-            return _networkStream.BeginRead(buffer, offset, size, callback, state);
+            return Stream.BeginRead(buffer, offset, size, callback, state);
         }
 
         public override int EndRead(IAsyncResult asyncResult)
         {
-            return _networkStream.EndRead(asyncResult);
+            return Stream.EndRead(asyncResult);
         }
 
         public override Task<int> ReadAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken)
         {
-            return _networkStream.ReadAsync(buffer, offset, count, cancellationToken);
+            return Stream.ReadAsync(buffer, offset, count, cancellationToken);
         }
 
         public override ValueTask<int> ReadAsync(Memory<byte> buffer, CancellationToken cancellationToken = default)
         {
-            return _networkStream.ReadAsync(buffer, cancellationToken);
+            return Stream.ReadAsync(buffer, cancellationToken);
         }
 
         public override IAsyncResult BeginWrite(byte[] buffer, int offset, int size, AsyncCallback? callback, object? state)
         {
-            return _networkStream.BeginWrite(buffer, offset, size, callback, state);
+            return Stream.BeginWrite(buffer, offset, size, callback, state);
         }
 
         public override void EndWrite(IAsyncResult asyncResult)
         {
-            _networkStream.EndWrite(asyncResult);
+            Stream.EndWrite(asyncResult);
         }
 
         public override Task WriteAsync(byte[] buffer, int offset, int count, CancellationToken cancellationToken)
         {
-            return _networkStream.WriteAsync(buffer, offset, count, cancellationToken);
+            return Stream.WriteAsync(buffer, offset, count, cancellationToken);
         }
 
         public override ValueTask WriteAsync(ReadOnlyMemory<byte> buffer, CancellationToken cancellationToken = default)
         {
-            return _networkStream.WriteAsync(buffer, cancellationToken);
+            return Stream.WriteAsync(buffer, cancellationToken);
         }
 
         public override void Flush()
         {
-            _networkStream.Flush();
+            Stream.Flush();
         }
 
         public override Task FlushAsync(CancellationToken cancellationToken)
         {
-            return _networkStream.FlushAsync(cancellationToken);
+            return Stream.FlushAsync(cancellationToken);
         }
 
         public override void SetLength(long value)
         {
-            _networkStream.SetLength(value);
+            Stream.SetLength(value);
         }
 
         internal void SetSocketTimeoutOption(int timeout)
         {
-            _networkStream.ReadTimeout = timeout;
-            _networkStream.WriteTimeout = timeout;
+            Stream.ReadTimeout = timeout;
+            Stream.WriteTimeout = timeout;
         }
     }
 } // System.Net