Description
The Braintree .NET SDK unconditionally mutates the process-wide static ServicePointManager.SecurityProtocol to include Tls12 on every request. This breaks WCF/SSPI endpoints and any .NET 4.7+ code that relies on OS-managed TLS negotiation (SystemDefault). This is a global side effect that can break other libraries.
Steps to reproduce:
- Use the Braintree .NET SDK in a .NET 4.7.2+ app.
- Make any Braintree API call.
- Observe: ServicePointManager.SecurityProtocol is changed from SystemDefault (0) to Tls12 (3072).
- Subsequent WCF/SSPI calls (e.g., wsHttpBinding with a client certificate) or other libraries relying on SystemDefault fail with "do not possess a common algorithm" or TLS negotiation errors.
Why This Is Critical:
.NET 4.7+ defaults to secure protocols (SystemDefault) and lets the OS negotiate the best TLS version.
Mutating SecurityProtocol globally breaks all other secure connections in the process, not just Braintree.
PCI compliance is not at risk: .NET 4.7+ already negotiates TLS 1.2+ by default.
What Should Be Fixed:
Only set ServicePointManager.SecurityProtocol |= Tls12 on .NET Framework 4.5.2–4.6.1, where it is needed.
On .NET 4.7+, do not mutate SecurityProtocol; let the OS manage it.
The code and file:
```csharp
// From HttpService.cs: the raw value is used because older reference
// assemblies do not define SecurityProtocolType.Tls12.
const int SecurityProtocolTypeTls12 = 3072;
ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol | ((SecurityProtocolType) SecurityProtocolTypeTls12);
```
https://github.com/braintree/braintree_dotnet/blob/master/src/Braintree/HttpService.cs
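As an added example (not the SDK's code), the unconditional mutation quoted above is shown beside a guarded form. Instead of detecting the framework version, it assumes the documented defaults and checks the current value: on .NET 4.7+ the default is SystemDefault (0), so the guard leaves it alone; on 4.5.2–4.6.1 the default is an explicit protocol list (non-zero), so Tls12 is added there. The class and method names are hypothetical.

```csharp
using System;
using System.Net;

// Hypothetical helper contrasting the SDK's current behaviour with a guarded one.
public static class TlsPolicy
{
    // Raw values so this compiles against older reference assemblies that
    // do not define SecurityProtocolType.SystemDefault / Tls12.
    const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;    // .NET 4.7+ default
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Current SDK behaviour: always writes the process-wide setting.
    // On .NET 4.7+ this turns 0 (SystemDefault) into 3072 (Tls12 only),
    // which is the global side effect that breaks WCF/SSPI callers.
    public static void EnableTls12Unconditionally()
    {
        ServicePointManager.SecurityProtocol |= Tls12;
    }

    // Guarded behaviour: only add Tls12 when the process already runs with an
    // explicit protocol list (the pre-4.7 default of Ssl3|Tls). SystemDefault
    // is left untouched so the OS keeps negotiating the version.
    // Returns true only when the global setting was actually changed.
    public static bool EnsureTls12IfExplicitList()
    {
        SecurityProtocolType current = ServicePointManager.SecurityProtocol;
        if (current == SystemDefault)
            return false;   // .NET 4.7+: OS-managed, nothing to do
        if ((current & Tls12) == Tls12)
            return false;   // already enabled, avoid a redundant global write
        ServicePointManager.SecurityProtocol = current | Tls12;
        return true;
    }

    // Diagnostic for application owners: read the value before and after the
    // first SDK call; a change from 0 to 3072 is the symptom described above.
    public static string Describe()
    {
        SecurityProtocolType current = ServicePointManager.SecurityProtocol;
        return current == SystemDefault
            ? "SystemDefault (0): OS-managed negotiation"
            : "explicit list: " + (int)current;
    }
}
```

The guard also stays correct if another component has already set Tls12 on .NET 4.7+, since a non-zero value is an explicit list and OR-ing Tls12 into it is harmless.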