Reputation: 2241
Changing security protocol per request (HttpClient)
I've got a Web API that must communicate with a few different services. Currently, I have the Web API set to use the following security protocol:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
When the API calls out to another service via HttpClient (say like Twitter), it will use that protocol. At the same time however, another request may come in to access something from the cloud, which for whatever reason, currently requires TLS (not TLS 1.2). The request to the cloud, before firing out, sets the security protocol again:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
The problem I'm running into is when two separate and unique requests come in, one for Twitter and one for the cloud, the security protocol could switch over to the "wrong one" before it's sent out, causing the request to fail.
Is there a way to set the security protocol on the HttpClient per request so that I'm not swapping around a setting in some singleton somewhere?
Upvotes: 25
Views: 24922
Answers (2)
Reputation: 357
You don't need to set it.
You can use:
using System.Net;
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
Additional Notes:
- Needed for .Net 4.5 because Tls12 is not a default protocol.
- Need to write the above code only once within the application. (For example within Global.asax > Application_Start within Web application or equivalent in Winforms application)
- For .Net 4.6 and above, Tls12 is a default protocol so it is not needed
Upvotes: 24
Reputation: 171188
There seems to be no way to do this. The SecurityProtocol property is only being used inside the internal TlsStream class in one place:
TlsStream seems to back all the internal TLS connections such as HTTP, FTP and SMTP.
I had hoped that ServicePoint allows you to configure this. For many settings ServicePointManager only provides the default. That hope was unfounded.
So this is quite strong evidence that this is not possible. It's no proof, though.
What should you do? I'd switch out the HTTP client library for the odd server you are talking to. HTTP is not a particularly complicated protocol. I'm sure there's some other implementation available.
Alternatively, use a proxy that terminates the HTTPS connection on your own server. .NET then only deals with HTTP.
Upvotes: 5
Related Questions
- Set the SecurityProtocol (Ssl3 or TLS) on the .net HttpWebRequest per request
- Make Https call using HttpClient
- How to specify SSL protocol to use for WebClient class
- How could an ASP.NET application enforce HTTPS on a per-API basis?
- How to ignore SSL policy to perform a HTTPClient request?
- .NET https requests with different security protocols across threads
- Force WebClient to use SSL
- How to invoke SSL enabled Web Api?
- How can I implement Https/SSL connection on Asp.Net Web API?
- C# WebClient HTTPS Authentication Policy