How to Check if a WPF based Thick Client application uses Transport Layer Security(TLS) or not

Question

We have a Windows based Desktop Thick Client App with front end built over WPF+Telerik and backend communication using WCF Web Services.

Right now the communication is happening over SSL3.0

Due to recent security issues with SSL3.0 it has been decided to use TLS 1.2 or TLS 1.1 on the server side to force all communication via TLS only.

We have tried verifying the underlying Web Service communication using Fiddler and Wireshark. We can see that the 200 "Tunnel to" requests are happening over TLS.

But is there any other way to cross check if TLS is being used explicitly and implicitly by the ThickClient App for the WebService Requests...?

Windows has pushed the TLS Hotfix in December 15 2014 Windows Update and the same is installed on the Windows 2008 R2 App Servers. SSL3.0 is not disabled yet as a fallback option but explicitly TLS is not enabled. But MS KB articles say TLS will take precedence(TLS1.2>TLS1.1>TLS1.0>SSL3.0)

Security Update(KnowledgeBase Article KB2992611 followed by another update KB3018238) was pushed on December 9th 2014 and the same has been installed via HP Monthly Patching on December 15th 2014 
Please check the following links for more details on the Security Patches and their impact. Official Microsoft Updates on the Patch for SSLv3.0 Vulnerability https://support2.microsoft.com/kb/2992611/en-us Link2: technet.microsoft.com/en-us/library/security/ms14-066.aspx

More information on Support for TLS Link3: blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx

Problems Identified with initial Patch KB2992611 and immediate fix via KB3018238 Link4 infoworld.com/article/2848574/operating-systems/microsoft-botches-kb-2992611-schannel-patch-tls-alert-code-40-slow-sql-server-block-iis-sites.html

Answer 1

If your intention is to test if TLS has been enabled on the server/can be negotiated, then you could write some probing code with TcpClient and SSLStream to force negotation of TLS, and see if it was actually negotiated. See:

• see SendMessageToServer in https://www.simple-talk.com/dotnet/.net-framework/tlsssl-and-.net-framework-4.0/

• How to create SSLStream which uses Ssl3 instead of Tls (change this to force TLS)

If you want to prevent SSL fallback on all "https" requests issued by any .NET code, then set it using this:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Note: applies it to the AppDomain, and so would affect any HttpWebRequests done in same AppDomain.

• How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation)

• Setting per request value for ServicePointManager.SecurityProtocol

• Set the SecurityProtocol (Ssl3 or TLS) on the .net HttpWebRequest per request

If you want to more explicit/advanced control of the WCF channel stack that is used to communicate with the server (so you can force that only TLS transport level security is used), then you could write your own StreamUpgradeProvider.

(I "think" you would establish your own Stream that is using TLS via use of TcpClient and SSlStream...and then you would make the channel upgrade to use it...(could be wrong on that)....or it is you wrap the Stream given to you in the upgrade with the SSlStream)

• https://msdn.microsoft.com/en-us/library/vstudio/aa738692(v=vs.100).aspx
• http://blogs.msdn.com/b/drnick/archive/2006/09/27/rot-128-stream-upgrade-sample_2c00_-part-1.aspx