Reputation: 121
I wonder how to force a .NET application targeting .NET Framework 4.8 to use TLS 1.2 or later (including future TLS versions).
The application executes as a Windows service. For >98% of the users it is correctly using TLS 1.2, but in a couple of cases it tries to use older versions like TLS 1.0 or even SSL 3.0. The users who have had issues with it using older TLS versions have been able to resolve it by making registry changes, but telling users to reconfigure settings in the Windows registry is a bit risky.
I have followed Microsoft's recommendation not to hardcode the application to a specific TLS version and instead just rely on the OS default (https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls).
So what I wonder is: Is there some way in a .NET application to:
I know I can hardcode the TLS version using `ServicePointManager.SecurityProtocol`, but this goes against Microsoft's recommendation, and if I hardcode it to TLS 1.2 and 1.3, then whenever TLS 1.4 is used and the customer's OS is patched to support it, my application will still use TLS 1.3, which I don't want.
Upvotes: 2
Views: 20501
Reputation: 139
```csharp
// SystemDefault is a member of SecurityProtocolType, not of System.Net itself.
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.SystemDefault;
```
Action Item: Testing
Disable TLS 1.2 on the server.
Disabling TLS 1.2 also means the server app should work with TLS 1.3, since our app and server are supported by OS 2022 and .NET Framework 4.8 respectively.
I have tried the following scenarios.
Scenario 1: Registry change
```powershell
# Cmdlet assumed to be New-ItemProperty -Path; the post listed only the arguments.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value "0" -Type DWord
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value "0" -Type DWord
```
Result: While doing so, the server and app stop responding in many ways (you can't remote into the server, the Payer and Member URLs don't respond, etc.).
Scenario 2: Workaround. Introduced a new property "DisableByDefault" with value 1 in the following paths:
```powershell
# Cmdlet assumed to be New-ItemProperty -Path; the post listed only the arguments.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisableByDefault" -Value "1" -Type DWord
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisableByDefault" -Value "1" -Type DWord
```
Restart server.
Configure Firefox with the values below.
TLS 1.3 = {min 4, max 4, fallback 4} Result: app started working
TLS 1.2 = {min 3, max 3, fallback 3} Result: app stopped working
That way we can conclude that TLS 1.2 is disabled and TLS 1.3 is enabled.
Above are the scenarios and steps I followed to disable TLS 1.2 and enable TLS 1.3.
Upvotes: 0
Reputation: 359
What about adding the TLS declaration before calling the action?
```csharp
public static void UploadFile()
{
    // Pins the process-wide default to TLS 1.2 only.
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
}
```
Upvotes: 1
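A way to get what the question asks for, a floor of TLS 1.2 with no ceiling, as an added example that is neither the asker's nor either answerer's code. It assumes .NET Framework 4.8 (where `SslProtocols.None` means "use the OS default") and assumes that any future TLS version will carry a larger `SslProtocols` value than `Tls12`; the class name `TlsFloor` and its helper names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example (not from the question or either answer): enforce a TLS
// *floor* of 1.2 while still letting Schannel pick the newest version it has.
// Assumes .NET Framework 4.8, where SslProtocols.None means "OS default".
static class TlsFloor
{
    // SslStream.SslProtocol reports the single negotiated version. Assumption:
    // a version newer than TLS 1.3 gets a larger enum value, so a ">= Tls12"
    // comparison admits it without a code change, while SSL 3.0, TLS 1.0 and
    // TLS 1.1 are rejected.
    public static bool MeetsFloor(SslProtocols negotiated)
    {
        return negotiated != SslProtocols.None
            && (int)negotiated >= (int)SslProtocols.Tls12;
    }

    // Opens a TLS connection with the OS default protocol set, then refuses to
    // hand the stream to the caller if the negotiated version is below the floor.
    public static SslStream Connect(string host, int port)
    {
        var client = new TcpClient(host, port);
        // leaveInnerStreamOpen: false, so disposing the SslStream closes the socket.
        var ssl = new SslStream(client.GetStream(), false);
        try
        {
            // SslProtocols.None = let Schannel choose (OS default, no ceiling).
            ssl.AuthenticateAsClient(host, null, SslProtocols.None, true);
            if (!MeetsFloor(ssl.SslProtocol))
            {
                // Nothing has been sent yet; close before any application data flows.
                throw new AuthenticationException(
                    "Negotiated " + ssl.SslProtocol + " with " + host +
                    "; TLS 1.2 or newer is required.");
            }
            return ssl;
        }
        catch
        {
            ssl.Dispose();
            throw;
        }
    }
}
```

Log the rejected version where the exception is thrown: a client that negotiates TLS 1.0 despite this app asking for the OS default is the field signal that the machine's Schannel defaults are misconfigured, which is the diagnostic the question's registry workaround lacks.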