76

Since I just discovered that RFC 5425 requires TLS 1.2 to be used, and that .NET doesn't yet support it, I wonder if there are any implementations, possibly open source, of the TLS 1.2 protocol, as defined in RFC 5246.

A-Sharabiani
usr-local-ΕΨΗΕΛΩΝ
  • For .NET 3.5 you need to add a flag to force it to use TLS 1.2: https://stackoverflow.com/a/44893192/2559297 – D_Bester Jul 03 '17 at 20:13
  • Possible duplicate of [SSL and Outdated TLS(1.0 and 1.1) for Web Service client application on .Net 3.5](https://stackoverflow.com/questions/31317307/ssl-and-outdated-tls1-0-and-1-1-for-web-service-client-application-on-net-3-5). Voting to close this, older question because it's slightly less up to date. – Brian Jul 24 '17 at 12:42

10 Answers

79

Yes, though you have to turn on TLS 1.2 manually at System.Net.ServicePointManager.SecurityProtocol

using System.IO;
using System.Net;
// Opt in before the first request is made: on .NET 4.0/4.5 the default is Ssl3 | Tls
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls; // comparable to modern browsers
var response = WebRequest.Create("https://www.howsmyssl.com/").GetResponse();
var body = new StreamReader(response.GetResponseStream()).ReadToEnd();

Your client is using TLS 1.2, the most modern version of the encryption protocol


Out of the box, WebRequest will use TLS 1.0 or SSL 3.

Your client is using TLS 1.0, which is very old, possibly susceptible to the BEAST attack, and doesn't have the best cipher suites available on it. Additions like AES-GCM, and SHA256 to replace MD5-SHA-1 are unavailable to a TLS 1.0 client as well as many more modern cipher suites.

Colonel Panic
  • Is it possible to specify the SecurityProtocol via a setting in the app.exe.config? – Jeffrey LeCours Oct 01 '15 at 16:19
  • Doesn't this also depend on the OS/Server that the application is running on, since that's where the actual HTTP traffic will be created/received? – Don Cheadle Mar 08 '16 at 22:46
  • Thanks. Works like a charm. FYI this works on Windows 2012 server. I was told that Windows 2008 does not support TLS1.2. – LT Dan Jun 15 '16 at 22:17
  • You should be able to use TLS1.2 on 2008Svr. May need to install dotNet 4.5 framework. See: https://msdn.microsoft.com/en-us/library/8z6watww(v=vs.110).aspx – Toby Mar 07 '17 at 20:16
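The answer above covers WebRequest, but the question is about a syslog sender built on raw sockets, where the equivalent knob is the SslProtocols argument of SslStream.AuthenticateAsClient rather than ServicePointManager. The following is an added example, not code from the answer or from any project on this page: an RFC 5425 client that pins the handshake to TLS 1.2, checks what was actually negotiated, and refuses servers whose certificate does not validate. The collector host name is a placeholder and the syslog message is constructed; 6514 is the IANA-registered syslog-TLS port. It needs .NET Framework 4.5 or later, where SslProtocols.Tls12 exists.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: minimal RFC 5425 (syslog over TLS) sender pinned to TLS 1.2.
static class Rfc5425Client
{
    // Placeholder collector (assumption); 6514 is the IANA port for syslog over TLS.
    const string CollectorHost = "syslog.example.internal";
    const int CollectorPort = 6514;

    // RFC 5425 section 4.3 octet-counting framing: MSG-LEN SP SYSLOG-MSG.
    // The length is the byte count of the UTF-8 encoded message, not its character count.
    public static byte[] Frame(string syslogMsg)
    {
        byte[] msg = Encoding.UTF8.GetBytes(syslogMsg);
        byte[] header = Encoding.ASCII.GetBytes(msg.Length + " ");
        byte[] frame = new byte[header.Length + msg.Length];
        Buffer.BlockCopy(header, 0, frame, 0, header.Length);
        Buffer.BlockCopy(msg, 0, frame, header.Length, msg.Length);
        return frame;
    }

    // Never "return true" unconditionally here: that keeps the encryption but drops
    // the authentication, which is exactly what a man-in-the-middle needs.
    static bool ValidateServer(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            Console.Error.WriteLine("Rejecting server certificate: " + errors);
        return errors == SslPolicyErrors.None;
    }

    public static void Send(string syslogMsg)
    {
        using (var tcp = new TcpClient(CollectorHost, CollectorPort))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer))
        {
            // Offer TLS 1.2 only. A server that can only do 1.0 makes this throw
            // AuthenticationException instead of silently negotiating down.
            ssl.AuthenticateAsClient(CollectorHost, null, SslProtocols.Tls12, checkCertificateRevocation: true);

            // Check what was actually negotiated rather than trusting the request.
            if (ssl.SslProtocol != SslProtocols.Tls12)
                throw new AuthenticationException("Expected TLS 1.2, negotiated " + ssl.SslProtocol);

            byte[] frame = Frame(syslogMsg);
            ssl.Write(frame, 0, frame.Length);
            ssl.Flush();
        }
    }

    static void Main()
    {
        // Constructed RFC 5424 message; PRI, timestamp and host are sample values.
        Send("<34>1 2010-11-09T19:48:00Z host1 app - - - TLS 1.2 test message");
    }
}
```

Revocation checking is turned on deliberately; if the sender runs on a network segment with no path to the CA's CRL/OCSP endpoints the handshake fails, which is the safe direction for a log pipeline that may carry sensitive data. Drop the checkCertificateRevocation argument only after deciding that consciously.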
43

Just found that .Net Framework 4.5 now supports TLSv1.2
http://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx

fanyangxi
  • Actually, when you use the values of the SslProtocols constants and cast them to the enum, things work in .NET 4.0 as well – Sebastian Feb 21 '17 at 09:35
28

You can make use of the SchUseStrongCrypto registry setting to require all .NET applications to use TLS 1.2 instead of 1.0 by default.

Windows Registry Editor Version 5.00

; Native view (the only view on 32-bit Windows; the 64-bit view on 64-bit Windows)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

; 32-bit view on 64-bit Windows, read by 32-bit (x86) .NET processes
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Jeffrey LeCours
  • Microsoft should really update this value in one of their security updates. I can not believe the default is to enable SSL v3 and disable TLS 1.2, and the fix is a simple registry setting. – dana Nov 30 '15 at 23:37
  • .NET Framework 4.0 doesn't support TLS 1.1+, but Framework 4.5 does: fwk 4.0: https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.100).aspx fwk 4.5: https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx – Negarrak Jun 29 '16 at 00:18
  • There's now (Sept 2016) a bunch of different framework versions in the registry (4.0.30319, 4.5, 4.5.1, 4.5.23026, 4.5.50709). Which one needs updating - or all of them? – GlennG Sep 19 '16 at 15:21
  • The answer to this is below - you just need to set the 4.0.30319 one. – Jason Steele May 09 '17 at 13:17
  • It will work on Windows 2008 SP2 with Microsoft Update [KB4019276](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276). More info here: https://github.com/TheLevelUp/pos-tls-patcher – user24601 Mar 19 '18 at 01:14
12

I fixed my problem by switching to the latest .Net Framework. So your target Framework sets your Security Protocol.

when you have this in Web.config

<system.web>
  <httpRuntime targetFramework="4.5"/>
</system.web>

you will get this by default:

ServicePointManager.SecurityProtocol = Ssl3 | Tls

when you have this in Web.config

<system.web>
  <httpRuntime targetFramework="4.6.1"/>
</system.web>

you will get this by default:

ServicePointManager.SecurityProtocol = Tls12 | Tls11 | Tls
Eric
9

Just download this registry key and run it. It will add the necessary key to the .NET framework registry. You can have more info at this link. Search for 'Option 2' in '.NET 4.5 to 4.5.2'.

The reg file appends the following to the Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

This is the useful part of the page, in case the link breaks:

" .. enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value. "

T.S.
Samidjo
  • Hi, I have edited your answer to include the contents of the registry file. Reg files are normally considered "security sensitive", and experienced sysadmins won't blindly open the first reg file linked by someone else (with all the respect!). I think it will also be a **great** idea to quote part of the linked article, as per SO policy (no link-only answers - better say "no answers that 100% depend on links") – usr-local-ΕΨΗΕΛΩΝ Jun 27 '16 at 12:48
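Three of the answers on this page change the default SecurityProtocol by different routes: the SchUseStrongCrypto registry value (Jeffrey LeCours and Samidjo), the httpRuntime targetFramework (Eric), or an explicit assignment in code. Because the registry value is ignored by any process that sets ServicePointManager.SecurityProtocol itself, and because a 32-bit process reads the Wow6432Node hive, the only reliable verification is to ask the running process. The diagnostic below is an added example, not code from any of those answers; it reports both registry views and the effective protocol set, and opts in when TLS 1.2 is missing. The numeric casts (3072 and 768) are the documented Tls12 and Tls11 enum values and let it compile on a .NET 4.0 toolset; the 4.5 or later runtime must still be installed for them to take effect.

```csharp
using System;
using System.Net;
using Microsoft.Win32;

// Added example: report what this process will actually offer, so a registry,
// targetFramework or in-code change can be verified instead of assumed.
static class TlsAudit
{
    // SecurityProtocolType.Tls12 == 3072 and Tls11 == 768; the casts compile on .NET 4.0,
    // where the named members do not exist.
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;
    const SecurityProtocolType Tls11 = (SecurityProtocolType)768;

    // Reads SchUseStrongCrypto from one registry view (32-bit or 64-bit hive).
    // A missing key or value means the default, i.e. strong crypto is not enabled.
    public static bool StrongCryptoEnabled(RegistryView view)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = hklm.OpenSubKey(@"SOFTWARE\Microsoft\.NETFramework\v4.0.30319"))
        {
            if (key == null) return false;
            object value = key.GetValue("SchUseStrongCrypto");
            return value is int && (int)value == 1;
        }
    }

    // True only when both hives are set: x86 processes on 64-bit Windows read Wow6432Node.
    public static bool StrongCryptoEnabledForAllProcesses()
    {
        return StrongCryptoEnabled(RegistryView.Registry32) && StrongCryptoEnabled(RegistryView.Registry64);
    }

    // The value that matters at runtime, whichever mechanism set it.
    public static bool ProcessOffersTls12()
    {
        return (ServicePointManager.SecurityProtocol & Tls12) == Tls12;
    }

    static void Main()
    {
        Console.WriteLine("CLR version:                 " + Environment.Version);
        Console.WriteLine("Process is 64-bit:           " + Environment.Is64BitProcess);
        Console.WriteLine("SchUseStrongCrypto (32-bit): " + StrongCryptoEnabled(RegistryView.Registry32));
        Console.WriteLine("SchUseStrongCrypto (64-bit): " + StrongCryptoEnabled(RegistryView.Registry64));
        Console.WriteLine("Set for all processes:       " + StrongCryptoEnabledForAllProcesses());
        Console.WriteLine("Effective SecurityProtocol:  " + ServicePointManager.SecurityProtocol);
        Console.WriteLine("TLS 1.2 offered:             " + ProcessOffersTls12());

        if (!ProcessOffersTls12())
        {
            // Explicit opt-in overrides the registry default, for this process only.
            ServicePointManager.SecurityProtocol = Tls12 | Tls11 | SecurityProtocolType.Tls;
            Console.WriteLine("After opt-in:                " + ServicePointManager.SecurityProtocol);
        }
    }
}
```

Run it once as an x86 build and once as x64 (or AnyCPU) on the same machine: if only one of the two registry lines reports true, one of the process flavours will still fall back to "Ssl3, Tls", which is the situation the comment about multiple framework keys above was getting at.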
8

If you are dealing with older versions of .NET Framework, then support for TLS 1.2 is available in our SecureBlackbox product in both client and server components. SecureBlackbox contains its own implementation of all algorithms, so it doesn't matter which version of .NET-based framework you use (including .NET CF) - you'll have TLS 1.2 with the latest additions in all cases.

Please note that SecureBlackbox won't magically add TLS 1.2 to framework classes - instead you need to use SecureBlackbox classes and components explicitly.

Eugene Mayevski 'Callback
  • Since you said "our" :)... What about using this commercial component in an open source project? Thank you – usr-local-ΕΨΗΕΛΩΝ Nov 09 '10 at 20:39
  • Open source project doesn't necessarily mean that you need to open all code. – Eugene Mayevski 'Callback Nov 10 '10 at 08:56
  • Am I correct in thinking that this will satisfy the SSL requirements of PCI DSS 3.1? This would be very useful as there are a lot of XP-derived operating systems out there which are still under Microsoft support but cannot run .NET Framework 4.5. – user1069816 Sep 16 '15 at 11:07
  • @user1069816 I am not ready to officially confirm the conformance until we carefully analyze the requirements of PCI DSS 3.1. But in general SecureBlackbox fully implements TLS 1.2 and takes care of recent security-related findings and encapsulates the corresponding workarounds. – Eugene Mayevski 'Callback Sep 16 '15 at 14:50
  • Thanks, as far as I understand, fully implementing TLS 1.2 would be enough to conform with PCI DSS 3.1. – user1069816 Sep 17 '15 at 11:55
  • @user1069816 We have reviewed the PCI DSS 3.1. PCI-DSS 3.1 requires all compliant environments to get rid of support for SSL (2.0 and 3.0) and TLS 1.0 versions of the protocol by 30 June 2016 at the latest. This is easily achievable with SBB, which provides full support for TLS 1.1 and 1.2 and all modern cipher suites. – Eugene Mayevski 'Callback Sep 17 '15 at 17:01
  • @user1069816 As SecureBlackbox uses its own cryptographic and SSL/TLS engines, it is not dependent on specifics of the relevant functionality offered by the operating system or .NET framework. I.e. you can ensure your old XP machines stay PCI-DSS-compliant by migrating your WinAPI- or .NET 2.0-based software product to SecureBlackbox. – Eugene Mayevski 'Callback Sep 17 '15 at 17:01
4

The latest version of SSPI (bundled with Windows 7) has an implementation of TLS 1.2, which can be found in schannel.dll

Josh Stodola
  • Any guidance on how to use this in .NET? – foson Nov 18 '10 at 20:48
  • @foson It won't be pretty because SChannel is COM. There is a C++ example [here](http://www.coastrd.com/c-schannel-smtp) and some very useful notes [here](http://www.coastrd.com/tls-with-schannel) – Josh Stodola Nov 18 '10 at 21:37
3

.NET Framework 4.6 uses TLS 1.2 by default.

Moreover, only the host application needs to target .NET 4.6; referenced libraries may remain on older versions.

Anton Palyok
3

You can enable TLS 1.2 in IIS by following these instructions. I presume this would be sufficient if you have an ASP.NET-based application that runs on top of IIS, although it looks like it does not really meet your needs.

Justin Ethier
  • Sorry, this doesn't apply to me. I'm writing an application for running the Syslog protocol, which is very far from ASP.NET and uses regular sockets programming. Unfortunately I need a class equivalent to SslStream to provide me TLS 1.2 services :( – usr-local-ΕΨΗΕΛΩΝ Nov 09 '10 at 19:48
  • This link 403s now, but the new URL appears to be https://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html – Martin Costello Feb 28 '18 at 14:07
-1

As mentioned here, you can just add this line:

// 3072 == SecurityProtocolType.Tls12; the cast compiles on .NET 4.0, where the enum member does not exist (the 4.5+ runtime must still be installed for it to take effect)
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
bresleveloper