I have a simple question but can't find an answer anywhere. I have a WCF server application. I want it to use ONLY TLS 1.2.

I have no control over the client and am not able to edit the SCHANNEL settings on the machine.

I already tried the following, which seems to work only for outgoing connections (client side):

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 

Is there any way to restrict the server to TLS 1.2 only, in code?

EDIT: I am using a net.tcp binding and create bindings like this:

using System;
using System.Net.Security;
using System.Security.Authentication;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

private static Binding CreateNetTcpBinding()
{
    return new NetTcpBinding
    {
        ReceiveTimeout = TimeSpan.FromMinutes(10),

        ReliableSession =
        {
            Enabled = true,
            InactivityTimeout = TimeSpan.FromMinutes(1)
        },
        Security =
        {
            Mode = SecurityMode.Transport,
            Transport =
            {
                ClientCredentialType = TcpClientCredentialType.Windows,
                ProtectionLevel = ProtectionLevel.EncryptAndSign,
                SslProtocols = SslProtocols.Tls12
            },
            Message =
            {
                AlgorithmSuite = SecurityAlgorithmSuite.xxx, // <-- not here on purpose
                ClientCredentialType = MessageCredentialType.Windows
            }
        }
    };
}

If someone could tell me where to check the TLS version of the current connection (some context), that would also be enough!

Thank you in advance!

Dominik
  • Been a while since I stumbled upon a good WCF question! – iamkrillin Mar 29 '17 at 01:24
  • Looks like your issue is addressed in [.NET Framework 4.7](https://msdn.microsoft.com/en-us/library/ms171868(v=vs.110).aspx#v47) - **Ability to configure the default message security settings to TLS 1.1 or TLS 1.2** – Ivan Stoev Apr 14 '17 at 13:58

2 Answers


There are indeed a few properties in the ServicePointManager besides SecurityProtocol which are checked during the authentication step, but they are all internal. There also seems to be no visible backdoor to override the entire implementation of the SslStream or TcpTransportSecurity, which implement the skeleton of the transport security for the NetTcpBinding, either.

public partial class ServicePointManager {
    ...
    internal static bool DisableStrongCrypto
    internal static bool DisableSystemDefaultTlsVersions 
    internal static SslProtocols DefaultSslProtocols
    ...
}

If you have write permission for server machine registry, check out what @JohnLouros described very well one year ago in his posts on how to disable weak protocols and how to enable strong cryptography.

Here is another good answer from @MattSmith describing how authentication for the NetTcpBinding is handled by the operating system itself behind the scenes.

Eugene Komisarenko
  • Hmm... so it seems it's not really possible to just do something like I can do on the client with setting an enum value. To be honest I'm disappointed with the .NET framework in that point. Maybe it's also me not understanding something right. – Dominik Apr 18 '17 at 01:29
  • That's why I think having its code opened for community to contribute makes a lot of sense. You should be able to report this to the team or even pull it out and work on the required changes yourself. – Eugene Komisarenko Apr 18 '17 at 12:43
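The answer above names SslStream as the layer underneath NetTcpBinding's transport security, and that layer does expose both things the question asks for: AuthenticateAsServer takes the set of protocols the server will accept, and SslStream.SslProtocol reports what was negotiated on the current connection. The following is an added example, not code from the question or either answer, of a raw SslStream listener restricted to TLS 1.2; the PFX path, its password and port 8443 are placeholders, and WCF does not surface these knobs for a NetTcpBinding with Windows credentials, so this shows the underlying API rather than a WCF setting.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class Tls12OnlyListener
{
    // Assumption: a PFX holding the server certificate and its private key at
    // this placeholder path, protected with a placeholder password.
    static X509Certificate2 LoadServerCertificate() =>
        new X509Certificate2(@"C:\placeholder\server.pfx", "placeholder-password");

    static void Main()
    {
        var cert = LoadServerCertificate();
        var listener = new TcpListener(IPAddress.Loopback, 8443);
        listener.Start();
        while (true)
        {
            using (var client = listener.AcceptTcpClient())
            using (var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false))
            {
                try
                {
                    // Server-side restriction: only TLS 1.2 is enabled for this
                    // handshake, independent of ServicePointManager.SecurityProtocol
                    // (which only governs outgoing connections).
                    ssl.AuthenticateAsServer(cert, clientCertificateRequired: false,
                        enabledSslProtocols: SslProtocols.Tls12, checkCertificateRevocation: false);
                    // The version actually negotiated for the current connection.
                    Console.WriteLine("Negotiated: " + ssl.SslProtocol);
                }
                catch (AuthenticationException ex)
                {
                    // A client that offers only TLS 1.0 or 1.1 ends up here.
                    Console.WriteLine("Handshake rejected: " + ex.Message);
                }
            }
        }
    }
}
```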

Did you try to use ServicePointManager.ServerCertificateValidationCallback? This callback gives you an opportunity to validate the server certificate yourself. For example, something like this:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
    ...
static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
    // Your logic here for certificate validation.
    // Return true only when the certificate is acceptable; rejecting on any
    // policy error keeps the default checks in place.
    return error == SslPolicyErrors.None;
}
Qwerty Qwerty