I got TLS 1.0 disabled. So we are trying to use TLS 1.2 in our .Net application which is using .Net Framework 4.0.

I have added the code for this at the start

```csharp
System.Net.ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
```

It works perfectly on my local system.

But I am not sure why it's not working when I deploy the code on the server (Windows Server 2008 R2). I checked everything. The .NET Framework is present on the server. But still it's giving the same issue on the server only.

Is there anything I'm missing here?

omkar patade
  • Possible duplicate of [Default SecurityProtocol in .NET 4.5](http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5) – VMAtm Mar 20 '17 at 03:52

2 Answers

According to this post:

.NET 4.0 supports up to TLS 1.0 while .NET 4.5 supports up to TLS 1.2

However, an application targeting .NET 4.0 can still support up to TLS 1.2 if .NET 4.5 is installed in the same environment. .NET 4.5 installs on top of .NET 4.0, replacing System.dll.

So basically you need to upgrade your server to .Net 4.5 to enable TLS 1.2.

Also, you can simplify your code and make it more readable:

```csharp
using System.Net;

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
```

Related MSDN articles:

VMAtm
  • Does this mean, if I have a WinForms application and need TLS 1.2 support for SOAP requests, that I will have to change it to .NET 4.5 and ensure all users have that framework installed? – NickG Mar 21 '17 at 18:22
  • Yes, otherwise it will not work. If you can do this: `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls`, this may do the trick, but it will still probably crash, as you say you got `TLS 1.0` disabled. – VMAtm Mar 21 '17 at 18:25
  • `SecurityProtocolType.Tls12` doesn't even exist in .NET 4.0 but I can use the int. However it seems there's no way round the fact that users will need .NET 4.5 installed. – NickG Mar 21 '17 at 18:32
  • Yeah, as has been said in the referenced answer, you'll get the `NotSupportedException` when setting the `Tls12` value for `SecurityProtocol` – VMAtm Mar 21 '17 at 18:34
  • If you want TLS 1.2 without code changes, you really want .NET 4.6 or higher. True that TLS 1.2 is supported in .NET 4.5, but not enabled as a communication protocol by default until .NET 4.6. More info here: https://github.com/TheLevelUp/pos-tls-patcher – user24601 Mar 08 '18 at 03:13
  • It's really not a good idea to hardcode the security protocol in application code. Read [TLS best practices with .NET](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls) for more info. – user24601 Mar 16 '18 at 01:52
  • Of course one should move the protocol to a config file, it's an example. Not everything should be in system settings – VMAtm Mar 16 '18 at 02:49

If you want to use TLS 1.2 in existing .NET 4.x code without application code changes, you'll need the following:

  1. Install .NET framework 4.6 or higher. This is needed to use TLS 1.2 as a protocol by default in combination with proper Windows registry keys.

  2. Set the following .NET Framework strong cryptography registry keys:

On 32-bit and 64-bit versions of Windows:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
```

On 64-bit versions of Windows:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
```

The WOW6432Node value is used by 32-bit applications when run on a 64-bit system.

For more information see: https://github.com/TheLevelUp/pos-tls-patcher

Update: It's really not a good idea to hardcode the security protocol in application code. You want the OS doing this for you. See Transport Layer Security (TLS) best practices with the .NET Framework for further reading.

user24601
  • @VijayKumbhoje yes, if you want IIS to use TLS 1.2. However, you probably want to look at upgrading to Windows 10 and latest version of IIS and .NET Framework. – user24601 Jul 10 '20 at 16:21
  • I believe these registry settings are still required then. At least until Microsoft changes them to be the default behavior which I imagine will eventually happen. – user24601 Jul 10 '20 at 16:27
  • @VijayKumbhoje, this may also help you: https://www.nartac.com/Products/IISCrypto – user24601 Jul 10 '20 at 16:32
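
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original posts: a console program, compiled against .NET Framework 4.0 and run on the server, that reports the installed 4.x release, the `SchUseStrongCrypto` value in both registry views, and whether the loaded `System.dll` accepts the TLS 1.2 value. The class name `Tls12Check` and the output wording are made up for this example; the `Release` thresholds (378389 for 4.5, 393295 for 4.6) are Microsoft's documented minimums.

```csharp
// Added diagnostic example; Tls12Check is a hypothetical name, not project code.
using System;
using System.Net;
using Microsoft.Win32;

static class Tls12Check
{
    const string SetupKey  = @"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full";
    const string CryptoKey = @"SOFTWARE\Microsoft\.NETFramework\v4.0.30319";

    // Reads a DWORD from HKLM in the given registry view; null if key or value is absent.
    static int? ReadDword(RegistryView view, string subKey, string name)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = hklm.OpenSubKey(subKey))
        {
            return key == null ? null : key.GetValue(name) as int?;
        }
    }

    static string Show(int? v) { return v.HasValue ? v.Value.ToString() : "not set"; }

    static void Main()
    {
        // A missing Release value means only the original 4.0 build is installed.
        int? release = ReadDword(RegistryView.Registry64, SetupKey, "Release");
        Console.WriteLine("Release value      : {0}", Show(release));
        Console.WriteLine(".NET 4.5 or later  : {0}", release >= 378389);
        Console.WriteLine(".NET 4.6 or later  : {0}", release >= 393295);

        // Registry32 is the Wow6432Node view used by 32-bit processes on 64-bit Windows.
        // On a 32-bit OS both calls read the same key.
        Console.WriteLine("SchUseStrongCrypto (64-bit view): {0}",
            Show(ReadDword(RegistryView.Registry64, CryptoKey, "SchUseStrongCrypto")));
        Console.WriteLine("SchUseStrongCrypto (32-bit view): {0}",
            Show(ReadDword(RegistryView.Registry32, CryptoKey, "SchUseStrongCrypto")));

        SecurityProtocolType before = ServicePointManager.SecurityProtocol;
        Console.WriteLine("Process default    : {0}", before);
        try
        {
            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; // TLS 1.2
            Console.WriteLine("TLS 1.2 value accepted by the installed System.dll");
        }
        catch (NotSupportedException) // the failure described in the comments above
        {
            Console.WriteLine("TLS 1.2 value rejected: .NET 4.5 or later is not installed");
        }
        finally { ServicePointManager.SecurityProtocol = before; }
    }
}
```

If "Process default" already lists `Tls12` once the registry values are set, the explicit assignment in application code is no longer needed.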