I currently have a web application that uses the .NET 3.5 framework and I am wondering if it will be compatible with TLS 1.2. Nowhere in our code are we dictating the TLS version. This is a legacy application and recompiling is not on the table right now. I am not finding much info on whether you can or cannot, but I was under the impression that compatibility is more dependent on the OS version. It looks like the minimum is 2008 R2. The goal is to get PayPal to communicate properly come July 1st.
5 Answers
As was mentioned .net 3.5.1 DOES now support TLS 1.2; but you don't need the registry changes mentioned by @Paulina's answer.
I'm using VS 2008 with .net 3.5.30729.4926. All I had to do was:
Add imports:
```vb
Imports System.Security.Authentication
Imports System.Net
```
Add this to my code (C#):
```csharp
// 0x00000C00 (3072) is the TLS 1.2 value; it is cast in because the 3.5 enums have no named member for it.
public const SslProtocols _Tls12 = (SslProtocols)0x00000C00;
public const SecurityProtocolType Tls12 = (SecurityProtocolType)_Tls12;
ServicePointManager.SecurityProtocol = Tls12;
```
VB.net version:
```vb
Const _Tls12 As SslProtocols = DirectCast(&HC00, SslProtocols)
Const Tls12 As SecurityProtocolType = DirectCast(_Tls12, SecurityProtocolType)
ServicePointManager.SecurityProtocol = Tls12
```
Culled from: https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-.net-framework
Note: by defining the const in my code I could ignore everything else in the article including the registry edits and cs files.

- Very good workaround suggestion instead of installing MS update and making changes to registry. It saved me tons of my time. – kumar chandraketu Sep 01 '17 at 17:44
- So you're aware, there is also a [Server 2012 R2 specific](https://support.microsoft.com/en-gb/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework) article/download available – freefaller Jul 30 '18 at 16:01
- Ah, thanks! I'm using Dynamics AX 2009. I was trying to reference a DLL that calls UPS Address Verification. My original code worked on the server, but not the client. Your answer fixed this for me. – manderson Aug 13 '18 at 17:20
As you can see from the docs, TLS 1.2 is not in the enumeration for `SslProtocols`; it was added to the enum in .NET 4.5 (thanks @orhun).
There is no workaround for TLS 1.2 compatibility on .NET 3.5.
Unfortunately you will have to upgrade to .NET 4.5 or later to get TLS 1.2 compatibility.
EDIT 10/11/17
My above answer is no longer accurate. In May of 2017, Microsoft released a package to allow TLS 1.2 in .NET 3.5.1.

- Technically you can even use TLS 1.2 in a 4.0 app as long as you have 4.5 installed on the machine (edge case I know, but still possible) – maccettura Apr 05 '17 at 20:09
- So a .NET 3.5 application won't work even if framework 4.6 is installed? – Chris Lombardi Apr 05 '17 at 20:11
- No, and I wouldn't even recommend trying the 4.0 edge case I mentioned above. – maccettura Apr 05 '17 at 20:12
- Yeah, you are right. I experienced a problem with TLS 1.2; it stays in my mind about .NET 4.5 :) – orhun.begendi Apr 05 '17 at 20:12
- Nothing like inheriting code that hasn't been updated or maintained in years. Thanks to you both. – Chris Lombardi Apr 05 '17 at 20:18
- Downvote because @Paulina provided an answer. There is an update to .NET 3.5.1 and classes: `SecurityProtocolTypeExtensions`, `SslProtocolsExtensions` that includes TLS 1.2 – Janis Veinbergs May 31 '17 at 08:19
- @JanisVeinbergs The answer was given in Apr of 2017, and the patch was released in May 2017. Seems you have some pretty lofty standards – Kevin Dahl Jan 29 '18 at 18:01
- @KevinDahl The thing is, people come to this site and may look at the top answer to find out the truth. That's why I downvoted it to try to push the accurate answer UP. But as the OP has lately edited his answer, after my comment, I did retract my downvote as people reading this answer can now find the accurate information. – Janis Veinbergs Feb 05 '18 at 12:19
- So you're aware, there is also a [Server 2012 R2 specific](https://support.microsoft.com/en-gb/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework) article/download available – freefaller Jul 30 '18 at 15:51
You can make TLS 1.2 work with Framework 3.5.
Microsoft have released an update for it.
Follow these steps:
- Install Support update for TLS in Framework 3.5 from here:
- Go to registry
  - Type regedit in start
  - Right click and run as administrator
- Navigate to registry keys
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
```
- Right click on the registry key and click Export. Name the file and save it with .reg extension (keep them as your backup in case you need to restore them)
- Add entry to registry keys
  - Make a copy of the saved files and rename them
  - Open with a text editor and add the following text to each key (this is for 64-bit operating system) and save changes (for 32-bit operating system look at the info in the link)
```
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
```
  - Double click on the file and click Yes on the window to allow changes
- Add code to your project as specified in the link - Developer Guidance section
I applied this solution and it worked for me.
- Your answer of editing the registry makes TLS 1.2 the System Default. Of course this is a good thing and should be done by system administrators. – D_Bester Jan 25 '18 at 16:13
- But this question is about developing a web application. Editing the registry is completely unnecessary. You should directly specify TLS 1.2 in your code instead of relying on the System Default in the registry. – D_Bester Jan 25 '18 at 16:13
- So you're aware, there is also a [Server 2012 R2 specific](https://support.microsoft.com/en-gb/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework) article/download available – freefaller Jul 30 '18 at 15:52
I have just verified that this is all you need in your code to enable support for TLS 1.2 in .NET Framework 3.5:
```csharp
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
```
I verified by creating a unit test in .NET Framework 3.5 that fetches this HTML page: https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Without the above line, the TLS test page says that I'm using TLS 1.0, which is .NET 3.5's default.
TLS 1.1 is deprecated along with 1.0, but if you want to enable it as well, you can use this line instead (not recommended):
```csharp
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072 | (SecurityProtocolType)768;
```
The "magic" values 3072 and 768 are taken from .NET Framework 4.5's version of the `SecurityProtocolType` enum:
- 192: Specifies the TLS 1.0 security protocol
- 768: Specifies the TLS 1.1 security protocol
- 3072: Specifies the TLS 1.2 security protocol
I'm not sure whether the server running this code has to have .NET Framework 4.5 runtime installed or not, but it could be so.

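An added example, not part of any of the answers above: a startup helper for a .NET 3.5 application that applies the numeric TLS 1.2 value quoted in the answers and then checks what a handshake with the target endpoint actually negotiates. The class and method names are hypothetical, the host passed to `Probe` is whatever service you need to reach, and the `NotSupportedException` branch assumes that a runtime without the TLS 1.2 update rejects the value.

```csharp
// Added example, written for C# 3.0 / .NET 3.5. Names are hypothetical.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

public static class Tls12Bootstrap
{
    // Numeric value of the TLS 1.2 member in the .NET 4.5 enums (0xC00 = 3072),
    // as quoted in the answers above; .NET 3.5 has no named member for it.
    private const SslProtocols Tls12Ssl = (SslProtocols)0x00000C00;
    private const SecurityProtocolType Tls12 = (SecurityProtocolType)0x00000C00;

    // Call once at startup (for a web application, e.g. Application_Start).
    // The property is static, so it affects every HttpWebRequest/WebClient
    // call in the application domain, not only the one next to it.
    public static bool TryEnable()
    {
        try
        {
            // Assign, do not OR with the previous value: the 3.5 default
            // (SSL 3.0 / TLS 1.0) should not remain enabled alongside TLS 1.2.
            ServicePointManager.SecurityProtocol = Tls12;
            return true;
        }
        catch (NotSupportedException)
        {
            // Assumption: an unpatched runtime refuses the unknown value.
            // Report it so the caller can log a clear deployment error.
            return false;
        }
    }

    // Performs a real handshake offering only TLS 1.2 and returns the protocol
    // that was negotiated. Default certificate validation stays in force.
    public static SslProtocols Probe(string host, int port)
    {
        using (TcpClient tcp = new TcpClient(host, port))
        using (SslStream ssl = new SslStream(tcp.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host, null, Tls12Ssl, true);
            return ssl.SslProtocol; // prints as 3072 on 3.5 (no enum name)
        }
    }
}
```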
I am having the same problem as the OP - old .NET 3.5 code having to connect to an external service using TLS 1.2.
As mentioned in the accepted answer there is a patch for TLS 1.2 released by MS.
After this they have released a patch for Server 2008 (not R2): https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/
So it should be possible to upgrade to TLS 1.2 while still running Server 2008.

- Choose the tags that best describe your question. For more info, read the guideline: https://stackoverflow.com/help/tagging – Mannan Bahelim Nov 10 '17 at 04:06