7

I am trying to check, from the ASP.NET perspective, what security protocol the client is using when it interacts with my application. I have different applications hosted: ASP.NET web applications, ASMX web services, ASP.NET MVC, WCF services. Please suggest how I can know whether the request comes through the SSL or TLS protocol.

My intention is to tell my application users to use TLS and not to use SSL3 because of the POODLE vulnerability.

Nagendra
  • Have you checked http://stackoverflow.com/questions/26389899/how-do-i-disable-ssl-fallback-and-use-only-tls-for-outbound-connections-in-net ? – haim770 Jan 21 '15 at 10:59
  • Yes, I checked this. I want to educate my users not to use it. For this I want to know which protocol my user requested. – Nagendra Jan 21 '15 at 11:11
  • I doubt you have a way to extract the transport-level protocol name, as the ASP.NET APIs deal directly with higher-level protocols like HTTP, HTTPS, etc. – Pankaj Kapare Jan 21 '15 at 11:16
  • Is there any way that I can interrupt at the IIS level to find it? – Nagendra Jan 21 '15 at 11:21
  • check http://stackoverflow.com/questions/21640/net-get-protocol-host-and-port – Amit Jan 21 '15 at 11:28
  • Amit, I wanted to check security protocol ssl/tls... – Nagendra Jan 21 '15 at 11:54
  • I mean authentication protocol for establishing connection between server and client. – Nagendra Feb 02 '15 at 14:28
  • You can't interrupt IIS, but you can certainly disable SSLv3 on IIS itself. Like in one of the top search results for "iis disable sslv3", https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm – Akash Kava Apr 22 '17 at 11:54

1 Answer

0

Basically, the protocol, i.e. SSL3 or TLS, doesn't depend on the application but mainly depends on the framework they are built on. In your question I couldn't find much information about the framework your applications are built on.

My intention is to tell my application users to use TLS and not to use SSL3 because of the POODLE vulnerability.

Your users might be using your web services or the ASMX service that was written and deployed on your server, so I would say that you can't ask the users to change their protocol, because it mainly depends on the framework they are using, i.e. the framework they built on. So, in order to achieve your goal, try to make your applications run on .NET Framework 4.5 by default and set them to use TLS as follows:

ServicePointManager.SecurityProtocol = (SecurityProtocolType)192; // 192 = Tls

Please find the following SecurityProtocolType reference:

   Ssl3 = 48,
   Tls = 192,
   Tls11 = 768,
   Tls12 = 3072,

In this way, instead of telling your users, you are actually making them use TLS when they request your services.

Community
Krsna Kishore
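Added example, not part of the answer above or of any project's code: the flag arithmetic behind the `SecurityProtocolType` values listed in the answer, clearing only the SSL3 bit instead of overwriting the whole setting with 192. The class and helper names (`OutboundTlsPolicy`, `WithoutSsl3`, `AllowsSsl3`) are hypothetical, and the sample inputs are constructed. `ServicePointManager` governs connections the application itself opens (the outbound case in the question linked in the first comment); what IIS accepts from clients is configured on the server, as the last comment notes.

```csharp
using System;
using System.Net;

static class OutboundTlsPolicy
{
    // Numeric values taken from the reference list in the answer.
    const SecurityProtocolType Ssl3  = (SecurityProtocolType)48;
    const SecurityProtocolType Tls   = (SecurityProtocolType)192;
    const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Clears the SSL3 bit and leaves every other enabled protocol untouched.
    public static SecurityProtocolType WithoutSsl3(SecurityProtocolType current)
    {
        // 0 is SystemDefault on .NET Framework 4.7 and later: the OS decides, so leave it.
        if (current == 0) return current;

        SecurityProtocolType result = current & ~Ssl3;

        // If SSL3 was the only protocol enabled, fall back to the TLS versions.
        return result == 0 ? (Tls | Tls11 | Tls12) : result;
    }

    public static bool AllowsSsl3(SecurityProtocolType value)
    {
        return (value & Ssl3) != 0;
    }

    static void Main()
    {
        // Constructed sample settings: 240 = Ssl3 | Tls, 48 = Ssl3 only,
        // 4032 = Tls | Tls11 | Tls12.
        foreach (int raw in new[] { 240, 48, 4032 })
        {
            SecurityProtocolType after = WithoutSsl3((SecurityProtocolType)raw);
            Console.WriteLine("{0,4} -> {1,4}  SSL3 still allowed: {2}",
                              raw, (int)after, AllowsSsl3(after));
        }

        // Apply once at startup (for example in Application_Start),
        // before the application makes any outbound request.
        ServicePointManager.SecurityProtocol =
            WithoutSsl3(ServicePointManager.SecurityProtocol);
    }
}
```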