.Net Framework 4.6.1 not defaulting to TLS 1.2

Question

Our client have recently upgrade the security protocol to TLS 1.2. Therefore We have our application upgraded to 4.6.1 expecting the security protocol will be default to TLS 1.2 but it is not. Any idea why?

TLS 1.2 does work in 4.6.2 by default - using HttpClient to retrieve Google.com homepage (TLS1.2) works without issues — Panagiotis Kanavos, May 09 '17 at 15:06
We are getting this error when connecting to server "This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case." However when adding this line in the startup method of Global.asax file fixed this issue. ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3; But we want to know why we need to set this if we have our application in .Net 4.6.1 — Harihara Iyer, May 09 '17 at 15:25
*What* error? What code? I can't reproduce anything with a console application targeting 4.6.1. If the *certificate* is wrong, you'll get an error with *any* client, including browsers. — Panagiotis Kanavos, May 09 '17 at 15:27
No repro with a console application targeting 4.6.1 on Windows 10, calling a web page that only accepts TLS1.2 with HttpClient. In fact, if I *force* TLS1.1 I get `The request was aborted: Could not create SSL/TLS secure channel.`. — Panagiotis Kanavos, May 09 '17 at 15:29
We had the exact same issue connecting to the Salesforce API, which recently started requiring TLS 1.2. Even with .NET 4.6.1, we were still getting TLS 1.0 connections (which were then rejected). Had to manually specify the ServicePointManager.SecurityProtocol just like you. I suspect an issue with the way the Salesforce API autonegotiates TLS version. — Neil Laslett, Oct 26 '17 at 14:12
See my solution here: https://stackoverflow.com/a/45442874/5785572 — Beltaine, Jun 28 '18 at 20:35

score 57 · Answer 1 · edited Apr 11 '18 at 15:55

57

I had a similar problem and this is what worked for me.

open Powershell and check for supported protocols by using [Net.ServicePointManager]::SecurityProtocol
Run the following 2 cmdlets to set .NET Framework strong cryptography registry keys:

set strong cryptography on 64 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

set strong cryptography on 32 bit .Net Framework (version 4 and above)

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Restart Powershell and check again for supported protocol by using [Net.ServicePointManager]::SecurityProtocol

It should now display Tls12 as well.

Hope this helps

edited Apr 11 '18 at 15:55

sonjz

4,870
3
42
60

answered Sep 12 '17 at 13:25

Kartik Gupta

571
4
4

This should most certainly work on .NET 4.x application code with .NET 4.6+ installed. – user24601 Mar 02 '18 at 05:09
2

Worked for me - Thank you! By the way, if time, please add a backslash between Microsoft and .NetFramework for others: "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord" .. Both commands are also the same. Perhaps a note could be made to this effect. Thanks again. – sean2078 Mar 17 '18 at 10:03
1

Thanks for the comments. The 64-bit should also include the Wow6432node key. Will fix. – user24601 Mar 22 '18 at 02:26
My last two edits have not been accepted, but you can see the correct registry key values in [my answer](https://stackoverflow.com/a/49063207/1368979) below. – user24601 Mar 28 '18 at 13:18
+1, fixed our issue, we had things in 4.6 and the issue was still there, probably because the default isn't in there until 4.7. some other articles on the web mentioned updating to 4.6 fixed it, not for us. thanks for the quick powershell fix. +1 +1 +1 – sonjz Apr 11 '18 at 15:39
Even though .Net 4.7 is installed on our servers, I still had to apply the changes mentioned in this answer to get it to work. – Hoodlum Jul 11 '18 at 13:40
This fixed me also. I was calling a C# dll cmdlet via powershell, and this is the only way that i could get it to work. /wasted hours – Omzig Dec 26 '18 at 15:34
Not working for me on Windows server 2008 which does have the TLS 1.2 hotfix installed. Command shell still returns `Ssl3, Tls` – xr280xr Jan 09 '19 at 14:32
Worked on Windows Server 2016, .Net 4.6.2 after restarting IIS - thanks! – JGlass Mar 28 '19 at 15:00
3

Note that for me, with .NET 4.7.2 installed, the `SecurityProtocol` returned `SystemDefault` both before and after executing the two commands. However, this did still work! – RichardM Nov 04 '19 at 20:58
I have been having the same issues and I just tried these steps but when I execute [Net.ServicePointManager]::SecurityProtocol after the two cmdlets, I still only see ssl3 and tls. TLS12 is not there – Walters Aug 11 '20 at 05:01

user24601 · Answer 2 · 2019-06-20T01:14:47.100

28

As others have mentioned there are a number of Windows Registry keys that must be set to enable TLS 1.2 in existing .NET applications without explicitly setting the protocol version in application code.

In order to make .NET 4.x code select the strongest available protocol by default (i.e. when a protocol is not explicitly specified in code), the following registry keys are needed:

On 32-bit and 64-bit versions of Windows: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0X00000001

On 64-bit versions of Windows: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0X00000001

The WOW6432Node value is needed to enable TLS 1.2 in 32-bit applications when run on 64-bit systems.

But here's the quick and easy solution: https://github.com/TheLevelUp/pos-tls-patcher

Update:

If you're targetting .NET 4.6 or 4.7 you'll be interested in Transport Layer Security (TLS) best practices with the .NET Framework.

Note that TLS Patcher linked above very much follows the Microsoft recommendation for existing .NET 4.0 and 4.5 apps that cannot target .NET 4.6 or higher.

edited Jun 20 '19 at 01:14

answered Mar 02 '18 at 05:16

user24601

1,662
1
12
11

6

I think this should be the accepted answer. We faced the same problem and observed the following: A normal .Net EXE works as expected. An assembly hosted in a native process (e.g. IIS, Office Addin) only used TLS 1.2 if the registry settings were made. – Stefan Egli Mar 08 '18 at 14:45
@StefanEgli I feel your pain. Not sure why this info is not documented better. We are trying to get the word out: http://blog.thelevelup.com/pci-security-is-your-restaurant-ready/ – user24601 Mar 08 '18 at 14:52
@StefanEgli also if you want TLS 1.2 in native code you also need Schannel registry keys set: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12 – user24601 Mar 08 '18 at 15:08
1

The \4.0.30319 portion of the key is incorrect and should be \v4.0.30319 – Jake Jun 17 '19 at 21:39

score 25 · Answer 3 · answered Dec 20 '17 at 20:27

The reason why the security protocol did not default to TLS 1.2 is because there is no default value for this in .NET Framework 4.6.1. Sorry if this is reiterating what's already been said but I wanted to elaborate and I don't have enough reputation to comment.

There is no default value in 4.6.2 either, however like one of the commenters mentioned above, a console application does seem to default to TLS 1.2. I tried the exact same code in a website project targeting 4.6.2 and it did NOT default to TLS 1.2.

4.7 and above does have a default value of SecurityProtocolType.SystemDefault.

"This allows .NET Framework networking APIs based on SslStream (such as FTP, HTTP, and SMTP) to inherit the default security protocols from the operating system or from any custom configurations performed by a system administrator"

https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=netframework-4.7#System_Net_ServicePointManager_SecurityProtocol

Tobias Schwarzinger · Answer 4 · 2019-02-28T12:14:10.097

10

We experienced a similar problem while hosting our .NET 4.6.2 application in IIS.

We could solve the problem by adding the httpRuntime element to the web.config. Without it our service did not default to TLS 1.2.

<httpRuntime targetFramework="4.6.2" />

For more info see https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection?view=netframework-4.7.2

edited Feb 28 '19 at 12:14

answered Feb 28 '19 at 11:22

Tobias Schwarzinger

211
3
6

Nice find! This solved it for us as well since we didn't have it set. – Philmatic Jan 10 '20 at 18:21

Camille G. · Answer 5 · 2017-05-09T15:11:19.353

7

MSDN: ServicePointManager.SecurityProtocol Property

This property selects the version of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to use for new connections that use the Secure Hypertext Transfer Protocol (HTTPS) scheme only; existing connections are not changed. Note that no default value is listed for this property, on purpose.

The security landscape changes constantly, and default protocols and protection levels are changed over time in order to avoid known weaknesses. Defaults will vary depending on individual machine configuration, and on which software is installed, and on which patches have been applied.

Taken from here

edited May 09 '17 at 15:11

answered May 09 '17 at 14:59

Camille G.

3,058
1
25
41

The default Security Protocol for .NET 4.6.1 is not TLS 1.2 - You have to set the value of the ServicePointManager.SecurityProtocol to it to add support – Camille G. May 09 '17 at 15:02
How does this answer the question? The OP says that TLS1.2 didn't work when it should – Panagiotis Kanavos May 09 '17 at 15:02
I understand the question as "I did nothing and expected TLS 1.2 worked" – Camille G. May 09 '17 at 15:03
2

The *answer* isn't relevant. The comment maybe, if it was accompanied with a reference. In 4.6.2 TLS1.2 is enabled by default – Panagiotis Kanavos May 09 '17 at 15:05
The question is about .Net 4.6.1 – Camille G. May 09 '17 at 15:05
Yes - how do you know that 4.6.1 doesn't enable TLS1.2 by default? The answer as posted **doesn't** say that. Quite the opposite - it says that 4.6+ will default to a stronger algorithm by default. – Panagiotis Kanavos May 09 '17 at 15:07
2

@PanagiotisKanavos I updated the quoted MSDN passage – Camille G. May 09 '17 at 15:12
@PanagiotisKanavos we just spun up two new Windows Server 2016 instances, updated our code to 4.6.2 and it still wasn't using TLSv1.2, only after adding the two registry entries and restarting IIS did it start to use TLSv1.2 – JGlass Mar 28 '19 at 15:04

score 7 · Answer 6 · answered Feb 06 '20 at 00:32

Based on the following link

https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

I've added

AppContext.SetSwitch("Switch.System.Net.DontEnableSystemDefaultTlsVersions", false);

to my code, and this fixed the issue for me. This is meant to default to the highest level the OS supports, which is the same behaviour you get by default from 4.7 and above.

Michael T. · Answer 7 · 2018-07-24T09:20:19.203

I faced the problem too. When local application tried to connect to a server that supports TLS 1.1 and TLS 1.2 it used to get "An existing connection was forcibly closed by the remote host" exception or when TLS 1.1/1.2 were not enabled properly it used to get "Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"

Below there are all registry keys and values that are needed for x64 windows OS. If you have 32bit OS (x86) just remove the last 2 lines. TLS 1.0 will be disabled by the registry script. Restarting OS is required.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\server]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ssl 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ssl 3.0\client]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ssl 3.0\server]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.0\client]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.0\server]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.1\client]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.1\server]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2\client]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2\server]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

score 1 · Answer 8 · edited Mar 07 '18 at 22:54

1

I used this in my code on the initial page. The app is web forms in VB.NET with .NET Framework 4.6.1

System.Net.ServicePointManager.SecurityProtocol =  System.Net.SecurityProtocolType.Tls12

edited Mar 07 '18 at 22:54

Mohammad Kanan

4,452
10
23
47

answered Mar 07 '18 at 21:08

Glada

21
4

2

This actually overwrites all other versions, not to mention that it does not answer the question. – kuskmen Mar 07 '18 at 23:15
2

Please do not hardcode the security protocol in application code. You want to follow the recommendations in the answers above, which are also inline with Microsoft [TLS Best Practices with .NET](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls) – user24601 Mar 16 '18 at 02:01
Odd. I had a code base started in Framework 3.5 that shared a dll from both a website and an .exe. The dll, website, and .exe were all upgraded to Framework 4.6.2. The .exe worked fine and used TLS 1.2. The website did not. I had to explicitly designate the protocol version per this post to get the website to work. – Matthew Allen May 07 '18 at 13:00

score 1 · Answer 9 · answered Jan 30 '19 at 14:34

I did the following steps to use the latest security protocol TLS v.1.2:

Disable the old protocols SSL2.0, SSL3.0, TLS1.0, TLS1.1, enable TLS1.2 and enable strong cryptography for .NET Framework in the registry.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

score 0 · Answer 10 · answered Sep 23 '19 at 11:23

I tried the following code in my api which is not working for Kaltura account integration(bec'z Kaltura API upgraded to TLS 1.2) and it start working. .Net framework is 4.5.2 and server :windows server 2008 r2 where application hosted.

#region To handle TLS (Transport Layer Security) Version and support
            var assembly = Assembly.GetExecutingAssembly();
            var attributes = assembly.GetCustomAttributes(typeof(TargetFrameworkAttribute), false);
            var version = (TargetFrameworkAttribute)attributes[0];

            SecurityProtocolType flag;
            if (Enum.TryParse("Tls11", out flag))
                ServicePointManager.SecurityProtocol |= flag;
            if (Enum.TryParse("Tls12", out flag))
                ServicePointManager.SecurityProtocol |= flag;
#endregion

Thanks.

score 0 · Answer 11 · edited Sep 09 '20 at 07:20

Update Windows and WinHTTP
Ensure that TLS 1.2 is enabled as a protocol for SChannel at the operating system level
Update and configure the .NET Framework to support TLS 1.2

enter image description here

.Net Framework 4.6.1 not defaulting to TLS 1.2

11 Answers11

Linked