4

Say I have a standard .NET (4.5) web application that needs to connect to a secure server using TLS.

I want to stop supporting unused or weak protocols and cipher suites in my server and support only the ones which the client also supports (preferably TLS 1.2)

Does the version of TLS (1.0, 1.1 or 1.2) and/or the cipher suites in use depend on the operating system or the .NET version?

In other words, will my .NET application use a different cipher suite or TLS version when installed on machines with different operating systems / updates? Or does the usage of .NET 4.5 ensure that the protocols on every client-server communication will be identical?

Yoaz Menda
  • Possible duplicate of [Default SecurityProtocol in .NET 4.5](https://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5) – Sheng Jiang 蒋晟 Jul 02 '17 at 13:18
  • @LexLi not really - the question is about the default version used by *.NET*. It has nothing to do with TLS handshake. The ability to use the OS's default was added in .NET 4.7. Before that one had to explicitly specify eg TLS12 with `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12` – Panagiotis Kanavos Jul 05 '17 at 11:36

2 Answers

8

Starting with .NET 4.7, .NET uses the operating system's default.

The TLS stack, which is used by System.Net.Security.SslStream and up-stack components such as HTTP, FTP, and SMTP, allows developers to use the default TLS protocols supported by the operating system. Developers need no longer hard-code a TLS version.

Before 4.7, you had to specify the TLS version to use explicitly with

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
```

For .NET 4.7, ServicePointManager.SecurityProtocol (if not explicitly set) now returns SystemDefault.

BTW the earliest supported .NET version is 4.5.2. Most systems will have a newer version though, installed by other applications or Windows Update. Every version since 4.0 is a binary replacement of the previous.

evilSnobu
Panagiotis Kanavos
  • For WCF using .NET Framework 4.6 - 4.6.2 using TCP transport security with Certificate Credentials - The WCF framework automatically chooses the highest protocol available up to TLS 1.2 unless you explicitly configure a protocol version. https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls – hB0 Sep 06 '19 at 13:05
7

This is a much better answer than what I could write on the .NET question: https://stackoverflow.com/a/28333370/4148708

In essence:

.NET 4.0 supports up to TLS 1.0 while .NET 4.5 supports up to TLS 1.2

In practice I've seen both .NET 4.5 and .NET 4.6 default to TLS 1.0 if you're not imperative about it:

```csharp
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
```

Can't comment on .NET 4.7 but I would assume it still handshakes TLS 1.0 by default so the whole Internet doesn't suddenly break. .NET 4.7 uses whatever the OS default is through the SystemDefaultTlsVersions registry key (thanks Panagiotis Kanavos) — more findings in this repo.

What that really means is for .NET 4.7, ServicePointManager.SecurityProtocol now returns SystemDefault.

On the OS question, yes, .NET calls into SCHANNEL, which is Microsoft's Security Support Provider (think the "OpenSSL" of the Windows world). As long as you're running on Windows Server 2008 R2+, you are good for TLS 1.2.

Extract from this comprehensive blog post (blogs.msdn.microsoft.com):

[Table from the linked post: SCHANNEL TLS version support by OS]

Some further research (my own) available here —

https://github.com/snobu/tls-negotiations

evilSnobu
  • .NET 4.7 uses the OS default. Previous versions defaulted to TLS1.0 and required the explicit call to `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12` to use TLS12 – Panagiotis Kanavos Jul 05 '17 at 11:37