16

I develop a C# program in Visual Studio 2013 which communicates with a SOAP webservice. How can I tell which version of TLS my program uses?

cja
  • 9,512
  • 21
  • 75
  • 129
  • Wouldn't that be determined by the web server? Why do you need to know? –  Oct 23 '17 at 12:06
  • To make sure that my program is compatible with the server. – cja Oct 23 '17 at 12:09
  • 2
    Check `ServicePointManager.SecurityProtocol` value for the supported protocols. – Evk Oct 23 '17 at 12:12
  • See RFC 5246 para 1.2 : https://www.ietf.org/rfc/rfc5246.txt – jdweng Oct 23 '17 at 12:12
  • 1
    Just enable everything on [ServicePointManager.SecurityProtocol](https://stackoverflow.com/a/32789483/578411) and you're good to go, right? – rene Oct 23 '17 at 12:12
  • @rene no, then you're open for quite a few weak security issues. You want to use the highest shared security protocol, preferably TLS 1.2. – jessehouwing Oct 23 '17 at 12:17
  • @cja What's your *runtime* version? TLS 1.2 was added in 4.5, and became the default in 4.6. 4.0 doesn't have TLS 1.2. 4.5 needs manual configuration – Panagiotis Kanavos Oct 23 '17 at 12:26
  • 1
    @MickyD the server will *refuse* the connection if the runtime doesn't support 1.2. – Panagiotis Kanavos Oct 23 '17 at 12:26
  • @jessehouwing if the server doesn't support TLS1.2 then they are out of luck. I agree though they should strive to the best protocol and advice their service provider if they don't support anything decent. Client and server will handshake on the best protocol, right? – rene Oct 23 '17 at 12:26
  • 1
    @rene a couple of years ago several *large* service providers (think airlines) dropped even TLS1.1. A lot of companies had to scramble to upgrade to .NET 4.5.2 – Panagiotis Kanavos Oct 23 '17 at 12:28
  • @PanagiotisKanavos Okay, fair enough. – rene Oct 23 '17 at 12:35
  • @PanagiotisKanavos ah. Thanks! –  Oct 23 '17 at 12:44
  • @MickyD that's why companies that dragged their feet with 4.5 (could have bugs!) scrambled to upgrade in 1 month two years ago, when airlines said `TLS1.2 or (you go) bust` – Panagiotis Kanavos Oct 23 '17 at 12:46

3 Answers3

25

I got the answer by directing my program to make requests to https://www.howsmyssl.com/a/check.

cja
  • 9,512
  • 21
  • 75
  • 129
  • 3
    I like to test the behaviour of my program, not just to rely on the documentation. – cja Oct 23 '17 at 12:51
  • 4
    I don't understand the disdain for this answer. It uses empirical testing and it can be generalized to other server types. – Jamie Ciocco Mar 13 '18 at 19:04
17

TLS 1.2 was added in .NET 4.5. The earliest supported .NET version is 4.5.2, so you won't have any issues if you use a supported version.

.NET 4.6 uses TLS 1.2 by default. Earlier versions need this line to enable it :

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | 
                                       SecurityProtocolType.Tls11;

TLS 1.0 is being phased out and SSL v3 is considered broken so they shouldn't be added.

Panagiotis Kanavos
  • 120,703
  • 13
  • 188
  • 236
  • Can you link to a source confirming that .NET 4.6 uses TLS 1.2 by default? I can't find anything official and can see other commentors contradicting this e.g: https://stackoverflow.com/a/47913910/5344430 – alksdjg Jun 11 '20 at 03:48
  • Don't use 4.6 to begin with, don't try to hard-code the versions. Simply googling for `.NET TLS 1.2` returns [Transport Layer Security (TLS) best practices with the .NET Framework](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls) as the first result. Use .NET 4.7 on a supported OS and let your application use the best available TLS version. Even 4.6.2 was a bit of a mess both on TLS **and** assembly redirects. – Panagiotis Kanavos Jun 11 '20 at 06:48
  • I'm not going to use 4.6. I literally just want to know where you got the information "4.6 uses TLS 1.2 by default" because I couldn't find it anywhere. How did you confirm / prove that? – alksdjg Jun 12 '20 at 03:43
  • I posted the link already. 3 years ago I was answering the question `How can I tell which version of TLS my program uses?` and the answer isn't VS 2013. To get TLS 1.2 *without* code modifications you need 4.6 at least. By that point I had answered that question *dozens* of times for years and didn't bother posting another full explanation. By that point (like many common questions in SO) just finding a good duplicate would take more time than writing a quick answer – Panagiotis Kanavos Jun 12 '20 at 08:32
  • @alksdjg and, the *real* question after all was posted as a comment to Oria's answer `As my production web service calls were communicating with a 3rd party service, I needed an extra proof of which protocol was being used before and after I made the .net version change.` – Panagiotis Kanavos Jun 12 '20 at 08:35
5

Another good way to check is to install WireShark (https://www.wireshark.org/download.html)

and to use it while running your application. within the TLS Packets you will be able to see versions and such:

Example for Wireshark View Of TLS traffic...

Ori a
  • 314
  • 1
  • 8
  • There's no reason to. There's no ambiguity. 4.6 -> TLS1.2 by default 4.5 -> TLS11 and config change for 1.2. 4 and below, no TLS 1.2 – Panagiotis Kanavos Oct 23 '17 at 12:24
  • 4 and below support TLS 1.2 with a hotfix. – jessehouwing Oct 23 '17 at 12:28
  • 3.5: https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the--net-framework – jessehouwing Oct 23 '17 at 12:28
  • 4.0: https://blogs.msdn.microsoft.com/saurabs/2017/06/01/wcfwstls-get-net-framework-4-0-application-use-tls-1-2-as-default-protocol/ – jessehouwing Oct 23 '17 at 12:31
  • @jessehouwing no, that's for the OS. Not .NET. Besides, these .NET versions *are* unsupported at this point. The only reason this hotfix was provided was because the runtime was bundled with the OS. These versions aren't supported on other OSs – Panagiotis Kanavos Oct 23 '17 at 12:31
  • 1
    @jessehouwing even worse, these hotfixes depend on some well-known hacks to work in code, like assigning the enum's value to `SecurityProtocol` even though it isn't defined. That was used as a stopgap 2 years ago, when the providers started demanding TLS1.2 – Panagiotis Kanavos Oct 23 '17 at 12:32
  • Thanks @Ori a! As my production web service calls were communicating with a 3rd party service, I needed an extra **proof** of which protocol was being used before and after I made the .net version change. Wireshark made it quite apparent and was easy to use. – mmcfly Jan 08 '19 at 22:07
  • sure , no problem :-) – Ori a Jan 10 '19 at 08:22