25

I'm trying to add the following line of code to the Global.asax file in a website project.

    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

The VS2012 IntelliSense is showing that the Tls12 definition exists. But the build is saying that the definition does not exist (see screenshot).

screen shot

I've tried adding System.Net.dll to the bin folder of the project, but the build still failed. Any idea how I might be able to resolve this?

kuskmen
HockChai Lim
  • 2
    If you try to "add" it, please do not do it with the `=` sign... this will delete all others and leave only `Tls12`. Use `|=` instead. – kuskmen Nov 13 '17 at 17:01
  • would that make it try Tls12 first? – HockChai Lim Nov 13 '17 at 17:13
  • As far as I know, some external resource will try to establish a connection with your website using some version of the TLS protocol and eventually .NET will check which are the supported versions you have for your runtime. I don't think that it will try to create a connection with every one of them until it finds the desired version. – kuskmen Nov 13 '17 at 17:23
  • 2
    k. Thanks, I'll look more into this. My process actually goes out to call web services. We want the process to always try Tls12 first before dropping down to Tls11... – HockChai Lim Nov 13 '17 at 17:25
  • May I ask why you would consider doing this? I am just curious. :) – kuskmen Nov 13 '17 at 17:37
  • 1
    PCI requirement. But even if there is no such requirement, I would prefer it to try the latest, more secure protocol first. – HockChai Lim Nov 13 '17 at 17:47
  • 1
    Ow, so you are the client, not the server, and you want to try with the most secure TLS version first; that makes sense now. I thought before that you are the server. I'll see what I can do to find what you want to achieve and get back to you. – kuskmen Nov 14 '17 at 08:09

7 Answers

64

SecurityProtocolType.Tls11 and SecurityProtocolType.Tls12 enum values are missing on Framework 4.0 only.

SecurityProtocolType numeric values:
SystemDefault (0)
Ssl3 (48 - 0x30)
Tls (192 - 0xC0)
Tls11 (768 - 0x300) missing on Framework 4.0
Tls12 (3072 - 0xC00) missing on Framework 4.0

On Framework 4.0, if you want to allow TLS 1.0, 1.1 and 1.2, just replace:

    SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12

by:

    (SecurityProtocolType)(0xc0 | 0x300 | 0xc00)
figolu
  • There also used to be a `SecurityProtocolType.SystemDefault` (0x00) that disappeared again after some update. – Louis Somers Sep 28 '18 at 07:48
  • Thanks, this worked in my .NET 4.0, Silverlight 5 project. – cmartin Aug 09 '19 at 15:33
  • 1
    the VB version of this is CType((&HC0 Or &H300 Or &HC00), System.Net.SecurityProtocolType) – Mike W Aug 23 '19 at 16:10
  • Thank you very much for this (SecurityProtocolType)(0xc0 | 0x300 | 0xc00) it saved my day :) – Asaad Mamoun Feb 02 '21 at 15:08
  • 1
    Adding (SecurityProtocolType)(0xc0 | 0x300 | 0xc00) worked for me. But this is so ridiculous. Why should these protocols be removed and then added manually to work? By the way, I'm so grateful @figolu – Ali.DM Mar 10 '22 at 16:00
22

TLS and How to avoid connection errors.

  • .NET 4.6 and above. You don’t need to do any additional work to support TLS 1.2, it’s supported by default.
  • .NET 4.5. TLS 1.2 is supported but it’s not a default protocol. You need to opt-in to use it. The following code will make TLS 1.2 default, make sure to execute it before making a connection to secured resource:
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
  • .NET 4.0. TLS 1.2 is not supported, but if you have .NET 4.5 (or above) installed on the system then you still can opt in for TLS 1.2 even if your application framework doesn’t support it. The only problem is that SecurityProtocolType in .NET 4.0 doesn’t have an entry for TLS1.2, so we’d have to use a numerical representation of this enum value:
    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
  • .NET 3.5 or below. TLS 1.2 is not supported (*) and there is no workaround. Upgrade your application to more recent version of the framework.

Personally on my .Net 4.0 Framework with some asp classic files I used:

    ServicePointManager.SecurityProtocol = (SecurityProtocolType)(0xc0 | 0x300 | 0xc00);

https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/

Landscaper3345
  • 1
    Hi, I am facing this exception error `Authentication failed because the remote party has closed the transport stream.` during an HTTP request. The client runs under DotNet 4.0; I used the code `ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;` before sending the request. Still I am getting the exception error. Do you have any clue how to fix it? – Pranesh Janarthanan Jan 21 '20 at 06:40
  • Have you tried: `ServicePointManager.SecurityProtocol = (SecurityProtocolType)(0xc0 | 0x300 | 0xc00);` – Landscaper3345 Jan 22 '20 at 17:21
  • Yes, during debug. The first HTTP request fails with this error, and further consecutive requests pass. Why did it fail at first? – Pranesh Janarthanan Jan 23 '20 at 18:14
  • Vb.net: System.Net.ServicePointManager.SecurityProtocol = CType((&HC0 Or &H300 Or &HC00), SecurityProtocolType) – pghcpa Mar 01 '22 at 06:39
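
The numeric-cast approach from the two answers above, combined with the `|=` advice from the question's comments, as an added example that is not part of the original answers. `TlsBootstrap`, `EnableTls12` and `Describe` are hypothetical names; the example also clears SSL 3.0 from the mask and handles the case where the installed runtime rejects the TLS 1.2 value.

```csharp
using System;
using System.Diagnostics;
using System.Net;

// Added example: TlsBootstrap, EnableTls12 and Describe are hypothetical names.
public static class TlsBootstrap
{
    // Numeric values as listed in the answer above; the named Tls11/Tls12
    // members do not compile against Framework 4.0, so they are cast.
    const SecurityProtocolType Ssl3  = (SecurityProtocolType)0x30;
    const SecurityProtocolType Tls10 = (SecurityProtocolType)0xC0;
    const SecurityProtocolType Tls11 = (SecurityProtocolType)0x300;
    const SecurityProtocolType Tls12 = (SecurityProtocolType)0xC00;

    // Call once before the first outbound request, e.g. from Application_Start.
    // Returns the mask that is in effect afterwards.
    public static SecurityProtocolType EnableTls12(bool keepOlderTls)
    {
        SecurityProtocolType before = ServicePointManager.SecurityProtocol;
        // Assumption: 0 (SystemDefault) means the OS picks the protocols; leave it.
        if (before == 0) return before;
        // Keep what is already enabled (the |= advice), drop SSL 3.0, add TLS 1.2.
        SecurityProtocolType wanted = (before & ~Ssl3) | Tls12;
        if (keepOlderTls) wanted |= Tls10 | Tls11;
        else wanted &= ~(Tls10 | Tls11);
        try
        {
            ServicePointManager.SecurityProtocol = wanted;
        }
        catch (NotSupportedException)
        {
            // The installed runtime rejects the value: only .NET 4.0 is present.
            Trace.TraceWarning("TLS 1.2 not available, mask stays " + Describe(before));
        }
        return ServicePointManager.SecurityProtocol;
    }

    // Decodes a mask into the protocol names used on this page, plus its hex value.
    public static string Describe(SecurityProtocolType mask)
    {
        string names = "";
        if ((mask & Ssl3) == Ssl3) names += "Ssl3 ";
        if ((mask & Tls10) == Tls10) names += "Tls ";
        if ((mask & Tls11) == Tls11) names += "Tls11 ";
        if ((mask & Tls12) == Tls12) names += "Tls12 ";
        if (names == "") names = "SystemDefault ";
        return names + "(0x" + ((int)mask).ToString("X") + ")";
    }
}
```

Logging `Describe(TlsBootstrap.EnableTls12(false))` at startup records which protocols the process will actually offer.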
15

Are you on .NET 4.0? You should be on at least 4.5 to use it. You can try to update your web target framework version: TLS 1.2 in .NET Framework 4.0

Teoman shipahi
2

For vb.net

    ServicePointManager.SecurityProtocol = DirectCast(&HC0 Or &H300 Or &HC00, SecurityProtocolType)
Suraj Rao
Champu
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – MD. RAKIB HASAN Sep 06 '22 at 11:52
1

The website is already on .NET 4.5. Later, updating the Compilation > TargetFramework manually from 4.0 to 4.5 fixed the issue for me.

Here is the updated configuration:

    <compilation debug="true" targetFramework="4.5">
      <assemblies>
        <add assembly="System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
      </assemblies>
    </compilation>
IKriKan
0

About your concern over which version of TLS your application (client) and the server you are trying to connect to will use.

Directly quoted from the RFC 5246 standard for TLS.

  • During ClientHello (first request client makes to the server)

    The version of the TLS protocol by which the client wishes to communicate during this session. This SHOULD be the latest (highest valued) version supported by the client.

  • During ServerHello (first request that server responds with)

    This field will contain the lower of that suggested by the client in the client hello and the highest supported by the server.

ClientHello and ServerHello are structures with fields which are described in the standard here.

TL;DR

When using System.Net.WebRequest your application will negotiate with the server to determine the highest TLS version that both your application and the server support, and use it.

Regarding your question.

  • You can find the TLS protocol versions supported by .NET here, but please verify the .NET Framework version you are using and navigate to the right version in MSDN.
Community
kuskmen
0
    ServicePointManager.SecurityProtocol = (SecurityProtocolType)(0xc0 | 0x300 | 0xc00);
Suraj Rao