
A customer of mine turned off TLS 1.0 at the OS-level. After that the connection to our product didn't work anymore. The customer does not have the latest version which uses .NET 4.6.1.

As we don't specify the protocol used, we are relying on the default value. According to https://support.microsoft.com/en-us/help/3069494/cannot-connect-to-a-server-by-using-the-servicepointmanager-or-sslstre .NET 4.6 enables TLS 1.2 by default, which would be perfect and what we want.

I wanted to play around with some configurations, for a better understanding. I specified to only allow TLS 1.0 at the code-level with:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

To test the handshake I used openssl. It works perfectly with TLS 1.0, as it should. But to my astonishment the handshake also works with TLS 1.2.

$ openssl s_client -connect localhost:30050 -tls1_2
<..snip..>
SSL-Session:
    Protocol  : TLSv1.2
    <..snip..>

Are there some .NET or TLS rules I am overseeing? To my understanding TLS 1.2 should not be possible when specifying TLS 1.0 as the only protocol.

  • How/Where are you using that code? What's your server? – Camilo Terevinto Feb 06 '18 at 12:12
  • If an upgrade is possible during negotiation it seems wise to allow one, the docs for that property state *Your code should never implicitly depend on using a particular protection level, or on the assumption that a given security level is used by default* – Alex K. Feb 06 '18 at 12:14
  • @CamiloTerevinto I am hosting a WCF service in a console. – Borgiman Feb 06 '18 at 12:14
  • @mjwills I am running my tests using the latest version of our product which uses .NET 4.6.1 – Borgiman Feb 06 '18 at 12:16
  • Does setting `SecurityProtocol` impact **inbound** or **outbound** http connections? – mjwills Feb 06 '18 at 12:16
  • @mjwills I think you nailed it. According to a comment in https://stackoverflow.com/questions/26389899/how-do-i-disable-ssl-fallback-and-use-only-tls-for-outbound-connections-in-net: You only need to set System.Net.ServicePointManager.SecurityProtocol if you are initiating outbound connections from .NET code, e.g. connecting to a web service or API from custom code running on your server. If you are only running a simple web site, and you are only accepting incoming connections from browsers, then the registry fix is enough. – Borgiman Feb 06 '18 at 12:22

1 Answer

mjwills in the comments asked if the SecurityProtocol property impacts inbound or outbound connections.

After some research I found the post How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) which had a comment that would answer the question:

You only need to set System.Net.ServicePointManager.SecurityProtocol if you are initiating outbound connections from .NET code, e.g. connecting to a web service or API from custom code running on your server. If you are only running a simple web site, and you are only accepting incoming connections from browsers, then the registry fix is enough.
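Since the inbound side of a self-hosted WCF service negotiates from the OS (SChannel) policy rather than from ServicePointManager.SecurityProtocol, the following added PowerShell check (not part of the answer above) reads the SChannel Server and Client protocol settings plus the .NET 4.x switches that shape the outbound default, so you can see which protocols the OS will still offer. It assumes the standard SChannel and .NET Framework registry locations and only reads them.

```powershell
# Added example: audit which protocols SChannel allows per role.
# An absent key or value means the OS default for that Windows version applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)   # e.g. 'TLS 1.0', 'Server'
    $key = Join-Path $base "$Protocol\$Role"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = 'OS default (key absent)' }
    }
    $p        = Get-ItemProperty -Path $key
    $enabled  = $p.PSObject.Properties['Enabled']
    $disabled = $p.PSObject.Properties['DisabledByDefault']
    # Enabled=0 hard-disables the protocol; DisabledByDefault<>0 keeps it
    # available only if a caller explicitly asks for it.
    $state = if ($enabled -and $enabled.Value -eq 0)        { 'Disabled' }
             elseif ($disabled -and $disabled.Value -ne 0)  { 'Disabled by default' }
             elseif ($enabled)                              { 'Enabled' }
             else                                           { 'OS default (values absent)' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; State = $state }
}

# Server = what the hosted WCF endpoint can accept; Client = what outbound
# SChannel calls may use before ServicePointManager narrows them further.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $proto -Role $role
    }
}

# .NET Framework 4.x switches: SchUseStrongCrypto / SystemDefaultTlsVersions
# change the outbound default when code does not set SecurityProtocol at all.
$net = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
if (Test-Path $net) {
    Get-ItemProperty -Path $net | Select-Object SchUseStrongCrypto, SystemDefaultTlsVersions
}
```

Run it on the customer machine that disabled TLS 1.0 and on your test box; the Server rows explain which protocols the hosted service can negotiate independently of the code-level setting.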
