
How do you fix a broken .net 3.5, C# app that uses SSL to connect to an external server after a user applies PCI 3.1 standards regarding SSL 3.0 and TLS 1.0 incoming and outgoing traffic on their systems?

ShaneLS
  • This is a blog post, not a question. To fit SO's format, ask a question, and answer it below. –  Feb 09 '18 at 16:14
  • Possible duplicate of https://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5 –  Feb 09 '18 at 16:17
  • That post has nothing to do with someone coming here trying to figure out why their app broke after moving to PCI 3.1. Secondly, I wasn't done posting yet. You're too fast to criticize :D – ShaneLS Feb 09 '18 at 16:20
  • That post has everything to do with getting .Net to use TLS 1.1 and 1.2. And I wasn't concerned with whether you were "done". –  Feb 09 '18 at 16:21
  • In a recent search for a fix to my own PCI 3.1 dilemma I found no help from the Google and had to figure it out for myself. This post is to stop additional questions from coming in. – ShaneLS Feb 09 '18 at 16:24
  • @ShaneLS TLS1.2 support has nothing to do with PCI. It doesn't have to do with the *client's* network, it has to do with the services the client calls. The public Internet isn't PCI3.1 compliant and yet GDSs and airlines have demanded TLS1.2 since 2016. – Panagiotis Kanavos Feb 09 '18 at 16:24
  • @PanagiotisKanavos Not strictly true, the client making the connection to the server has to advertise that it supports TLS1.1 or 1.2 when negotiating the connection, otherwise the connection will not use it. Clients with earlier versions of .NET do not automatically advertise TLS1.1 or 1.2 even if they are supported by the OS. In a PCI-compliant environment, both ends have to support only TLS1.1 or 1.2 (with 1.2 being significantly preferred). – Trevor Feb 09 '18 at 16:30
  • @Trevor I said `the client's network`. This question says `after a user applies PCI 3.1 to their network` – Panagiotis Kanavos Feb 09 '18 at 16:30
  • How can PCI not have anything to do with TLS 1.1 or 1.2 when PCI 3.1 compliance demands it? You're making no sense. When my client disallowed use of SSL 3.0 on their network, my app that used it quit working. It has everything to do with their network setup. Read the PCI article. – ShaneLS Feb 09 '18 at 16:31
  • @ShaneLS yes, and before that your application had already lost the ability to call a whole lot of services that had moved to TLS1.2. In any case, SO isn't a blog service. This has already been answered. If you search `c# TLS1.2` you'll get 245 results. – Panagiotis Kanavos Feb 09 '18 at 16:32
  • Go to Google and type "PCI Compliance 3.1 and C#". This is the only SO article that comes up. – ShaneLS Feb 09 '18 at 16:38
  • I regret retracting my close vote. –  Feb 09 '18 at 16:41
  • I'm assuming by "applies PCI 3.1 to their network" you mean something such as rolling out a group policy registry update to disallow any Windows SChannel from using SSLv3 or TLS1.0 as either a client or server? – Trevor Feb 09 '18 at 16:41
  • @Trevor - Yes, you are correct. The client in question uses a back-office system that is requiring them to be 3.1 compliant by end of March. They made the switch early and my app stopped being able to pull information by way of HTTPS in an XmlTextReader to a server that still allowed SSL 3.0. I never even considered the SSL 3.0 issue until now. – ShaneLS Feb 09 '18 at 16:48

1 Answer


I wanted to get this out here before questions start coming in. I recently had a client upgrade their PCI compliance to 3.1, in which SSL 3.0 or TLS 1.0 traffic is no longer allowed in or out of their systems. Instead, TLS 1.1 and 1.2 are currently the main drivers of secure connections. If you have a .net C# application that connects to an external HTTPS site or employs secure SQL connections to a server, there are a few things you need to do.

First, update your app's .net version to 4.5 or higher. .net versions before 4.5 do not have the ability by default to use TLS 1.1 and 1.2. If you have a small app and want to keep your .net 3.5, you can have clients update their PCs using this link: .net 3.5 TLS

Second, if you use .net 4.5, you will need to add a line to your code before making a secure connection to an external site. (In the case of 4.6 or higher, it is suggested that TLS 1.2 is already the default and may not need this additional code.) This code will tell your .net 4.5 app to default to TLS 1.1 or TLS 1.2 before making any attempt using other methods such as SSL 3.0.

System.Net.ServicePointManager.SecurityProtocol =
    SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

I hope this helps. Here is a document from PCISecurityStandards.org describing the June 2018 deadline for 3.1 compliance: PCI 3.1 Deadline

ShaneLS
  • No, it doesn't help at all. It creates noise. SO is a Q&A site, not a blog service. **This** question has been asked several dozen times already for the last couple of years. It's also inaccurate - since 4.6 TLS12 is the default – Panagiotis Kanavos Feb 09 '18 at 16:22
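The following is an added, complete example (not code from the answer or from its author) of the scenario the answer describes: a .NET 4.5 program that pins outbound HTTPS to TLS 1.1/1.2 before reading an XML resource, so that it keeps working on a workstation where SChannel has SSL 3.0 and TLS 1.0 disabled. The URL `https://example.invalid/feed.xml` is a placeholder, and the `FeedUrl`/`ConfigureTls` names are ours. The commented-out .NET 3.5 variant uses the numeric values 768 and 3072, which are the underlying values of `Tls11` and `Tls12` in the 4.5 enum; on 3.5 those named members do not exist, which is why the cast is needed once the OS update linked in the answer is installed.

```csharp
// Added example, not part of the original answer.
// Target .NET Framework 4.5: forces TLS 1.1/1.2 for every outbound HTTPS call
// in this process, then reads an XML document over HTTPS.
using System;
using System.Net;
using System.Xml;

class TlsDemo
{
    // Placeholder endpoint; substitute the real HTTPS server the app talks to.
    const string FeedUrl = "https://example.invalid/feed.xml";

    // Call once at process start, before the first HTTPS request.
    // ServicePointManager.SecurityProtocol is process-wide, so one assignment
    // covers HttpWebRequest, WebClient and XmlReader/XmlTextReader alike.
    static void ConfigureTls()
    {
        // List only TLS 1.1 and 1.2. Do not OR in SecurityProtocolType.Ssl3 or
        // SecurityProtocolType.Tls (1.0): that would re-enable exactly the
        // protocols the PCI 3.1 change removed, and the server could pick them.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

        // .NET 3.5 equivalent (after the OS update from the answer): the enum
        // has no Tls11/Tls12 members, so assign the underlying values directly.
        // ServicePointManager.SecurityProtocol =
        //     (SecurityProtocolType)768 | (SecurityProtocolType)3072;
    }

    // Counts XML elements in the document at url; returns -1 if the HTTPS
    // request fails (for example because no mutually supported TLS version
    // was offered during the handshake).
    static int CountElements(string url)
    {
        try
        {
            // XmlReader.Create opens the URL through the same HTTP stack, so
            // the protocol setting above applies without further changes.
            using (XmlReader reader = XmlReader.Create(url))
            {
                int elements = 0;
                while (reader.Read())
                {
                    if (reader.NodeType == XmlNodeType.Element)
                        elements++;
                }
                return elements;
            }
        }
        catch (WebException ex)
        {
            // A handshake with no common protocol surfaces here, typically as
            // "The request was aborted: Could not create SSL/TLS secure channel."
            Console.Error.WriteLine("HTTPS request failed: " + ex.Message);
            return -1;
        }
    }

    static void Main()
    {
        ConfigureTls();
        Console.WriteLine("SecurityProtocol = " + ServicePointManager.SecurityProtocol);

        int count = CountElements(FeedUrl);
        Console.WriteLine(count >= 0
            ? "Read " + count + " elements over TLS"
            : "Could not read the feed; check the server's TLS versions");
    }
}
```

To confirm the fix on a locked-down machine rather than trusting the code, run the program once with `ConfigureTls()` commented out and once with it in place: the first run should fail with the `WebException` above, the second should print the element count. The assignment must happen before the first request because `ServicePointManager` caches connection settings per service point.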