
I have a .NET console app which talks to a WCF service. The WCF service then makes a web service call to an external provider. The external provider is about to turn off support for anything below TLS 1.2.

Both of my applications are using .NET Framework 4.6, which I believe will automatically negotiate the highest security protocol.

The external provider says I am still communicating in TLS 1.0.

I have installed Fiddler onto one of our app servers to try and see what is happening; here is a screenshot:

[Fiddler screenshot]

I'm new to Fiddler; is that saying that my client app is attempting to connect in TLS 1.2 but the server responded with TLS 1.0?

David

Comments:

  • Yes, you're correct. I'm not sure if what you're seeing is accurate though, because Fiddler is MITM-ing the connection. Use Wireshark, not Fiddler. – President James K. Polk Mar 08 '18 at 21:15
  • Possible duplicate of [.Net Framework 4.6.1 not defaulting to TLS 1.2](https://stackoverflow.com/questions/43872575/net-framework-4-6-1-not-defaulting-to-tls-1-2) – Lex Li Mar 08 '18 at 23:45
  • If your site is on the Internet, use SSL Labs to check exactly what protocols it supports ( https://www.ssllabs.com/ssltest/analyze.html ) – Eugène Adell Mar 09 '18 at 06:24
  • In my experience, even with .NET 4.6 you'll need to set some TLS registry keys to get TLS 1.2 working. We recently wrote about it here: http://blog.thelevelup.com/pci-security-is-your-restaurant-ready/ You can download [TLS Patcher](https://github.com/TheLevelUp/pos-tls-patcher) from GitHub to help with config. – user24601 Mar 19 '18 at 01:33
  • In addition to Wireshark you can also use Microsoft Netmon to verify TLS version negotiation. Here's a tutorial for using Netmon to verify the TLS version and applying TLS config: http://blog.thelevelup.com/pci-security-is-your-restaurant-ready/ – user24601 Mar 21 '18 at 03:12

1 Answer


I would not recommend using Fiddler to debug TLS version negotiation, because Fiddler is a Man-in-the-Middle (MITM) proxy. I.e., your app is connecting to Fiddler and not to the service you're attempting to debug.

A better solution is to use a tool such as Wireshark or Microsoft Network Monitor (aka Netmon) to inspect the TLS packets and view the SSL/TLS handshake.

This article covers using Netmon to determine if your app is attempting to use TLS 1.2 and also covers configuring Windows to use TLS 1.2.

user24601