Good Morning

I would like your help. First of all I want to say that I am new to .NET and I want to learn daily.

I have one web application that connects to a Gateway to process payments. The company that manages the gateway changed their TLS certificate to TLS 1.2 and now I need to change this on the server and maybe in the web application, which was developed using .NET (C# code).

I researched and spent a lot of time trying to discover how I can do that, but I really can't find a clear example of where exactly I should make the changes.

I found this link on Stack Overflow, "TLS 1.2 in .NET Framework 4.0", and I'm following the instructions, but it is not clear to me where in the code I should implement the changes.

Please, I appreciate any suggestions.

Also, I would like to share some information that could be relevant in my case.

Details. Case: Since March I cannot process payments.

Other information:

1. I read some links, but it is hard for me to change the code because in production I have a compiled version.
2. I cannot compile from the Dev environment because these are not the same version. I have a source but unfortunately, the version in production is different from the version in production.
3. Where should I change the TLS in the production environment?

About technical information:

1. I am using .NET 4.0 - Windows Server 2008 Enterprise - SQL Server 2008.
2. I reviewed regedit for the vars mentioned in the link above and I can see the vars; so I could say that I have already set up the vars according to TLS 1.2.
3. Last Friday I restarted the server but I continue to have the problem.

Thanks

REG.

Rodrigo
  • In what way is it not the same version? Are you talking about the .NET Framework or have you lost an old version of your source code? – ZiggZagg Apr 16 '18 at 17:16
  • Hi Zigg. In what way is it not the same version? Well, it means that when I was hired here I found old sources vs the current version in production, plus the version in production is compiled. – Rodrigo Apr 17 '18 at 00:17
  • **continue**. (e.g. If I need to implement a new request on existing aspx pages I use the dev environment to build the solution, but when I need to deploy in production, unfortunately, I need to mix C# and HTML on the same page in production "I know this is not a good way but I don't have another option for now". – Rodrigo Apr 17 '18 at 00:17
  • **continue** Also, I see that the .NET Framework is different. e.g. In production in the regedit I saw in the .NET Cross-Platform/SDK folder the var version is showing 1.0.1069.0 and in the .Net Framework folder I saw v2.0 - v3.0 - v4.0.30319. Also, as I mentioned in the query I saw the vars required to use TLS using a .NET Framework 4.0. In my local machine, I saw version 4.6.xx. Also, I am unable to change code (e.g. https://www.dominio.com/customer/signup) because I cannot compile the version that I have in dev to the public in production. Please, let me know if you understand me! – Rodrigo Apr 17 '18 at 00:18
  • this executable has to be recompiled using 4.5 or higher. is that not the problem? – MichaelEvanchik Apr 17 '18 at 19:44
  • If you're staying on the 4.0 framework, this code needs to be used: ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; – MichaelEvanchik Apr 17 '18 at 19:46
  • Michael, I cannot compile. If I try to put the line of code in Global.aspx it shows an error. – Rodrigo Apr 18 '18 at 20:22
  • Stop your "continue" in comments. Edit your question to include new information please. Besides, is your app working as TLS client or TLS server? Describe the problem with necessary details, and don't let others guess. – Lex Li Apr 19 '18 at 15:47
  • Hi Lex Li, I believe my question is clear "How can I setup TLS certificate on Windows Server 2008 R2 Enterprise and Web application in .NET? " and I explain the details for this case. Please, let me know what more details you want. – Rodrigo Apr 20 '18 at 17:00
  • Hi Michael, when I tried putting the code in, it shows this error: System.Net.ServicePointManager.SecurityProtocol is a property but is used like a type. – Rodrigo Apr 20 '18 at 17:14

1 Answer

> I am using .NET 4.0 - Windows Server 2008 Enterprise - SQL Server 2008. 2. I reviewed the regedit for the vars that mention in the link above and I can see the vars; then I could say that I have ready setup the vars according to TLS 1.2. 3. The last Friday I restarted the server but I continue with the problem.

Install Windows updates on the server, and make sure to install a newer version of the .NET Framework such as 4.5 (via Windows update or here and here). A newer certificate might require you to install Windows updates or install an additional certificate to the certificate store in order for it to be accepted. Review the IIS AppPool settings and make sure it is actually running at least .NET 4.0.

> when I was hired here I found old sources vs the current version in production plus the version in production is compiled

Since you have at least a portion of the source code, you have to ask yourself (and your boss) the difficult question of whether you should rewrite the lost parts or try to recover some of it by copying pages from the production environment to your development environment and using a decompiler such as dotPeek, JustDecompile and ILSpy. Both options involve a lot of manual work, mostly because recovery via decompilation is not perfect and is going to produce many errors; a rewrite, on the other hand, is very costly because of the time involved.

Secondly, you should immediately set up a version control system by using modern tools such as git. There are many offers available on the internet that allow you to host private source code for a small fee or completely free (e.g. Bitbucket, GitLab, among others).

Once you have decided whether you are going to recover or rewrite, you can use the source code that you already have as a baseline. Try to add some changes from the decompiled sources and pages from production, or begin to rewrite parts of the most crucial features and iterate.

If not done already, try to install SQL Server Express and tools on your development machine and copy the structure of the tables from the production environment so that the current (old) version will start on your development machine and you can verify that it works locally without the need of the production environment.

You should also verify whether you can install Windows updates and newer versions of the .NET Framework and IIS so that your development machine and the production environment run roughly the same version of the .NET Framework. Microsoft offers advice on which versions are supported by which operating system here. If you are using an old version of IIS, version 10 can be found here.

If the certificate used by the payment gateway is too new, it could also be the case that you need to install Windows updates or an additional certificate to the Windows certificate store.

Furthermore, I would suggest that you set up your development machine so that you can test the payment gateway (e.g. with a fake product). Try to imitate the most crucial parts and make sure the .NET version you are developing locally is compatible with the version constraints of your IIS version.

Alternatively, try to set up a minimal development environment on the production environment, e.g. using SharpDevelop or LINQPad, and write a little bit of C# code that you can quickly execute to see if you fixed it.

Stephen Docy
ZiggZagg
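
The "little bit of C# code" suggested at the end of the answer could look like the following console check, run on the production server. This is an added example, not code from the question or the answer: it uses the `(SecurityProtocolType)3072` value from the comments, the URL is a placeholder to be replaced with the gateway's endpoint, and the class name `Tls12Check` is made up for illustration.

```csharp
using System;
using System.Net;

class Tls12Check
{
    // .NET 4.0 has no named enum member for TLS 1.2, so the numeric value is cast.
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    static int Main(string[] args)
    {
        // Placeholder URL (assumption): pass the real gateway endpoint as the first argument.
        string url = args.Length > 0 ? args[0] : "https://gateway.example.invalid/";
        Console.WriteLine("CLR version: " + Environment.Version);
        try
        {
            // Assigned once, before the first outgoing request of the process.
            ServicePointManager.SecurityProtocol = Tls12;
        }
        catch (NotSupportedException ex)
        {
            // The installed runtime does not know the value 3072 (no .NET 4.5+ on the machine).
            Console.WriteLine("Runtime rejects TLS 1.2: " + ex.Message);
            return 2;
        }
        Console.WriteLine("SecurityProtocol: " + (int)ServicePointManager.SecurityProtocol);
        try
        {
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "GET";
            request.Timeout = 15000; // milliseconds
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("Handshake OK, HTTP " + (int)response.StatusCode);
                return 0;
            }
        }
        catch (WebException ex)
        {
            // ProtocolError means the TLS handshake worked and the server replied with an HTTP error.
            Console.WriteLine("WebException status: " + ex.Status);
            for (Exception e = ex; e != null; e = e.InnerException)
                Console.WriteLine("  " + e.GetType().Name + ": " + e.Message);
            return ex.Status == WebExceptionStatus.ProtocolError ? 0 : 1;
        }
    }
}
```

`ServicePointManager.SecurityProtocol` is a static, process-wide setting, so in the web application the same assignment is made once at startup, before the first request to the gateway.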