
I'm no SSL/TLS expert, but I encountered the following.

We make a connection to a web service from a supplier, and their "security policy" was TLSv1, and everything worked like a charm. This supplier upgraded their security policy to TLSv1_2016.

And since then communication fails. When they rolled back, all worked again.

Now, after looking at the way we make a connection, I get more confused.

We use .NET (Framework 4.7.0XXX) and the following class: System.ServiceModel.Channels.CustomBinding

According to the documentation, this should (by default) support Ssl3, Tls, Tls1.1, Tls1.2: https://technet.microsoft.com/en-us/system.servicemodel.channels.sslstreamsecuritybindingelement.sslprotocols(v=vs.96)

Which seems sufficient.

On AWS I found the following overview:

TLSv1.2 support is enough for: SSLv3, TLSv1.0, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018

TLSv1.1 support is enough for: SSLv3, TLSv1.0, TLSv1_2016, TLSv1.1_2016

TLSv1 support is enough for: SSLv3, TLSv1.0, TLSv1_2016

So looking at this info, I would guess that our way of making a connection via System.ServiceModel.Channels.CustomBinding should be sufficient to interact with their upgraded (to TLSv1_2016) policy (even if it is TLSv1.1_2016 it should work; I am taking into account a typo in their communication :-) ).

Has anyone encountered this issue, or has any idea where to investigate further?

Thanks in advance, Regards, Joe

Joeri H.

2 Answers


The document you read on MSDN is not correct.

Please do visit the latest at Microsoft Docs, like the Best Practices,

https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls?view=netframework-4.7.2

You did not reveal enough (like your WCF code), but based on Microsoft's information, WCF on older .NET Framework versions by default uses SSL 3.0/TLS 1.0, and you must explicitly choose TLS 1.2 in your code if you cannot upgrade the .NET Framework version. (There are too many "if else" cases in that article, so do spend enough time on every relevant paragraph and carry out experiments accordingly.)

Most importantly, "retarget your assemblies", meaning recompile your assemblies against .NET Framework 4.6.x or 4.7.x.

Lex Li
  • Thank you, will check it out, however not possible to do so this week, will keep you informed of our findings . – Joeri H. Jul 09 '18 at 08:27
  • If you don't retarget frameworks, this is the relevant line you'll need to add to make your outbound calls use TLS 1.2: `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12`. – evilSnobu Jul 09 '18 at 12:53
  • Also, this may help, it's a digested, code-centric version of that article - https://github.com/snobu/tls-negotiations. – evilSnobu Jul 09 '18 at 12:54
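As an added example (not code from the question, the answer, or the comments), this shows the two places where a WCF CustomBinding's TLS version is actually decided: for an HTTPS transport it is `ServicePointManager.SecurityProtocol`, as evilSnobu's comment suggests, and for a net.tcp stream it is `SslStreamSecurityBindingElement.SslProtocols`, which I am assuming is only available once the assemblies are retargeted to .NET Framework 4.6.1 or later. The endpoint address is a placeholder.

```csharp
using System;
using System.Net;
using System.Security.Authentication;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example, not the original poster's code. Pins outbound WCF
// connections to TLS 1.2 on a .NET Framework build that still defaults
// to SSL 3.0 / TLS 1.0 (the 4.5.2 case described in the self-answer).
static class Tls12Bindings
{
    // HTTPS transport: the TLS version is negotiated by HttpWebRequest,
    // which reads ServicePointManager.SecurityProtocol. Set it once,
    // process-wide, before the first channel is opened.
    public static CustomBinding CreateHttpsBinding()
    {
        // Tls12 is in the SecurityProtocolType enum since .NET 4.5, so this
        // works without retargeting. Do not OR in Ssl3 or Tls here.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        var encoding = new TextMessageEncodingBindingElement
        {
            MessageVersion = MessageVersion.Soap11
        };
        var transport = new HttpsTransportBindingElement();
        return new CustomBinding(encoding, transport);
    }

    // net.tcp transport with SSL stream security: here ServicePointManager
    // is NOT consulted; the version comes from the binding element itself.
    // Assumption: SslProtocols on this element requires .NET Framework 4.6.1+.
    public static CustomBinding CreateNetTcpBinding()
    {
        var ssl = new SslStreamSecurityBindingElement
        {
            SslProtocols = SslProtocols.Tls12
        };
        var encoding = new BinaryMessageEncodingBindingElement();
        var transport = new TcpTransportBindingElement();
        return new CustomBinding(ssl, encoding, transport);
    }

    // Quick check before opening a channel: does this process offer TLS 1.2
    // for HttpWebRequest-based transports at all?
    public static bool ProcessOffersTls12()
    {
        return (ServicePointManager.SecurityProtocol
                & SecurityProtocolType.Tls12) != 0;
    }
}
```

The placeholder endpoint would be used as `new EndpointAddress("https://supplier.example/service")` together with `CreateHttpsBinding()` in a `ChannelFactory<T>`; if `ProcessOffersTls12()` is false at that point, the assignment in `CreateHttpsBinding` has not run yet or was overwritten elsewhere.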

All,

Thank you for all your help and suggestions. I was looking for an answer and could not find it; it is my own fault :-(

I was told we were on Framework 4.7.0, and all of the things I found made no sense, now it seems that our build server was using 4.5.2 framework... and now it all makes sense.

SSL3 and TLS1 and no other possibility in WCF and framework 452...

Again, thank you for the assistance and guidance.

Now we are looking to retarget to FW 472.. but there are some issues...

Joeri H.