
I am working on a C# .NET application that requires communication with different services on different servers. I have no part on the server's configuration, so I have to work with the security demands that they have. All of the communication is made with http calls using Flurl.

I get information from a server that demands SecurityProtocolType to be set to TLS 1.2, so before I send my http request, I set it on my code:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

And that works just fine. Problem is I have to get information from another server that just won't let me authenticate if I have any SecurityProtocol set on ServicePointManager. If I comment my previous set on SecurityProtocol, I can authenticate. If I don't, I can't.

Is there any way I can "unset", ignore or remove that ServicePointManager.SecurityProtocol setting? I have tried to set it to SystemDefault, and all TLS and SSL options, but it will work only if I don't set it at all.

On this second communication (the one where I can't have SecurityProtocol set), I am also ignoring SSL problems with

// Accepts every server certificate, which disables TLS certificate validation for all requests in the process.
ServicePointManager.ServerCertificateValidationCallback = delegate (object sender, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; };
Nicole
  • As this is a `[Flags]` enum, you can set multiple protocols by combining them with `|`, e.g. TLS 1.1 and 1.2. Does some combination of them work? You can also get specific `ServicePoint`s, but I'm not sure you can set this separately on each of them. Be careful with this, as those old protocols have been deprecated because they have known vulnerabilities. Newer versions of .Net Framework default to higher versions. – George Helyar Jul 12 '18 at 18:50
  • As @George Helyar already said, you can configure the `ServicePointManager` current `ServicePoint` with multiple SSL protocols. For more information on this matter, take a look at this: [Which TLS version was negotiated?](https://stackoverflow.com/questions/48589590/which-tls-version-was-negotiated?answertab=active#tab-top). – Jimi Jul 12 '18 at 21:35
  • If you do want to achieve what you stated above, you might change `ServicePointManager.SecurityProtocol` every time before sending a request out, and choose the desired SSL/TLS version. I don't recommend using a combination, as nowadays you do need to use TLS 1.2 for most scenarios, and only fall back to TLS 1.0/1.1 when the target server(s) do not support 1.2. – Lex Li Jul 13 '18 at 02:04
  • @Lex Li Using a combination of SSL protocols, you just enable them; you don't actually choose what protocol is negotiated. It's the SSL handshake that negotiates that. You have to include in the list (and handle) the most recent possible. There's no fallback because of this that I'm aware of. If you are aware of possible drawbacks, it would be good to hear them. – Jimi Jul 13 '18 at 14:38

1 Answer


As commented above, a combination of protocols does the job. In my case, it had to include TLS 1.0, so this line of code:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;

solves it (if put right before the HTTP call).

Nicole
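Added example (not from the question, the answer, or Flurl's own code) of keeping the older protocol list scoped to the one server that needs it instead of widening the process-wide ServicePointManager setting as the answer does. It assumes a runtime where HttpClientHandler.SslProtocols is honoured (.NET Core/.NET, or .NET Framework 4.7.1 and later) and uses placeholder host names; plain HttpClient is shown, and Flurl can be handed the same handlers through its configurable HttpClientFactory.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;

// Each server gets its own handler, so relaxing the protocol list for the
// legacy host does not weaken every other TLS connection in the process.
static class PerServerTls
{
    // Client for the server that demands TLS 1.2: nothing older is offered.
    public static HttpClient CreateStrictClient()
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12
        };
        // Placeholder host name, not a real endpoint.
        return new HttpClient(handler) { BaseAddress = new Uri("https://strict.example.invalid/") };
    }

    // Client for the server that only authenticates when TLS 1.0/1.1 are allowed.
    // The handshake still picks the highest version both sides support, so TLS 1.2
    // is used wherever possible; SSL 3 is deliberately left out because the page's
    // own problem did not require it and it is obsolete.
    public static HttpClient CreateLegacyClient()
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12
        };
        // Placeholder host name, not a real endpoint.
        return new HttpClient(handler) { BaseAddress = new Uri("https://legacy.example.invalid/") };
    }

    // Startup check for the process-wide value: returns true when the [Flags]
    // combination enables SSL 3 or TLS 1.0, so a global downgrade like the one in
    // the answer can be logged or rejected in environments that must not allow it.
    public static bool EnablesLegacyProtocol(SecurityProtocolType value) =>
        (value & (SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls)) != 0;

    static void Main()
    {
        var answerSetting = SecurityProtocolType.Tls | SecurityProtocolType.Tls11
                          | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;
        Console.WriteLine($"Process-wide setting enables SSL3/TLS1.0: {EnablesLegacyProtocol(answerSetting)}");
        Console.WriteLine($"Strict-only setting enables SSL3/TLS1.0: {EnablesLegacyProtocol(SecurityProtocolType.Tls12)}");
    }
}
```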