
Good afternoon! I use the Azure Maps API via HttpClient. How can I enable support for TLS 1.2? As far as I know, it is supported in Framework 4.6+. So I should not need to do anything for this to work?

Leniel Maccaferri
Dmytro
  • TLS 1.2 already works. You don't need to do anything. Why the question? What framework (Old/Core, number) and OS version are you using? – Panagiotis Kanavos Dec 18 '19 at 08:47
  • Are you running on an unsupported OS version, e.g. Windows Server 2008R2 or Windows Vista? You may have to apply some OS patches to enable TLS1.2. – Panagiotis Kanavos Dec 18 '19 at 08:51
  • Do you have an actual question? Is there an actual problem? Are you asking how to verify that TLS1.2 was used perhaps? Or indeed, how to *restrict* connections to only TLS1.2? Which is something you *shouldn't* because you'd have to redeploy your application when TLS1.3 is added – Panagiotis Kanavos Dec 18 '19 at 08:53

4 Answers


Use ServicePointManager to set the security protocol.

Gets or sets the security protocol used by the ServicePoint objects managed by the ServicePointManager object.

using System.Net;
using System.Net.Http;

// Specify TLS 1.2 for new connections. Set this before the first request is
// made; connections that already exist are not changed.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

HttpClient httpClient = new HttpClient();

This property selects the version of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to use for new connections; existing connections aren't changed.

Starting with the .NET Framework 4.7, the default value of this property is SecurityProtocolType.SystemDefault. This allows .NET Framework networking APIs based on SslStream (such as FTP, HTTP, and SMTP) to inherit the default security protocols from the operating system or from any custom configurations performed by a system administrator.

Athanasios Kataras

  • You don't need to do that in .NET Framework 4.6+ and supported OS versions. It doesn't *enable* TLS1.2 either, it *prevents* the use of anything lower. Before 4.6, negotiation started from TLS1.1 downwards and that switch was needed to force TLS1.2 – Panagiotis Kanavos Dec 18 '19 at 08:50
  • I might have misunderstood the question, but I think the OP wants to know how the SecurityProtocol is set for the `HttpClient`. Indeed the code restricts to using only TLS 1.2, as I thought that this was his intent. – Athanasios Kataras Dec 18 '19 at 08:51
  • That would make more sense than the entire question but then, as the docs say, the OP would have to modify the code to support TLS1.3 – Panagiotis Kanavos Dec 18 '19 at 08:55
  • I heard that Azure Maps will retire support for TLS 1.0 and 1.1 from 1 February 2020, and I wanted to know if I should do something in my case. As I understood - nothing, if I use .Net Framework 4.6.1 – Dmytro Dec 18 '19 at 09:56
  • Yeap, the default is the top supported, so basically you need to do nothing as @PanagiotisKanavos said. – Athanasios Kataras Dec 18 '19 at 10:01
  • I see all these comments saying this is not needed, but this is EXACTLY what I needed to do to get a post to Okta to work. We are using .Net Framework 4.8 and this is in May of 2021. Maybe it depends on the Okta server, I don't know, but this fixed this exact issue for me in this case. – BlueD May 14 '21 at 02:57
  • The error I was getting was: "The existing connection was forcibly closed by the remote host" – BlueD May 14 '21 at 03:06
  • This one liner worked for me. Thank you so much. – Gail Foad Nov 30 '22 at 15:17

In general you do not need to specify any configuration in your application to enable adoption of the latest TLS protocol.

Best practices and scenarios for versions earlier than .NET 4.7 are outlined on learn.microsoft.com.

At a high level, you should audit your application to make sure it doesn't take a hard dependency on a lower TLS version. Otherwise, no work should be required.

We recommend that you:

  • Target .NET Framework 4.7 or later versions on your apps. Target .NET Framework 4.7.1 or later versions on your WCF apps.
  • Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.
  • Perform a thorough code audit to verify you're not specifying a TLS or SSL version.

When your app lets the OS choose the TLS version:

  • It automatically takes advantage of new protocols added in the future, such as TLS 1.3.
  • The OS blocks protocols that are discovered not to be secure.

Daniel Stack
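Added example (PowerShell, not code from this answer or from Microsoft's documentation): a single handshake against a host of your choosing using only the platform defaults, reporting the negotiated protocol so you can confirm TLS 1.2 (or later) is in use without pinning it in code. The host name is a placeholder to be replaced with the endpoint your application calls.

```powershell
# Added example, not from any answer above: perform one TLS handshake with the
# platform defaults (no SslProtocols pinned) and report what was negotiated.
# $TargetHost is a placeholder; substitute the endpoint your application calls.
param([string]$TargetHost = "example.com", [int]$Port = 443)

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($TargetHost, $Port)
try {
    # SslStream with no explicit protocol list lets the framework/OS choose,
    # which is the configuration the answer above recommends keeping.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($TargetHost)
    [pscustomobject]@{
        Host           = $TargetHost
        NegotiatedTls  = $ssl.SslProtocol          # expect Tls12 or Tls13
        Cipher         = $ssl.CipherAlgorithm
        CipherStrength = $ssl.CipherStrength
        KeyExchange    = $ssl.KeyExchangeAlgorithm
    }
    # Enum values increase with protocol version, so an ordered comparison
    # flags anything older than TLS 1.2 that the defaults still permit.
    if ($ssl.SslProtocol -lt [System.Security.Authentication.SslProtocols]::Tls12) {
        Write-Warning "Negotiated $($ssl.SslProtocol): a pre-1.2 protocol is still allowed by the OS or this process."
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Windows PowerShell 5.1 runs on the same .NET Framework stack as a desktop app on that machine, so with nothing else set this mirrors what the framework defaults give an application there. To reproduce an application that pins a version, set `[Net.ServicePointManager]::SecurityProtocol` in the session before running the script.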

It will be worth exploring the Microsoft documentation on TLS best practices.

For me the issue was solved by adding one of the below registry keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

m02ph3u5
Sony

I have to say two things are true:

1.) The HTTP client in .NET 4.7.2 reads SystemDefaultTlsVersions; the 4.6 one doesn't. If it is not present, 4.7.2 negotiates only down to SSL 3.0 and then stops. That was a fundamental change, and applications using that HTTP client had better add the registry value in their product setup separately.

2.) The OS does not block anything by default. The administrator must disable the lower levels of encryption if they should not be used. Technically, this happens under the SCHANNEL registry keys.

Just one example: to force TLS 1.1 you must disable TLS 1.0, SSL 3.0, SSL 2.0 and PCI 2.0 like this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

TLS 1.1 will have DisabledByDefault=0 and Enabled=1. In Server 2022 there is also one for TLS 1.3.

codeguru
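Added example serving this answer and the previous one (PowerShell, not code from either answerer): a read-back of the .NETFramework values and the SCHANNEL client protocol keys named above, so the machine's current state is visible before any of them is changed. Only the paths shown in the two answers are used; reading HKLM needs no elevation.

```powershell
# Added example, not code from any answer above: report the .NET Framework
# TLS opt-in values and the per-protocol SCHANNEL client settings as found.

function Get-ValueOrAbsent {
    param($Props, [string]$Name)
    # Distinguish "value not set" from an explicit 0 or 1.
    if ($null -eq $Props -or $null -eq $Props.$Name) { return "(absent)" }
    return $Props.$Name
}

# Keys from the previous answer (64-bit and WOW6432Node views, both runtimes).
$netKeys = @(
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319",
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727"
)
foreach ($key in $netKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                      = $key
        SystemDefaultTlsVersions = Get-ValueOrAbsent $props "SystemDefaultTlsVersions"
        SchUseStrongCrypto       = Get-ValueOrAbsent $props "SchUseStrongCrypto"
    }
}

# Client-side protocol keys from this answer. An absent key means the OS
# default for this Windows version applies; Enabled=0 turns the protocol off,
# DisabledByDefault=1 stops it being offered unless an application asks.
$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
foreach ($proto in "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3") {
    $props = Get-ItemProperty -Path "$schannel\$proto\Client" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol          = $proto
        Enabled           = Get-ValueOrAbsent $props "Enabled"
        DisabledByDefault = Get-ValueOrAbsent $props "DisabledByDefault"
    }
}
```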