
I have a web application integrated with some services and APIs. Some of these services, unfortunately, only support communication through TLS 1.1, but the newer ones require TLS 1.2.

I have tried to add the following initialization code:

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12

Or even a complete list of supported protocols:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12

In both cases, it seems that the framework only tries to use Tls12. When I try to communicate to the older services, the following exception is thrown:

The request was aborted: Could not create SSL/TLS secure channel.

How do I keep both protocols enabled? I am hoping to find a solution that could activate some kind of automatic fallback…

Daniel Brilho
  • *"... it seems that the framework only tries to use Tls12..."* - how did you check? If you've looked at the TLS ClientHello: it is pretty normal that the Client announces the best version it supports. A proper server will then respond with the best version (equal to or lower than the client version) it supports, and if the client accepts this it is fine. – Steffen Ullrich Jan 16 '20 at 21:09
  • Using "SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12" and inspecting with Fiddler, in the "CONNECT" request there is a "Version: 3.3 (TLS/1.2)" (raw inspector). When I change to only "SecurityProtocolType.Tls11", it works perfectly. – Daniel Brilho Jan 16 '20 at 22:12
  • Have you checked whether the Server is asking to validate its certificate(s) when the connection, in the handshake, is *demoted* to TLS1.1? Add a [ServerCertificateValidationCallback](https://learn.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.servercertificatevalidationcallback), set a breakpoint and see whether it's hit. All this must be set before any connection is initialized, of course (so, the ServicePointManager is configured before anything else). This could be useful: [Which TLS version was negotiated?](https://stackoverflow.com/a/48675492/7444103). – Jimi Jan 17 '20 at 01:59
  • @DanielBrilho: Again, it is perfectly normal for the client to start with the maximum version it supports. The server is supposed to reply with a lower version if it does not support the client's version. If the server does not do it then the server is terribly broken and should be fixed instead of worked around through non-standard measures (i.e. retry again with a lower version in a new connection). – Steffen Ullrich Jan 17 '20 at 08:31
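The diagnostic Jimi describes, written out as an added example (it is not code from the question or the comments): it configures `ServicePointManager` once before any request, logs what the validation callback sees without weakening the trust decision, and uses `SslStream` to report which TLS version each host actually negotiated. The host names are placeholders to replace with the legacy and modern services.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class TlsDiagnostics
{
    // Placeholder hosts (assumed); substitute the real legacy (TLS 1.1) and modern (TLS 1.2) services.
    const string LegacyHost = "legacy.example.invalid";
    const string ModernHost = "modern.example.invalid";

    static void Main()
    {
        // Process-wide setting: must run before the first connection is opened.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

        // Diagnostic callback: log the presented certificate and any policy errors,
        // but keep the standard outcome (reject on any error). Never blanket-return true.
        ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            var request = sender as HttpWebRequest;
            Console.WriteLine($"[cert] host={request?.RequestUri.Host} subject={cert?.Subject} errors={errors}");
            return errors == SslPolicyErrors.None;
        };

        foreach (var host in new[] { LegacyHost, ModernHost })
            Console.WriteLine($"{host}: {NegotiatedProtocol(host)}");
    }

    // Handshake directly over SslStream, offering TLS 1.1 and 1.2, and report what the server agreed to.
    // A server that aborts here instead of answering with Tls11 is the broken negotiation Steffen describes.
    static string NegotiatedProtocol(string host, int port = 443)
    {
        try
        {
            using (var client = new TcpClient(host, port))
            using (var ssl = new SslStream(client.GetStream(), false))
            {
                ssl.AuthenticateAsClient(host, null, SslProtocols.Tls11 | SslProtocols.Tls12, true);
                return "negotiated " + ssl.SslProtocol;   // e.g. Tls11 or Tls12
            }
        }
        catch (AuthenticationException ex) { return "handshake failed: " + ex.Message; }
        catch (SocketException ex)         { return "connect failed: " + ex.Message; }
    }
}
```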
