
Apologies if this question is a bit ignorant. I'm trying to figure out a way to make a .NET 4.0 application running under Windows 7 use TLS 1.3 when making HTTPS requests to the internet.

Context: Software is running in health clinics which for legacy reasons is .NET 4.0/Windows 7 and I can't change those two things without begging hospital IT. However, I can change the software I provide the hospital.

This question makes it seem like it's not possible: Is there a way for Windows 7 to support TLS 1.3 (.NET 4.8)

But... coming from a Linux background it just seems bizarre that there are no workarounds. Under Linux I believe I could just statically link a newer version of openssl/libcrypto into my app and I would be good to go. Why isn't that an option for .NET 4.0 applications? Shouldn't I be able to bundle in my own openssl/crypto/http client DLLs or something so it doesn't have to rely on Windows 7? I'm asking here before I spend hours attempting this in case I am missing something.

Gillespie
  • Windows 7 doesn't support TLS1.3, end-of. It's a monolithic operating system, it doesn't come with loads of different system packages that you can install. Unless of course you want to create your own SChannel provider and link it in, for which there is no documentation. If you want to use a *supported* version of Windows which has the latest security improvements then upgrade. Win7 is completely out of support now, and should really be consigned to the dustbin. In terms of .NET: that is reliant on the OS to provide SChannel support, so if it's not there then even .NET 6 won't help. – Charlieface Jun 15 '22 at 22:05
  • Seems like the latest cURL is somehow able to use TLS 1.3 under Windows 7 though? So seems like as a workaround I could spawn cURL processes to do TLS 1.3 requests for my .NET app? Any downsides to that? – Gillespie Jun 15 '22 at 22:44
  • I would imagine curl uses openssl, as it's part of the Windows Subsystem for Linux. As I said, this seems to be an exercise in futility: there are now so many unfixed security holes in Windows 7 that it's not worth it. – Charlieface Jun 15 '22 at 22:46
  • Yeah I'm with you on that. However, to sell products in real life you have to comply with seemingly unreasonable IT demands as is the case here... (if you develop web services classified as a "medical device" the FDA wants to know why you are allowing – Gillespie Jun 15 '22 at 22:54
  • Suffice to say, the FDA should certainly be more concerned about the Windows 7 aspect than about TLS 1.2, which is still perfectly secure with the correct cipher suite. I appreciate there is little you can do. Another option might be to run a virtual machine with a newer version of Windows, or even Linux, on top of their OS. – Charlieface Jun 15 '22 at 23:00
  • @Charlieface *the FDA should certainly be more concerned ...* "Should" and "`$GOVT_AGENCY`" are orthogonal concepts... ;-) – Andrew Henle Jun 15 '22 at 23:02
