
I am struggling with WCF over TLS 1.2. Our client machine has TLS 1.0 and 1.1 disabled. Our client software is on .NET 4.5 and our server is on .NET 4.8. I have also upgraded the client to .NET 4.8 with no success.

I already have the line of code on the client:

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

When my WCF is configured with the below, it does NOT work with the error message: "The client and server cannot communicate, because they do not possess a common algorithm"

  <customBinding>
    <binding name="wsBinding">
      <transactionFlow />
      <security authenticationMode="SecureConversation" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
        <localClientSettings maxClockSkew="00:30:00" />
        <localServiceSettings maxClockSkew="00:30:00" />
        <secureConversationBootstrap authenticationMode="UserNameForSslNegotiated" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          <localClientSettings maxClockSkew="00:30:00" />
          <localServiceSettings maxClockSkew="00:30:00" />
        </secureConversationBootstrap>
      </security>
      <textMessageEncoding>
        <readerQuotas maxDepth="32" maxStringContentLength="104857600" maxArrayLength="104857600" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      </textMessageEncoding>
      <httpsTransport maxBufferPoolSize="104857600" maxBufferSize="104857600" maxReceivedMessageSize="104857600" />
    </binding>
  </customBinding>

When I remove the <security/> tag from the server and update the client's configuration, it works fine:

  <customBinding>
    <binding name="wsBinding" openTimeout="00:05:00" closeTimeout="00:05:00" sendTimeout="00:05:00" receiveTimeout="00:05:00">
      <transactionFlow />
      <textMessageEncoding>
        <readerQuotas maxDepth="32" maxStringContentLength="104857600" maxArrayLength="104857600" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      </textMessageEncoding>
      <httpsTransport maxBufferPoolSize="104857600" maxBufferSize="104857600" maxReceivedMessageSize="104857600" />
    </binding>
  </customBinding>

The issue is that we need to allow ClockSkew.

It looks like adding the <security/> tag forces WCF to use TLS 1.0.

Does anybody have any idea of what is going on? How can I use ClockSkew and TLS 1.2?

  • The following may be helpful: [Transport Layer Security (TLS) best practices with the .NET Framework](https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls) and https://stackoverflow.com/questions/74790421/application-windows-form-strange-behavior-on-another-computer-with-same-net-fra/74800036#74800036. There are some additional URLs in the following post that may also be of interest: https://stackoverflow.com/a/70674920/10024425 – Tu deschizi eu inchid Feb 10 '23 at 19:50
  • You can refer to the docs for the setting of [ClockSkew](https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-set-a-max-clock-skew). – Jiayao Feb 13 '23 at 07:59
  • I followed the articles above with no success at all. If I remove the clockskew configuration it works, but with clockskew it doesn't work – Frederico Almeida Apr 18 '23 at 17:01

0 Answers