Can't get SslStream in C# to accept TLS 1.2 protocol with .net framework 4.6

Question

I have made a program that is supposed to accept an SSL connection. I want it to only accept TLS 1.2 to increase security.

To do this I have installed .net framework 4.6 and compiled the SW, using Visual studio 2015 express on a Windows 7 Professional SP1 pc. Target framework under "application" in VS have been set to 4.6

In the SW I use SslStream method to verify the certificate, and to ensure that only TLS 1.2 is used, I enter the line

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

I've tried inserting this line both at main() and just before making a new SSL stream

For test I use openssl to connect, with the command:

openssl s_client -connect 10.0.0.101:1400 -tls1_2 -cert MyCert.pem -key private.pem -CAfile entrust.cer

My problem is that the C# program gets the following exception:

Exception: A call to SSPI failed, see inner exception.

Inner exception: The function requested is not supported

Output from OpenSsl is

CONNECTED(00000150) 7964:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:

no peer certificate available

No client certificate CA names sent

SSLL handshake has read 5 bytes and written 7 bytes

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1457011106 Timeout : 7200 (sec) Verify return code: 0 (ok)

If I use -tls1 there is no problems, so I assume that it is because the .net SslStream doesn't support tls1_2 (or tls1_1)

Is there anyone that can explain what I do wrong

/Karsten

Answer 1

The ServicePointManager setup will fix web calls (for example with WebClient), but for SslStream you need a bit more. You need to provide the accepted security protocols in your call to AuthenticateAsClient. So instead of

sslStream.AuthenticateAsClient(hostname);

do this

sslStream.AuthenticateAsClient(hostname, null, SslProtocols.Tls12, true);