NET 4.5 can support TLS 1.2 however the default of anything lower than . NET 4.7 is TLS 1.1. So if you need to access something using TLS 1.2 you get an error as it will be trying to use the default. You can add the following code to your configuration file, to override the default.
You must update and retarget to NET Framework 4.6 or later versions to use TLS 1.1 and 1.2.
NET 4.0 only supports TLS v1. 0 and there is no standard way of forcing to use never TLS version.
Some of the those leaving comments on other answers have noted that setting System.Net.ServicePointManager.SecurityProtocol
to specific values means that your app won't be able to take advantage of future TLS versions that may become the default values in future updates to .NET. Instead of specifying a fixed list of protocols, do the following:
For .NET 4.7 or later, do not set System.Net.ServicePointManager.SecurityProtocol
. The default value (SecurityProtocolType.SystemDefault
) will allow the operating system to use whatever versions it knows and has been configured for, including any new versions that may not have existed at the time the app was created.
For earlier versions of .NET Framework, you can instead turn on or off protocols you know and care about, leaving any others as they are.
To turn on TLS 1.1 and 1.2 without affecting other protocols:
System.Net.ServicePointManager.SecurityProtocol |=
SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Notice the use of |=
to turn on these flags without turning others off.
To turn off SSL3 without affecting other protocols:
System.Net.ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
The default System.Net.ServicePointManager.SecurityProtocol
in both .NET 4.0/4.5
is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3
.
.NET 4.0
supports up to TLS 1.0
while .NET 4.5
supports up to TLS 1.2
However, an application targeting .NET 4.0
can still support up to TLS 1.2
if .NET 4.5
is installed in the same environment. .NET 4.5
installs on top of .NET 4.0
, replacing System.dll
.
I've verified this by observing the correct security protocol set in traffic with fiddler4
and by manually setting the enumerated values in a .NET 4.0
project:
ServicePointManager.SecurityProtocol = (SecurityProtocolType)192 |
(SecurityProtocolType)768 | (SecurityProtocolType)3072;
Reference:
namespace System.Net
{
[System.Flags]
public enum SecurityProtocolType
{
Ssl3 = 48,
Tls = 192,
Tls11 = 768,
Tls12 = 3072,
}
}
If you attempt the hack on an environment with ONLY .NET 4.0
installed, you will get the exception:
Unhandled Exception: System.NotSupportedException: The requested security protocol is not supported. at System.Net.ServicePointManager.set_SecurityProtocol(SecurityProtocolType v alue)
However, I wouldn't recommend this "hack" since a future patch, etc. may break it.*
Therefore, I've decided the best route to remove support for SSLv3
is to:
.NET 4.5
Add the following to boostrapping code to override the default and future proof it:
System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
*Someone correct me if this hack is wrong, but initial tests I see it works
You can override the default behavior in following registry:
Key : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Type: REG_DWORD
Data : 1
and
Key : HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
Value: SchUseStrongCrypto
Type: REG_DWORD
Data : 1
For details, please see the implementation of ServicePointManager
.
Create a text file with a .reg
extension and the following contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Or download it from the following source:
https://gist.githubusercontent.com/dana-n/174759ce95e04fa1a8fd691f633ccbd3/raw/NET40-Enable-TLS-1_2.reg
Double-click to install...
I have found that when I specify only TLS 1.2 that it will still down negotiate to 1.1.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
I have specified this in the Global.asax startup method for my .net 4.5 web app.
Following code will:
Constants:
Other protocols will not be affected. This makes this compatible with future protocols (Tls1.3, etc).
// print initial status
Console.WriteLine("Runtime: " + System.Diagnostics.FileVersionInfo.GetVersionInfo(typeof(int).Assembly.Location).ProductVersion);
Console.WriteLine("Enabled protocols: " + ServicePointManager.SecurityProtocol);
Console.WriteLine("Available protocols: ");
Boolean platformSupportsTls12 = false;
foreach (SecurityProtocolType protocol in Enum.GetValues(typeof(SecurityProtocolType))) {
Console.WriteLine(protocol.GetHashCode());
if (protocol.GetHashCode() == 3072){
platformSupportsTls12 = true;
}
}
Console.WriteLine("Is Tls12 enabled: " + ServicePointManager.SecurityProtocol.HasFlag((SecurityProtocolType)3072));
// enable Tls12, if possible
if (!ServicePointManager.SecurityProtocol.HasFlag((SecurityProtocolType)3072)){
if (platformSupportsTls12){
Console.WriteLine("Platform supports Tls12, but it is not enabled. Enabling it now.");
ServicePointManager.SecurityProtocol |= (SecurityProtocolType)3072;
} else {
Console.WriteLine("Platform does not supports Tls12.");
}
}
// disable ssl3
if (ServicePointManager.SecurityProtocol.HasFlag(SecurityProtocolType.Ssl3)) {
Console.WriteLine("Ssl3SSL3 is enabled. Disabling it now.");
// disable SSL3. Has no negative impact if SSL3 is already disabled. The enclosing "if" if just for illustration.
System.Net.ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
}
Console.WriteLine("Enabled protocols: " + ServicePointManager.SecurityProtocol);
Runtime: 4.7.2114.0
Enabled protocols: Ssl3, Tls
Available protocols:
0
48
192
768
3072
Is Tls12 enabled: False
Platform supports Tls12, but it is not enabled. Enabling it now.
Ssl3 is enabled. Disabling it now.
Enabled protocols: Tls, Tls12
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With