Disabling TLS 1.0 breaks ASP.NET application

Running on Windows Server 2012R2

I am trying to disable TLS 1.0 on IIS because client has a site scanner which highlights that as a security problem.

I have a clean test server set up and App is running fine until I disable TLS 1.0.

I updated all the appropriate settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

In the event viewer, I get:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

If I revert the registry settings just for TLS 1.0 (Enabled, not DisabledByDefault), everything is fine again.

Using in system.web:

<httpRuntime targetFramework="4.7.2" />

What am I missing?

Cade Roux asked May 14 '18 20:05

2 Answers

If you are using .NET 4.7 or higher, try this.

I have used IIS Crypto for this. You disable TLS 1.0 and 1.1, apply and restart. After this, all your applications, SharePoints and sites will use TLS 1.2.

You should also indicate the destination version in your web.config file:

<system.web>
   <httpRuntime targetFramework="4.7.2" />
   <compilation targetFramework="4.7.2"></compilation>
</system.web>

This will make it support TLS 1.2 and also always force this protocol.

Vallemar answered Oct 14 '22 06:10


The application itself must be updated to support TLS 1.2 handshakes, so it's not something you can necessarily change if you only have access to configuration. If the underlying code does not support it, it will not work.

If the code targets .NET 4.6, I believe, TLS 1.2 will work natively. In 4.5, a line of code must be put in place such that it is executed before any networking occurs. The code:

// Must run before the first outbound connection (e.g. in Application_Start)
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
hurlman answered Oct 14 '22 05:10
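As an added check that is not part of the question or either answer: a PowerShell script that reads back the SChannel protocol keys and the four SchUseStrongCrypto values from the question's .reg file, reports whether each protocol is still usable on the client and server side, and shows what the local .NET runtime offers by default. The function names are my own, and it assumes the Windows Server 2012 R2 defaults, where an absent Enabled or DisabledByDefault value means the protocol is on.

```powershell
# Added audit script (not from the question or answers). Run in an elevated
# PowerShell on the IIS host; it only reads the registry and runtime state.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegDword {
    # Returns $null when the key or value is absent, so "not set" stays
    # distinguishable from an explicit 0.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-SchannelProtocolState {
    # SChannel treats a protocol as usable when Enabled is absent or non-zero
    # (0xffffffff reads back as -1) AND DisabledByDefault is absent or 0.
    # Assumption: absent values fall back to the 2012 R2 default, which is "on".
    param([string]$Protocol, [string]$Side)
    $key      = Join-Path $schannel "$Protocol\$Side"
    $enabled  = Get-RegDword -Path $key -Name 'Enabled'
    $disabled = Get-RegDword -Path $key -Name 'DisabledByDefault'
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabled
        Usable            = ($enabled -ne 0) -and (-not $disabled)
    }
}

$rows = foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($s in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$rows | Format-Table -AutoSize

# All four .NET keys must carry SchUseStrongCrypto=1: a 32-bit app pool reads the
# Wow6432Node copy, and a .NET 3.5 (CLR 2.0) app reads the v2.0.50727 copy.
$dotnetKeys | ForEach-Object {
    [pscustomobject]@{ Key = $_; SchUseStrongCrypto = Get-RegDword -Path $_ -Name 'SchUseStrongCrypto' }
} | Format-Table -AutoSize

# Default for the .NET runtime hosting this session. On 4.7+ with the keys above
# this reads "SystemDefault", i.e. it defers to SChannel; older runtimes show "Ssl3, Tls".
"Runtime SecurityProtocol: $([System.Net.ServicePointManager]::SecurityProtocol)"

if ($rows | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Usable }) {
    Write-Warning 'TLS 1.0 is still usable on at least one side; a scanner will flag it.'
}
```

If the table shows TLS 1.0 unusable and every SchUseStrongCrypto value is 1 but the site still fails, the remaining suspect is an outbound dependency (database driver, web service client) that pins an older protocol in code, which is the case hurlman's answer describes.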