
How to get metadata using SvcUtil.exe with an endpoint that has TLS 1.2

Does anyone know how to make SvcUtil.exe connect to an endpoint that is using TLS 1.2? I am using .NET Framework version 4.6.1.

When I connect using VS 2017, I can see using Fiddler that the request is established over a tunnel using a ClientHello handshake that uses Version: 3.3 (TLS/1.2). However, when I use svcutil.exe directly, it tries to use a request that tries to establish a tunnel using a ClientHello handshake of Version: 3.1 (TLS/1.0) and subsequently fails.

I was hoping I might be able to set something in the SvcUtil.exe.config like the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false" />
  </runtime>
  <system.net>
    <settings>
        <servicepointmanager securityprotocol="tls12">
        </servicepointmanager>
    </settings>
  </system.net>
</configuration>

That would mirror the equivalent SecurityProtocol property on the ServicePointManager class. However, that just produces the following error:

 Unrecognized element 'servicepointmanager'.

I am using the SvcUtil as follows:

SvcUtil https://myserver/myservice/mex

Tom Maher asked Oct 12 '17 10:10


2 Answers

I tried to use the recommended way from the documentation as well, but I could not get it to work. So I assumed that it uses some custom configuration sections. Instead, I am currently using the following console application to load svcutil.exe and set the required property manually:

using System.Net;
using System.Reflection;

namespace SvcUtil2
{
    class Program
    {
        static void Main(string[] args)
        {
            // ServicePointManager settings are process-wide, so this must be set
            // before SvcUtil's own code opens its first HTTPS connection.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            // Your SvcUtil path here
            var svcUtilPath = @"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.1 Tools\SvcUtil.exe";
            // Load SvcUtil.exe into this process and run its Main with our arguments.
            var svcUtilAssembly = Assembly.LoadFile(svcUtilPath);
            svcUtilAssembly.EntryPoint.Invoke(null, new object[] { args });
        }
    }
}

I know that it might not answer your actual question but I hope it is still useful.

ZiggZagg answered Sep 27 '22 21:09


The solution is to follow and add the HKEY provided in the following link to allow TLS 1.2 only services via svcutil:
https://blogs.msdn.microsoft.com/dsnotes/2015/09/23/wcf-ssltls-failure-during-add-service-reference-system-net-security-sslstate-processauthentication/

In short, the solution is as follows:

  • Add the following registry setting DWORD value as 1 and restart the box: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

  • If the application is 32-bit running on x64 Windows, we need to modify the same key under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

I've tried after adding the same and restarting the machine and it works.

Varun answered Sep 27 '22 22:09
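
The registry steps from the answer above, as an added PowerShell example that is not part of either answer: it reports SchUseStrongCrypto in both the 64-bit and the 32-bit (Wow6432Node) registry views and only writes the value when asked to. The function name Get-StrongCryptoState and the -Fix switch are names made up for this example; the key path and value name are the ones given in the answer.

```powershell
# Added example: audit SchUseStrongCrypto in both registry views; write it only with -Fix.
# -Fix needs an elevated prompt. Get-StrongCryptoState and -Fix are hypothetical names.
param([switch]$Fix)

$subKey = 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319'   # path from the answer
$name   = 'SchUseStrongCrypto'

function Get-StrongCryptoState {
    param([Microsoft.Win32.RegistryView]$View, [switch]$Fix)

    # OpenBaseKey selects the 64-bit or 32-bit view explicitly, so the result does
    # not depend on whether this PowerShell host is itself 32-bit or 64-bit.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        # CreateSubKey opens the key writable (creating it if absent); OpenSubKey is read-only.
        $key = if ($Fix) { $base.CreateSubKey($subKey) } else { $base.OpenSubKey($subKey) }
        if ($null -eq $key) {
            return [pscustomobject]@{ View = $View; Value = $null; Status = 'key missing' }
        }
        try {
            $value = $key.GetValue($name, $null)
            if ($Fix -and $value -ne 1) {
                $key.SetValue($name, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
                $value = $key.GetValue($name, $null)
            }
            $status = if ($value -eq 1) { 'enabled' } else { 'not enabled' }
            [pscustomobject]@{ View = $View; Value = $value; Status = $status }
        }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

# On 32-bit Windows there is only one view, so check it once.
$views = if ([Environment]::Is64BitOperatingSystem) {
    [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
} else {
    [Microsoft.Win32.RegistryView]::Default
}

$views | ForEach-Object { Get-StrongCryptoState -View $_ -Fix:$Fix } | Format-Table -AutoSize
```

Run it without arguments to audit a build machine, and with -Fix from an elevated prompt to apply the change; the answer above restarts the machine afterwards.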