Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and .NET 4.5.1?

Tags:

c#

.net

ssl

wcf

tls1.2

On our Windows 2012 Server R2, we need to disabled TLS 1.0.

However we have .NET 4.5 Wcf services running. We found that if we disable TLS 1.0 that the WCF services no longer run, as we get the error 'An existing connection was forcibly closed by the remote host'.

Is TLS 1.1/1.2 enabled by default in .NET 4.5 and .NET 4.5.1 ? If not, which we assume is the case, where in our WCF project do we force the project to use TLS 1.1/1.2 ?

like image 574
neildt Avatar asked Jan 21 '16 09:01

neildt


People also ask

Is TLS 1.2 Enabled by default?

According to below two articles, TLS 1.2 is enabled by default on Windows 8/Windows Server 2012 and later vsesions. "For TLS 1.2 default settings, see Protocols in the TLS/SSL (Schannel SSP)." While Protocols in the TLS/SSL (Schannel SSP) indicates TLS 1.2 is enabled.

How do you check if TLS 1.1 or 1.2 is enabled?

Click on: Start -> Control Panel -> Internet Options 2. Click on the Advanced tab 3. Scroll to the bottom and check the TLS version described in steps 3 and 4: 4. If Use SSL 2.0 is enabled, you must have TLS 1.2 enabled (checked) 5.

What version of TLS does .NET 4.0 use?

NET 4.0 only supports TLS v1. 0 and there is no standard way of forcing to use never TLS version.


2 Answers

Is TLS 1.1/1.2 enabled by default in .NET 4.5 and .NET 4.5.1?

No. The default protocols enabled for the various framework versions are:

  • .NET Framework 4.5 and 4.5.1: SSLv3 and TLSv1
  • .NET Framework 4.5.2: SSLv3, TLSv1, and TLSv1.1
  • .NET Framework 4.6 and higher: TLSv1, TLSv1.1, and TLS1.2

Sources: [1] [2] [3]

While Microsoft recommends against explicitly specifying protocol versions in favour of using the operating system's defaults:

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports.

... it's still possible to select which protocols your application supports by using the ServicePointManager class, specifically by setting the SecurityProtocol property to the relevant SecurityProtocolTypes.

In your case you would want to use the following:

System.Net.ServicePointManager.SecurityProtocol =     SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 

Note that TLSv1 and TLSv1.1 are effectively deprecated as of 2020; you should avoid building new applications that rely on these protocols, and make every effort to upgrade applications that currently use them.

like image 134
Ian Kemp Avatar answered Sep 20 '22 18:09

Ian Kemp


The answer by Ian Kemp works without an issue, but I just wanted to provide another answer that means you don't have to recompile your code.

Anything above .NET 4.5 can support TLS 1.2 however the default of anything lower than .NET 4.7 is TLS 1.1. So if you need to access something using TLS 1.2 you get an error as it will be trying to use the default.

You can add the following code to your configuration file, to override the default.

<runtime>       <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/> </runtime> 

Update

For .NET Framework 4.7 and later versions, defaults to the OS choosing the best security protocol and version.

For .NET Framework 4.6 to 4.6.2 the AppContext switches can be placed in the app.config or webconfig, as the system default will be set to a lower TLS or SSL Version.

<runtime> <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/> </runtime> 

For .NET Framework 4.5 to 4.5.2 the registry keys SchUseStrongCrypto and SystemDefaultTlsVersions will need to be set.

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto 

The SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography and a value of 0 disables strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. For .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions 

The SystemDefaultTlsVersions registry key has a value of type DWORD. A value of 1 causes your app to allow the operating system to choose the protocol. A value of 0 causes your app to use protocols picked by the .NET Framework.

If the application targets .NET Framework 4.6.1 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

Example for 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001 

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001 
like image 45
RickWeb Avatar answered Sep 17 '22 18:09

RickWeb