I have a simple question but can't find an answer anywhere. I have a WCF server application. I want it to use ONLY TLS 1.2.
I have no control over the client and am not able to edit the SCHANNEL settings on the machine.
I already tried the following, which seems to work only for outgoing connections (client side):

```csharp
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
```

Is there any way to restrict anything but TLS 1.2 server side per code?
EDIT: I am using a net.tcp binding and create bindings like this:

```csharp
// Namespaces this method depends on
using System;
using System.Net.Security;              // ProtectionLevel
using System.Security.Authentication;   // SslProtocols
using System.ServiceModel;
using System.ServiceModel.Channels;     // Binding
using System.ServiceModel.Security;     // SecurityAlgorithmSuite

private static Binding CreateNetTcpBinding()
{
    return new NetTcpBinding
    {
        ReceiveTimeout = TimeSpan.FromMinutes(10),
        ReliableSession =
        {
            Enabled = true,
            InactivityTimeout = TimeSpan.FromMinutes(1)
        },
        Security =
        {
            Mode = SecurityMode.Transport,
            Transport =
            {
                ClientCredentialType = TcpClientCredentialType.Windows,
                ProtectionLevel = ProtectionLevel.EncryptAndSign,
                SslProtocols = SslProtocols.Tls12
            },
            Message =
            {
                // AlgorithmSuite = SecurityAlgorithmSuite.xxx  <-- not here on purpose
                ClientCredentialType = MessageCredentialType.Windows
            }
        }
    };
}
```
If someone could tell me where to check the TLS version of the current connection (some context), that would also be enough!
Thank you in advance!
There are indeed a few properties in the ServicePointManager beside SecurityProtocol which are checked during the authentication step, but they are all internal. There also seems to be no visible backdoor to override the entire implementation of the SslStream or TcpTransportSecurity, which implement the skeleton of the transport security for the NetTcpBinding, either.
```csharp
public partial class ServicePointManager
{
    ...
    internal static bool DisableStrongCrypto
    internal static bool DisableSystemDefaultTlsVersions
    internal static SslProtocols DefaultSslProtocols
    ...
}
```
If you have write permission for the server machine registry, check out what @JohnLouros described very well one year ago in his posts on how to disable weak protocols and how to enable strong cryptography.

Here is another good answer from @MattSmith describing how authentication for the NetTcpBinding is handled by the operating system itself behind the scenes.
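Since the answer points to the registry route rather than a code-level switch, here is an added PowerShell example (not from the question, the answer, or the linked posts) that disables the weak SCHANNEL protocols for incoming connections only and sets the .NET Framework strong-crypto values. It assumes an elevated session on the server; the protocol key names and registry paths are the standard SCHANNEL and .NET Framework 4.x ones.

```powershell
# Added example: server-side TLS hardening via the registry values the linked posts describe.
# Run elevated. SCHANNEL changes take effect after a reboot.
$weakProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$schannelRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Side,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    $key = Join-Path $schannelRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps SCHANNEL from offering it
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

# Only the 'Server' side is touched: the question states the client side is not ours to change.
foreach ($p in $weakProtocols) { Set-SchannelProtocol -Protocol $p -Side Server -Enabled $false }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Server -Enabled $true

# Make .NET Framework 4.x hosts (the WCF service) use strong crypto and the OS protocol defaults.
# These values are the registry counterparts of the internal DisableStrongCrypto and
# DisableSystemDefaultTlsVersions flags shown in the answer.
$dotNetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($fw in $dotNetKeys) {
    if (Test-Path $fw) {
        New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Verification: list the resulting server-side state per protocol.
Get-ChildItem $schannelRoot | ForEach-Object {
    $server = Join-Path $_.PSPath 'Server'
    if (Test-Path $server) {
        $v = Get-ItemProperty $server
        [pscustomobject]@{ Protocol = $_.PSChildName; Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault }
    }
}
```

Note that net.tcp transport security with ClientCredentialType Windows is negotiated through NegotiateStream (SSPI) rather than SslStream, so the SslProtocols binding property and these SCHANNEL values govern the certificate-credential and HTTPS paths, not that Windows negotiation.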