Why is the ServicePointManager.SecurityProtocol default value different on different machines?

Currently I have an issue and can't find a strict answer to it.

I have an ASP.NET MVC 5 application targeting the 4.6.1 framework, and its goal is to work with third-party APIs that are secured by the TLS 1.1/TLS 1.2 protocols.

I have tried to run my application on 2 environments:

  • my local machine: Windows 10 with .NET Framework 4.6.2, IIS Express;
  • server machine: Windows Server 2012 with .NET Framework 4.6.1, IIS 8.0.

The issue is that when I start it locally, the ServicePointManager.SecurityProtocol default value is set to Ssl3, Tls, so I can't target the APIs and have to code it at application start to use TLS 1.1/TLS 1.2: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12.

When the application runs on the server, the default value of ServicePointManager.SecurityProtocol is set to Tls, Tls11, Tls12, so it works well.

According to the documentation, applications running on .NET Framework 4.6 or above have to use TLS 1.1/TLS 1.2 by default, which is how it is on the remote machine.

Why are the default values of ServicePointManager.SecurityProtocol different? Is it because of .NET Framework configuration? Or maybe registry settings? I have searched through them but couldn't find an answer.

Oleh Udovytskyi asked Aug 31 '16 10:08




2 Answers

MSDN: ServicePointManager.SecurityProtocol Property:

Note that no default value is listed for this property, on purpose. The security landscape changes constantly, and default protocols and protection levels are changed over time in order to avoid known weaknesses. Defaults will vary depending on individual machine configuration, and on which software is installed, and on which patches have been applied.

MSDN Blogs: Support for SSL/TLS protocols on Windows:

On Windows the support for SSL/TLS protocols is tied to the SCHANNEL component. So, if a specific OS version doesn’t support a SSL/TLS version, this means it remains unsupported.

MSDN: Cipher Suites in TLS/SSL (Schannel SSP)

Different Windows versions support different TLS cipher suites and priority order. See the corresponding Windows version for the default order in which they are chosen by the Microsoft Schannel Provider.

In other words: this is determined by your Windows version and its patch level.

But like @Damien said, why would you bother about what the default level is?

CodeCaster answered Sep 18 '22 07:09


We can update the registry like below to let the .NET Framework use TLS 1.1/TLS 1.2; a restart is needed.

I've tried it, and the value of ServicePointManager.SecurityProtocol on my machine changed from "Ssl3, Tls" to "Tls, Tls11, Tls12":

Windows Registry Editor Version 5.00

; 64-bit hive: applies to 64-bit .NET Framework 4.x processes
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

; WOW6432Node hive: applies to 32-bit .NET Framework 4.x processes on 64-bit Windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
strisunshine answered Sep 21 '22 07:09
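As an added example (not code from either answer), the following Windows PowerShell script ties the two answers together: it reports the OS and CLR version that the first answer says determine the default, reads the SchUseStrongCrypto value under both registry keys from the second answer, shows the SecurityProtocol default seen by the current .NET Framework process, and writes the value only when run with an assumed -Apply switch from an elevated session.

```powershell
# Added example, not part of the original question or answers.
# Run in Windows PowerShell 5.1 (which runs on .NET Framework 4.x, so the
# reported SecurityProtocol reflects the same machine-wide default an
# ASP.NET 4.6.x app would see; PowerShell 7 runs on .NET Core and is not
# representative). Elevation is required only for -Apply.
param(
    [switch]$Apply   # assumed parameter name: without it the script only reports
)

# The two keys named in the answer above: native hive and WOW6432Node (32-bit) hive.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$name = 'SchUseStrongCrypto'

function Get-StrongCryptoState {
    # Returns one row per key: whether the value exists and what it is set to.
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Key     = $key
            Present = ($null -ne $value)
            Value   = $value
        }
    }
}

# Machine facts the first answer points at: Windows version and CLR version.
Write-Output "OS:  $([Environment]::OSVersion.VersionString)"
Write-Output "CLR: $([Environment]::Version)"

# Effective default in this process (valid only if nothing earlier in the
# session has already assigned [Net.ServicePointManager]::SecurityProtocol).
Write-Output "ServicePointManager.SecurityProtocol in this process: $([Net.ServicePointManager]::SecurityProtocol)"
Write-Output ""
Get-StrongCryptoState | Format-Table -AutoSize

if ($Apply) {
    foreach ($key in $keys) {
        # Create the key if the .NET Framework 4 key is missing on this machine.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        Write-Output "Set $name=1 under $key"
    }
    Write-Output "Restart the machine, as the answer notes, for the new default to take effect."
}
```

Run it once without -Apply on both machines and compare the three reported lines: a difference in OS version, CLR version or SchUseStrongCrypto presence explains a different default. Setting the value in both hives matters because a 32-bit application pool reads the Wow6432Node key, so fixing only the native key leaves such pools on the old default.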