9
votes

I have made a program that is supposed to accept an SSL connection. I want it to only accept TLS 1.2 to increase security.

To do this I have installed .NET Framework 4.6 and compiled the SW using Visual Studio 2015 Express on a Windows 7 Professional SP1 PC. Target framework under "Application" in VS has been set to 4.6.

In the SW I use the SslStream method to verify the certificate, and to ensure that only TLS 1.2 is used, I enter the line

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

I've tried inserting this line both in main() and just before creating a new SSL stream.

For testing I use OpenSSL to connect, with the command:

openssl s_client -connect 10.0.0.101:1400 -tls1_2 -cert MyCert.pem -key private.pem -CAfile entrust.cer

My problem is that the C# program gets the following exception:

Exception: A call to SSPI failed, see inner exception.

Inner exception: The function requested is not supported

Output from OpenSSL is

CONNECTED(00000150)
7964:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:.\ssl\s3_pkt.c:362:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 5 bytes and written 7 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1457011106
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

If I use -tls1 there are no problems, so I assume that it is because the .NET SslStream doesn't support tls1_2 (or tls1_1).

Is there anyone who can explain what I am doing wrong?

/Karsten

1
After some time I found out that TLS 1.1 and 1.2 aren't enabled in Win 7 by default. MS gives, in TLS/SSL Settings, a guide on how to enable it by making changes via regedit. My problem now is that when looking at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols I only have an SSL 2.0 entry, but as stated it works on SSL3 / TLS1.0. Do I have to make changes in the reg. database? – Karsten L
I am not familiar with OpenSSL nor with using SslStream in listen mode, so I can't answer your question directly. However, I do know that my Windows 7 enables the TLS protocols 1.0, 1.1, and 1.2. The registry entries on SCHANNEL can be used to disable specific protocols, but their default state is enabled. You should not have to change the registry to get this to work. – Prof Von Lemongargle
Hi... well... that's one of the things I don't understand. I can connect with TLS 1.2 to a browser etc., but if I try to connect to the console application with TLS 1.2 I'm rejected with the description above, even though I use framework 4.6 in properties and set the TLS 1.2 flag in the security protocol flag... – Karsten L
@Karsten Did it work after you made the registry edits? – Eric
@KarstenL Did you figure out how to fix this issue? – Peru

1 Answer

21
votes

The ServicePointManager setup will fix web calls (for example with WebClient), but for SslStream you need a bit more. You need to provide the accepted security protocols in your call to AuthenticateAsClient. So instead of

sslStream.AuthenticateAsClient(hostname);

do this

sslStream.AuthenticateAsClient(hostname, null, SslProtocols.Tls12, true);
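The question's program is the accepting side, so the matching call there is the AuthenticateAsServer overload that also takes an SslProtocols argument. The following is an added example, not code from the question or the answer, showing both ends pinned to TLS 1.2 on an SslStream, plus the failure mode the question hit (a peer that offers an older version is refused). It assumes a PFX file holding the server certificate and private key at args[0] with its password in args[1], and that loopback port 1400 (the port from the question's s_client command) is free; the thumbprint-pinning validation callback is an assumption made so a self-signed test certificate works offline.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

// Added example (not from the question or answer). Assumes a PFX with the
// server certificate + private key at args[0] and its password at args[1].
static class Tls12OnlyDemo
{
    // Pin the protocol on the SslStream call itself. ServicePointManager.SecurityProtocol
    // governs HttpWebRequest/WebClient and has no effect on SslStream.
    const SslProtocols Allowed = SslProtocols.Tls12;
    const int Port = 1400;

    // Server side: accept one connection, allow only TLS 1.2, echo one message
    // and report the protocol Schannel actually negotiated.
    static SslProtocols ServeOnce(TcpListener listener, X509Certificate2 serverCert)
    {
        using (TcpClient client = listener.AcceptTcpClient())
        using (SslStream ssl = new SslStream(client.GetStream(), false))
        {
            // (serverCertificate, clientCertificateRequired, enabledSslProtocols, checkCertificateRevocation)
            ssl.AuthenticateAsServer(serverCert, false, Allowed, false);
            byte[] buf = new byte[256];
            int n = ssl.Read(buf, 0, buf.Length);
            ssl.Write(buf, 0, n);
            return ssl.SslProtocol;
        }
    }

    // Client side: offer only the given protocols and accept the server only if its
    // certificate thumbprint matches the one we loaded (pinning; assumption for a
    // self-signed test cert). Production code would also inspect the errors argument.
    static string Connect(SslProtocols protocols, string expectedThumbprint, string message)
    {
        using (TcpClient tcp = new TcpClient("127.0.0.1", Port))
        using (SslStream ssl = new SslStream(tcp.GetStream(), false,
                   (sender, cert, chain, errors) =>
                       string.Equals(new X509Certificate2(cert).Thumbprint,
                                     expectedThumbprint, StringComparison.OrdinalIgnoreCase)))
        {
            // (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
            ssl.AuthenticateAsClient("localhost", null, protocols, false);
            byte[] data = Encoding.ASCII.GetBytes(message);
            ssl.Write(data, 0, data.Length);
            byte[] buf = new byte[256];
            int n = ssl.Read(buf, 0, buf.Length);
            return Encoding.ASCII.GetString(buf, 0, n);
        }
    }

    static void Main(string[] args)
    {
        X509Certificate2 serverCert = new X509Certificate2(args[0], args[1]);
        TcpListener listener = new TcpListener(IPAddress.Loopback, Port);
        listener.Start();

        // 1. A TLS 1.2 client is accepted; both ends see TLS 1.2.
        Task<SslProtocols> server = Task.Run(() => ServeOnce(listener, serverCert));
        string echoed = Connect(SslProtocols.Tls12, serverCert.Thumbprint, "hello");
        Console.WriteLine("echo: {0}, server negotiated {1}", echoed, server.Result);

        // 2. A client that offers only TLS 1.1 is refused: the handshake fails on both
        //    sides (AuthenticationException, or IOException if the peer drops the socket first).
        Task<SslProtocols> refused = Task.Run(() =>
        {
            try { return ServeOnce(listener, serverCert); }
            catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
            { return SslProtocols.None; }
        });
        try
        {
            Connect(SslProtocols.Tls11, serverCert.Thumbprint, "hello");
            Console.WriteLine("unexpected: TLS 1.1 was accepted");
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
        {
            Console.WriteLine("TLS 1.1 refused as intended: " + ex.Message);
        }
        Console.WriteLine("server result for refused handshake: " + refused.Result);
        listener.Stop();
    }
}
```

Run it with the PFX path and password as the two arguments; the first connection echoes "hello" and prints Tls12 for the server, the second is rejected. Checking ssl.SslProtocol after the handshake is the cheap way to confirm the restriction took effect rather than trusting the configuration alone.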