12
votes

I have a simple question but can't find an answer anywhere. I have a WCF server application. I want it to use ONLY TLS 1.2.

I have no control over the client and am not able to edit the SCHANNEL settings on the machine.

I did already try the following, which seems to work only for outgoing connections (client side):

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 

Is there any way to restrict anything but TLS 1.2 server-side in code?

EDIT: I am using a net.tcp binding and create bindings like this:

using System;
using System.Net.Security;
using System.Security.Authentication;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

private static Binding CreateNetTcpBinding()
{
    return new NetTcpBinding
    {
        ReceiveTimeout = TimeSpan.FromMinutes(10),

        ReliableSession =
        {
            Enabled = true,
            InactivityTimeout = TimeSpan.FromMinutes(1)
        },
        Security =
        {
            Mode = SecurityMode.Transport,
            Transport =
            {
                ClientCredentialType = TcpClientCredentialType.Windows,
                ProtectionLevel = ProtectionLevel.EncryptAndSign,
                SslProtocols = SslProtocols.Tls12
            },
            Message =
            {
                AlgorithmSuite = SecurityAlgorithmSuite.xxx, // <-- not here on purpose
                ClientCredentialType = MessageCredentialType.Windows
            }
        }
    };
}

If someone could tell me where to check the TLS version of the current connection (some context), that would also be enough!

Thank you in advance!

2
Been a while since I stumbled upon a good WCF question! – iamkrillin
Looks like your issue is addressed in .NET Framework 4.7 - Ability to configure the default message security settings to TLS 1.1 or TLS 1.2 – Ivan Stoev

2 Answers

1
votes

There are indeed a few properties in the ServicePointManager besides SecurityProtocol which are checked during the authentication step, but they are all internal. There also seems to be no visible backdoor to override the entire implementation of the SslStream or TcpTransportSecurity, which implement the skeleton of the transport security for the NetTcpBinding, either.

public partial class ServicePointManager {
    ...
    internal static bool DisableStrongCrypto
    internal static bool DisableSystemDefaultTlsVersions 
    internal static SslProtocols DefaultSslProtocols
    ...
}

If you have write permission for server machine registry, check out what @JohnLouros described very well one year ago in his posts on how to disable weak protocols and how to enable strong cryptography.

Here is another good answer from @MattSmith describing how authentication for the NetTcpBinding is handled by the operating system itself behind the scenes.
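The registry route this answer points to, worked through as an added example (PowerShell written here, not the answer's own code nor taken from the linked posts): it assumes a Windows host running the service on .NET Framework 4.x and an elevated shell, and touches only the documented SCHANNEL and .NET Framework keys.

```powershell
#Requires -RunAsAdministrator
# Added example, not the answer's own code: disable legacy protocols for the
# *accepting* (server) side of SCHANNEL and make .NET Framework 4.x follow the
# OS protocol list with strong crypto. This is machine-wide: it affects every
# SCHANNEL-based server on the host (IIS, RDP, ...), not only the WCF service,
# and takes effect after a reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy   = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Only the '\Server' subkeys are touched; '\Client' is left alone so the
# machine's own outgoing connections are not affected by this change.
foreach ($proto in $legacy) {
    $server = Join-Path (Join-Path $schannel $proto) 'Server'
    Set-DwordValue -Path $server -Name 'Enabled'           -Value 0
    Set-DwordValue -Path $server -Name 'DisabledByDefault' -Value 1
}

# .NET Framework 4.x, both bitnesses: prefer strong crypto and the OS default
# protocol list instead of the framework's hard-coded one.
foreach ($net in @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')) {
    Set-DwordValue -Path $net -Name 'SchUseStrongCrypto'       -Value 1
    Set-DwordValue -Path $net -Name 'SystemDefaultTlsVersions' -Value 1
}

# Read the server-side state back so the change can be verified now and audited later.
function Get-SchannelServerState {
    foreach ($proto in @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')) {
        $key = Join-Path (Join-Path $schannel $proto) 'Server'
        $p   = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($null -eq $p.Enabled) { '(OS default)' } else { $p.Enabled }
            DisabledByDefault = if ($null -eq $p.DisabledByDefault) { '(OS default)' } else { $p.DisabledByDefault }
        }
    }
}
Get-SchannelServerState | Format-Table -AutoSize
```

Rows showing "(OS default)" mean the key is absent and Windows applies its built-in default for that protocol version, which differs between Windows releases.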

-1
votes

Did you try to use ServicePointManager.ServerCertificateValidationCallback? This callback gives you an opportunity to validate the server certificate by yourself. For example, something like this:

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

ServicePointManager.ServerCertificateValidationCallback = MyCertHandler;
...
static bool MyCertHandler(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors error)
{
    // Your logic here for certificate validation
    // (placeholder: accept only certificates that passed the default chain validation)
    return error == SslPolicyErrors.None;
}