.Net Framework 4.6.1 not defaulting to TLS 1.2

53
votes

Our client have recently upgrade the security protocol to TLS 1.2. Therefore We have our application upgraded to 4.6.1 expecting the security protocol will be default to TLS 1.2 but it is not. Any idea why?

11
.netssltls1.2.net-4.6.1
How do you know it's not? What did you try? - Panagiotis Kanavos
TLS 1.2 does work in 4.6.2 by default - using HttpClient to retrieve Google.com homepage (TLS1.2) works without issues - Panagiotis Kanavos
We are getting this error when connecting to server "This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case." However when adding this line in the startup method of Global.asax file fixed this issue. ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3; But we want to know why we need to set this if we have our application in .Net 4.6.1 - Harihara Iyer
What error? What code? I can't reproduce anything with a console application targeting 4.6.1. If the certificate is wrong, you'll get an error with any client, including browsers. - Panagiotis Kanavos
No repro with a console application targeting 4.6.1 on Windows 10, calling a web page that only accepts TLS1.2 with HttpClient. In fact, if I force TLS1.1 I get The request was aborted: Could not create SSL/TLS secure channel.. - Panagiotis Kanavos

11 Answers

51
votes

I had a similar problem and this is what worked for me.

  1. open Powershell and check for supported protocols by using [Net.ServicePointManager]::SecurityProtocol

  2. Run the following 2 cmdlets to set .NET Framework strong cryptography registry keys:

    set strong cryptography on 64 bit .Net Framework (version 4 and above)

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

    set strong cryptography on 32 bit .Net Framework (version 4 and above)

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

  3. Restart Powershell and check again for supported protocol by using [Net.ServicePointManager]::SecurityProtocol

It should now display Tls12 as well.

Hope this helps

25
votes

As others have mentioned there are a number of Windows Registry keys that must be set to enable TLS 1.2 in existing .NET applications without explicitly setting the protocol version in application code.

In order to make .NET 4.x code select the strongest available protocol by default (i.e. when a protocol is not explicitly specified in code), the following registry keys are needed:

On 32-bit and 64-bit versions of Windows: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0X00000001

On 64-bit versions of Windows: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0X00000001

The WOW6432Node value is needed to enable TLS 1.2 in 32-bit applications when run on 64-bit systems.

But here's the quick and easy solution: https://github.com/TheLevelUp/pos-tls-patcher

Update:

If you're targetting .NET 4.6 or 4.7 you'll be interested in Transport Layer Security (TLS) best practices with the .NET Framework.

Note that TLS Patcher linked above very much follows the Microsoft recommendation for existing .NET 4.0 and 4.5 apps that cannot target .NET 4.6 or higher.

21
votes

The reason why the security protocol did not default to TLS 1.2 is because there is no default value for this in .NET Framework 4.6.1. Sorry if this is reiterating what's already been said but I wanted to elaborate and I don't have enough reputation to comment.

There is no default value in 4.6.2 either, however like one of the commenters mentioned above, a console application does seem to default to TLS 1.2. I tried the exact same code in a website project targeting 4.6.2 and it did NOT default to TLS 1.2.

4.7 and above does have a default value of SecurityProtocolType.SystemDefault.

"This allows .NET Framework networking APIs based on SslStream (such as FTP, HTTP, and SMTP) to inherit the default security protocols from the operating system or from any custom configurations performed by a system administrator"

https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=netframework-4.7#System_Net_ServicePointManager_SecurityProtocol

7
votes

We experienced a similar problem while hosting our .NET 4.6.2 application in IIS.

We could solve the problem by adding the httpRuntime element to the web.config. Without it our service did not default to TLS 1.2. 

<httpRuntime targetFramework="4.6.2" />

For more info see https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection?view=netframework-4.7.2

6
votes

MSDN: ServicePointManager.SecurityProtocol Property

This property selects the version of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to use for new connections that use the Secure Hypertext Transfer Protocol (HTTPS) scheme only; existing connections are not changed. Note that no default value is listed for this property, on purpose.

The security landscape changes constantly, and default protocols and protection levels are changed over time in order to avoid known weaknesses. Defaults will vary depending on individual machine configuration, and on which software is installed, and on which patches have been applied.

Taken from here

5
votes

I faced the problem too. When local application tried to connect to a server that supports TLS 1.1 and TLS 1.2 it used to get "An existing connection was forcibly closed by the remote host" exception or when TLS 1.1/1.2 were not enabled properly it used to get "Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"

Below there are all registry keys and values that are needed for x64 windows OS. If you have 32bit OS (x86) just remove the last 2 lines. TLS 1.0 will be disabled by the registry script. Restarting OS is required. 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\server]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ssl 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ssl 3.0\client]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ssl 3.0\server]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.0\client]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.0\server]
"disabledbydefault"=dword:00000001
"enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.1\client]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.1\server]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2\client]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\tls 1.2\server]
"disabledbydefault"=dword:00000000
"enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
5
votes

Based on the following link

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

I've added 

AppContext.SetSwitch("Switch.System.Net.DontEnableSystemDefaultTlsVersions", false);

to my code, and this fixed the issue for me. This is meant to default to the highest level the OS supports, which is the same behaviour you get by default from 4.7 and above.

1
votes

I did the following steps to use the latest security protocol TLS v.1.2:

Disable the old protocols SSL2.0, SSL3.0, TLS1.0, TLS1.1, enable TLS1.2 and enable strong cryptography for .NET Framework in the registry.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
0
votes

I used this in my code on the initial page. The app is web forms in VB.NET with .NET Framework 4.6.1

System.Net.ServicePointManager.SecurityProtocol =  System.Net.SecurityProtocolType.Tls12
0
votes

I tried the following code in my api which is not working for Kaltura account integration(bec'z Kaltura API upgraded to TLS 1.2) and it start working. .Net framework is 4.5.2 and server :windows server 2008 r2 where application hosted.

#region To handle TLS (Transport Layer Security) Version and support
            var assembly = Assembly.GetExecutingAssembly();
            var attributes = assembly.GetCustomAttributes(typeof(TargetFrameworkAttribute), false);
            var version = (TargetFrameworkAttribute)attributes[0];

            SecurityProtocolType flag;
            if (Enum.TryParse("Tls11", out flag))
                ServicePointManager.SecurityProtocol |= flag;
            if (Enum.TryParse("Tls12", out flag))
                ServicePointManager.SecurityProtocol |= flag;
#endregion

Thanks.