1
votes

A customer of mine turned off TLS 1.0 at the OS-level. After that the connection to our product didn't work anymore. The customer does not have the latest version which uses .NET 4.6.1.

As we don't specify the protocol used, we are relying on the default value. According to https://support.microsoft.com/en-us/help/3069494/cannot-connect-to-a-server-by-using-the-servicepointmanager-or-sslstre .NET 4.6 enables TLS 1.2 by default, which would be perfect and what we want.

I wanted to play around with some configurations, for a better understanding. I specified to only allow TLS 1.0 at the code-level with:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

To test the handshake I used openssl. It works perfectly with TLS 1.0, as it should. But to my astonishment the handshake also works with TLS 1.2.

$ openssl s_client -connect localhost:30050 -tls1_2
<..snip..>
SSL-Session:
    Protocol  : TLSv1.2
    <..snip..>

Are there some .NET or TLS rules I am overseeing? To my understanding TLS 1.2 should not be possible, when specifying TLS 1.0 as the only protocol.

1
How/Where are you using that code? What's your server? – Camilo Terevinto
If an upgrade is possible during negotiation it seems wise to allow one, the docs for that property state "Your code should never implicitly depend on using a particular protection level, or on the assumption that a given security level is used by default" – Alex K.
@CamiloTerevinto I am hosting a WCF service in a console. – Borgiman
Does setting SecurityProtocol impact inbound or outbound http connections? – mjwills
@mjwills I think you nailed it. According to a comment in stackoverflow.com/questions/26389899/…: "You only need to set System.Net.ServicePointManager.SecurityProtocol if you are initiating outbound connections from .NET code, e.g. connecting to a web service or API from custom code running on your server. If you are only running a simple web site, and you are only accepting incoming connections from browsers, then the registry fix is enough." – Borgiman

1 Answer

2
votes

mjwills asked in the comments if the SecurityProtocol property impacts inbound or outbound connections.

After some research I found the post How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) which had a comment that would answer the question:

You only need to set System.Net.ServicePointManager.SecurityProtocol if you are initiating outbound connections from .NET code, e.g. connecting to a web service or API from custom code running on your server. If you are only running a simple web site, and you are only accepting incoming connections from browsers, then the registry fix is enough.
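The "registry fix" that comment refers to lives in the SChannel protocol keys, which decide what a hosted WCF/HTTP.sys endpoint accepts on the inbound side regardless of what ServicePointManager.SecurityProtocol says. As an added example (not from the question or the answer above), this PowerShell audit reads those keys for both sides plus the .NET Framework opt-in values; it assumes it is run on the Windows server in question with rights to read HKLM.

```powershell
# Added example: audit the SChannel keys that govern inbound (Server) and
# outbound (Client) TLS on this host, plus the .NET Framework TLS keys.
# Assumption: run on the server itself; reading HKLM needs no elevation,
# changing these values does, and a reboot is needed for them to apply.

$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([ValidateSet('Server', 'Client')][string]$Side = 'Server')
    foreach ($p in $protocols) {
        $key = Join-Path $schannel "$p\$Side"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        # Missing key or values means the OS default for that protocol applies.
        if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'OS default' }
        elseif ($enabled -eq 0)                                   { $state = 'disabled' }
        elseif ($disabledByDefault -eq 1)                         { $state = 'enabled, not offered by default' }
        else                                                      { $state = 'enabled' }
        [pscustomobject]@{ Protocol = $p; Side = $Side; Enabled = $enabled
                           DisabledByDefault = $disabledByDefault; State = $state }
    }
}

# With SystemDefaultTlsVersions=1 an unconfigured .NET client follows the
# SChannel Client list above; SchUseStrongCrypto=1 is the older opt-in.
function Get-DotNetTlsKeys {
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $k) {
            $v = Get-ItemProperty -Path $k
            [pscustomobject]@{ Key = $k
                               SystemDefaultTlsVersions = $v.SystemDefaultTlsVersions
                               SchUseStrongCrypto       = $v.SchUseStrongCrypto }
        }
    }
}

Get-SchannelProtocolState -Side Server | Format-Table -AutoSize
Get-SchannelProtocolState -Side Client | Format-Table -AutoSize
Get-DotNetTlsKeys | Format-Table -AutoSize
```

The Server table is what the customer's "OS-level" change affected and what `openssl s_client -tls1_2` was actually negotiating against; the Client table and the .NET keys are what matter when the product itself opens outbound connections.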