Default SecurityProtocol in .NET 4.5

Front-end · Unresolved · 17 answers · 1384 views
一生所求 2020-11-22 03:24

What is the default security protocol for communicating with servers that support up to TLS 1.2? Will .NET, by default, choose the highest security

17 answers
  • 2020-11-22 04:18

    I got this problem when my customer upgraded TLS from 1.0 to 1.2. My application uses .NET Framework 3.5 and runs on a server. So I fixed it this way:

    1. Fix the program

    Before calling HttpWebRequest.GetResponse(), add this statement:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolTypeExtensions.Tls11 | SecurityProtocolTypeExtensions.Tls12;
    

    Extend two DLLs by adding two new classes, in System.Net and System.Security.Authentication:

        namespace System.Net
        {
            using System.Security.Authentication;

            // Supplies the Tls11/Tls12 members that the .NET 3.5 SecurityProtocolType enum lacks.
            // The numeric values are the same ones the .NET 4.5 enum defines, so Schannel accepts them
            // once the hotfix below is installed.
            public static class SecurityProtocolTypeExtensions
            {
                public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
                public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
                public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
            }
        } 
    
        namespace System.Security.Authentication
        {
            // Same idea for SslProtocols: 0x300 = TLS 1.1, 0xC00 = TLS 1.2.
            public static class SslProtocolsExtensions
            {
                public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
                public const SslProtocols Tls11 = (SslProtocols)0x00000300;
            }
        } 
    
    2. Install the Microsoft patch

    Download the patch:

    • For Windows 2008 R2: windows6.1-kb3154518-x64.msu
    • For Windows 2012 R2: windows8.1-kb3154520-x64.msu

    For the patch download and more details, see here:

    https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-.net-framework-3.5.1-on-windows-7-sp1-and-server-2008-r2-sp1

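The process-wide override in the answer above, redone as an added PowerShell example (this is not the answerer's code). Windows PowerShell 5.1 is itself hosted by the .NET Framework and inherits the same ServicePointManager default, so it is a convenient place to see what the enum cast in that answer does: 0x300 and 0xC00 are the numeric values of SecurityProtocolType.Tls11 and Tls12, which is why casting them works on a runtime whose enum lacks the named members. Unlike the answer, this example ORs TLS 1.2 into whatever is already set instead of overwriting it, and it deliberately removes SSL 3.0 rather than enabling it. The function names are this example's own.

```powershell
# Added example: inspect and raise the process-wide protocol floor for the
# .NET Framework runtime hosting this PowerShell session.
# Numeric literals are used instead of enum member names so the script also
# runs on a runtime whose SecurityProtocolType enum predates TLS 1.1/1.2.
$Ssl3  = 0x30
$Tls10 = 0xC0
$Tls11 = 0x300
$Tls12 = 0xC00

function Get-ProtocolReport {
    # Decode the current ServicePointManager.SecurityProtocol value bit by bit.
    $current = [int][Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{
        RawValue      = ('0x{0:X}' -f $current)
        SystemDefault = ($current -eq 0)            # 0 = defer to the OS (.NET 4.7+ semantics)
        Ssl3Enabled   = (($current -band $Ssl3)  -ne 0)
        Tls10Enabled  = (($current -band $Tls10) -ne 0)
        Tls11Enabled  = (($current -band $Tls11) -ne 0)
        Tls12Enabled  = (($current -band $Tls12) -ne 0)
    }
}

function Enable-Tls12InProcess {
    # OR TLS 1.2 into the existing value instead of replacing it, so other code
    # in the same process that already enabled TLS 1.1 is not silently downgraded.
    # Leave a value of 0 (SystemDefault) alone: the OS then chooses, which is
    # exactly what the .NET 4.7+ guidance in the other answers wants.
    $current = [int][Net.ServicePointManager]::SecurityProtocol
    if ($current -eq 0) { return }
    $desired = ($current -bor $Tls12) -band (-bnot $Ssl3)   # add TLS 1.2, drop SSL 3.0
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]$desired
}

'Before:'; Get-ProtocolReport
Enable-Tls12InProcess
'After:';  Get-ProtocolReport
```

On a machine whose runtime has no TLS 1.2 support at all (.NET 3.5 without the hotfix from the answer above), the property setter rejects the unknown bits with a NotSupportedException; that exception is the signal that the patch in step 2 is still missing, and no amount of casting in step 1 will get around it.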
  • 2020-11-22 04:18

    Microsoft recently published best practices around this. https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

    Summary

    Target .Net Framework 4.7, remove any code setting the SecurityProtocol, thus the OS will ensure you use the most secure solution.

    NB: You will also need to ensure that the latest version of TLS is supported & enabled on your OS.

    OS                                          TLS 1.2 support
    
    Windows 10 / Windows Server 2016            Supported, and enabled by default.
    Windows 8.1 / Windows Server 2012 R2        Supported, and enabled by default.
    Windows 8.0 / Windows Server 2012           Supported, and enabled by default.
    Windows 7 SP1 / Windows Server 2008 R2 SP1  Supported, but not enabled by default*.
    Windows Server 2008                         Support for TLS 1.2 and TLS 1.1 requires an update. See Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2.
    Windows Vista                               Not supported.
    
    * To enable TLS 1.2 via the registry see https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12 (note the space in the "TLS 1.2" key name)
    
        Path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    
            Property: Enabled
            Type: REG_DWORD
            Value: 1
    
            Property: DisabledByDefault 
            Type: REG_DWORD
            Value: 0
    
        Path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    
            Property: Enabled
            Type: REG_DWORD
            Value: 1
    
            Property: DisabledByDefault 
            Type: REG_DWORD
            Value: 0
    

    For more information and older frameworks, please refer to the MS link.

  • 2020-11-22 04:20

    Create a text file with a .reg extension and the following contents:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    

    Or download it from the following source:

    https://tls1test.salesforce.com/s/NET40-Enable-TLS-1_2.reg

    Double-click to install...

  • 2020-11-22 04:24

    For completeness, here is a PowerShell script that sets the aforementioned registry keys:

    new-itemproperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -name "SchUseStrongCrypto" -Value 1 -PropertyType "DWord";
    new-itemproperty -path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -name "SchUseStrongCrypto" -Value 1 -PropertyType "DWord"
    
  • 2020-11-22 04:24

    According to Transport Layer Security (TLS) best practices with the .NET Framework: To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. Instead set the registry keys: SystemDefaultTlsVersions and SchUseStrongCrypto:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
    
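The registry settings spread over the last four answers (the Schannel TLS 1.2 Client/Server keys, and SchUseStrongCrypto plus SystemDefaultTlsVersions for the v2.0 and v4.0 runtimes in both hives) pulled together into one added PowerShell script that audits the machine and, with -Apply, fixes only what drifts. This is an added example, not code from any of the answers; the function name and parameter are this example's own. It uses Set-ItemProperty so re-running it is idempotent (New-ItemProperty errors when the value already exists), creates missing keys with New-Item -Force, and writes the Wow6432Node hive only on a 64-bit OS, where that hive exists.

```powershell
# Added example (not from any answer above): audit, and optionally apply, the
# registry values that make .NET Framework apps follow the OS TLS defaults and
# that enable TLS 1.2 in Schannel. Run from an elevated prompt.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # without -Apply the script only reports drift
)

# .NET Framework keys: v2.0 (used by 3.5) and v4.0 runtimes, both hives on x64.
$dotnetRoots = @('HKLM:\SOFTWARE\Microsoft\.NETFramework')
if ([Environment]::Is64BitOperatingSystem) {
    $dotnetRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
}
$runtimes = @('v2.0.50727', 'v4.0.30319')

# Desired state: registry path -> @{ ValueName = DWORD }
$desired = @{}
foreach ($root in $dotnetRoots) {
    foreach ($rt in $runtimes) {
        $desired["$root\$rt"] = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }
    }
}
# Schannel: the key name really is "TLS 1.2" with a space.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($side in 'Client', 'Server') {
    $desired["$schannel\$side"] = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Get-TlsRegistryDrift {
    # Returns one row per value that is missing or differs from the desired state.
    foreach ($path in $desired.Keys) {
        foreach ($name in $desired[$path].Keys) {
            $want = $desired[$path][$name]
            $have = $null
            if (Test-Path $path) {
                $have = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            if ($have -ne $want) {
                [pscustomobject]@{ Path = $path; Name = $name; Have = $have; Want = $want }
            }
        }
    }
}

$drift = @(Get-TlsRegistryDrift)
if ($drift.Count -eq 0) {
    Write-Host 'All TLS registry values are already at the desired state.'
    return
}
$drift | Format-Table -AutoSize

if ($Apply) {
    foreach ($row in $drift) {
        if ($PSCmdlet.ShouldProcess("$($row.Path)\$($row.Name)", "set DWORD = $($row.Want)")) {
            if (-not (Test-Path $row.Path)) { New-Item -Path $row.Path -Force | Out-Null }
            Set-ItemProperty -Path $row.Path -Name $row.Name -Value $row.Want -Type DWord
        }
    }
    Write-Host 'Applied. Schannel changes need a reboot; .NET reads its keys when a process starts.'
}
```

Run it once without -Apply to see the drift table, then with -Apply (or -Apply -WhatIf to preview). The values only change behaviour when the runtime that reads them understands them: SystemDefaultTlsVersions is honoured by .NET 4.6 and later, SchUseStrongCrypto by 4.5 and later, and 3.5 needs the hotfix from the first answer before it honours either.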