.NET 4.5 Client fails to connect to Web API Service with SSL 3.0 and RC4 disabled

  • Question

  • Best practices (FISMA, SSA-16, PCI 3.0) are now recommending that SSL V3.0 be disabled. They're also recommending that RC4 and all but GRC ciphers be disabled because they're all vulnerable to attack. (They're also trying to force TLS 1.2 only, although they're supporting TLS 1.0 and TLS 1.1 fallback.)

    However, if you set up a Windows Server (and IIS) to disable SSL V3.0 (but leave TLS 1.0, 1.1, and 1.2 enabled) and all but GRC ciphers, all .NET clients using HttpClient to connect fail, saying no compatible protocol supported.

    I have set it to use TLS, but it's still a no go, and I can't figure out how to tell it to use a GRC cipher.

    The only way I could get this to work was to leave the RC4 cipher enabled; then it worked, but RC4 is "at risk" and recommended to be disabled.

    Anyone have a workaround for how to turn on TLS 1.2 and GRC in a .NET 4.5 client so that it will connect to a server configured to best practices (and being pushed hard by PCI)?

    (And Microsoft, you need to release a patch for .NET so that this is the default behavior!)

    Friday, January 23, 2015 2:21 PM
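
An added example, not part of the original post or of any reply: a C# diagnostic for .NET 4.5 that opts the process into TLS 1.0 through 1.2 with `ServicePointManager.SecurityProtocol` (the setting HttpClient's default handler honors on .NET Framework) and then opens an `SslStream` to print the protocol and cipher actually negotiated with the server. The class name `TlsProbe` and the host `api.example.test` are placeholders; the cipher suite itself is chosen by Windows Schannel, not by .NET code.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

class TlsProbe
{
    static void Main(string[] args)
    {
        // Placeholder host; pass the real server name (and optionally port) as arguments.
        string host = args.Length > 0 ? args[0] : "api.example.test";
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        // .NET 4.5 defaults to Ssl3 | Tls (TLS 1.0 only). Opt in to TLS 1.1/1.2 for
        // HttpWebRequest-based clients, HttpClient included, in this process.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

        const SslProtocols offered = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;

        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // Default certificate validation stays on; revocation checking enabled.
                ssl.AuthenticateAsClient(host, null, offered, true);

                Console.WriteLine("Protocol:     {0}", ssl.SslProtocol);
                Console.WriteLine("Cipher:       {0} ({1} bits)", ssl.CipherAlgorithm, ssl.CipherStrength);
                Console.WriteLine("Hash:         {0}", ssl.HashAlgorithm);
                Console.WriteLine("Key exchange: {0}", ssl.KeyExchangeAlgorithm);
            }
        }
        catch (AuthenticationException ex)
        {
            Console.Error.WriteLine("Handshake or certificate validation failed: " + ex.Message);
            Environment.Exit(1);
        }
        catch (System.IO.IOException ex)
        {
            // The peer closed or reset the connection before the handshake completed.
            Console.Error.WriteLine("Connection closed during handshake: " + ex.Message);
            Environment.Exit(2);
        }
    }
}
```

Running it from the client machine against the hardened server shows whether the two sides share a protocol version and what Schannel settled on, which separates a protocol-version mismatch from a cipher-suite mismatch.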

All replies