Thread safety using ServicePointManager.SecurityProtocol -- I need experts' advice

  • Question

  • I'm writing a system in which separate threads connect to different servers over HTTPS.

    One of the remote servers I need to connect to is really dumb (Oracle App Server-10g) and requires me to downgrade the Security-Protocol to SSL3 instead of TLS.

    The only strategy I know to make it work is to set the value SecurityProtocolType.Ssl3 in the property SecurityProtocol of the ServicePointManager class (more info here). But I also have to deal in parallel with other, smarter servers which require the TLS security protocol.

    - since ServicePointManager is a static class,
    - and since I have several threads consuming services from different HTTPS servers at the same time (some with Ssl3, some with Tls),
    => is there any potential threading problem in switching back and forth between static SecurityProtocol.ServicePointManager from Ssl3 to Tls?
    => does setting a value in SecurityProtocol.ServicePointManager in one thread impact the other threads?

    Corollary question:
    => does setting a value in SecurityProtocol.ServicePointManager in one application impact the other applications?
    Friday, October 23, 2009 12:56 AM

All replies

  • The SecurityProtocolType enumeration
    http://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype.aspx is a Flags attribute, so you can set it to use both. In the SSL handshake, the client will advertise that it supports both protocols, and it will choose the strongest from those advertised by the server.
    My blog
    Instruction on how to create a tracelog with your System.Net application
    Friday, October 23, 2009 9:05 PM
  • Hi Feroze Daud,

    If I understand your point, you are suggesting making the ServicePointManager's SecurityProtocol more "polyvalent", by handshaking with all encryptions provided with both SSL3 and TLS. This way I would, hopefully, not need to bother about different threads using different SecurityProtocols. This is, somehow, a workaround.

    I did try it (and just re-tried it), but my remote "Oracle App Server-10g" is very picky and would handshake my connection only if I provide Ssl3 alone. When I use Tls or Tls + Ssl3 (I mean a binary "or") in the SecurityProtocol, my connection gets rejected!

    My questions are still pending, and I'm still unsure about how threads are managed regarding the "global" settings of the ServicePointManager.

    Thanks anyway!
    Tuesday, October 27, 2009 5:27 AM
  • Did you find the answer for this question?
    Thursday, March 24, 2011 7:43 PM
  • Yes, you should put a lock so that you set the protocol, make a request, set it back.

    You only need to do this once for each Host you are making a connection to.  You need to do this before you make the request because once it is set, your service point object for that host will retain that setting for subsequent requests.

    If you know the URLs you are going after ahead of time you could do this at startup.

    Set ServicePointMgrProtocoltype.

    Make dummy HttpWebRequest to the http://firstsite

    Set ServicePointMgrProtocoltype.

    Make dummy HttpWebRequest to the http://secondsite

    This will only affect your application.  The class is static but exists in your application code only.

    Jeff Sanders (MSFT)
    Thursday, March 24, 2011 8:02 PM
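
The lock, set, request, restore pattern from the last reply, as an added C# example that is not part of the original thread. `ProtocolScope`, `Run` and `Demo` are hypothetical names; the real request is replaced by a stand-in that reads the setting back so the block runs offline, and it assumes .NET Framework, where the setter still accepts `Ssl3`.

```csharp
using System;
using System.Net;
using System.Threading;

static class ProtocolScope
{
    // One process-wide lock: ServicePointManager.SecurityProtocol is static,
    // so every thread that changes it has to go through this gate.
    private static readonly object Gate = new object();

    // Sets the protocol, runs the caller's request, then restores the
    // previous value even if the request throws.
    public static T Run<T>(SecurityProtocolType protocol, Func<T> request)
    {
        lock (Gate)
        {
            SecurityProtocolType previous = ServicePointManager.SecurityProtocol;
            ServicePointManager.SecurityProtocol = protocol;
            try { return request(); }
            finally { ServicePointManager.SecurityProtocol = previous; }
        }
    }
}

static class Demo
{
    static void Main()
    {
        int mismatches = 0;
        SecurityProtocolType[] wanted = { SecurityProtocolType.Ssl3, SecurityProtocolType.Tls };
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.Length; i++)
        {
            SecurityProtocolType mine = wanted[i % 2];
            workers[i] = new Thread(() =>
            {
                for (int n = 0; n < 1000; n++)
                {
                    // Stand-in for the real call, e.g.
                    // ((HttpWebRequest)WebRequest.Create(url)).GetResponse()
                    SecurityProtocolType seen =
                        ProtocolScope.Run(mine, () => ServicePointManager.SecurityProtocol);
                    if (seen != mine) Interlocked.Increment(ref mismatches);
                }
            });
            workers[i].Start();
        }
        foreach (Thread t in workers) t.Join();
        Console.WriteLine("mismatches: " + mismatches);
    }
}
```

Any code path that sets `ServicePointManager.SecurityProtocol` without taking the same lock defeats the serialisation.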