TLS 1.2 restricted by code?

  • Question

  • Hello,

    I support a number of servers that host .net applications. I do not know how these applications work under the hood so to speak.

    All of the Server OSes (2008 R2 & 2012 R2) have dotnet 4.6 or 4.7 installed. As far as I am aware, TLS 1.2 is supported out of the box without any reg key needing to be added. I have had to add the reg key needed for some test boxes running 4.5.2.

    Our website is making a connection to another .net server (running 4.7) but is failing on the connection. This is going through netscaler (for load balancing), so we can confirm that only TLS 1.2 can be used, but both devices are running 4.6 & up. As soon as we turn TLS 1.0 back on, the application starts working again.

    So finally my question.

    Is it possible to configure a .net application to only allow it to use a specific TLS version? I have been told that the site is compiled using the 4.5.2 version of .net & would be a nightmare to redo in 4.6 & up.

    Is there a way that I can test the version of .net from a server rather than the application, to check it is able to use TLS 1.2?

    Sorry for the long rambling question, but running TLS1.0 is a big issue for me.

    Thanks,

    Matt

    Monday, June 10, 2019 8:54 PM

All replies

  • put

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    before your networking code. Then your code would only work with TLS 1.2.

    The default value for ServicePointManager.SecurityProtocol in .Net 4.5 is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3.

    Visual C++ MVP

    Tuesday, June 11, 2019 2:06 AM
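As an added example (not code from this thread), a small C# console tool for .NET Framework 4.5 and later that applies the ServicePointManager setting above and then performs a TLS 1.2-only handshake with SslStream, so it can be run on the server to confirm that the installed runtime and SCHANNEL configuration can negotiate TLS 1.2 to the target. The host and port are command-line arguments; the default host is a placeholder.

```csharp
// Added example, not from the thread. Build against .NET Framework 4.5+
// (where SecurityProtocolType.Tls12 exists) and run it on the server that
// fails, passing the target host and port:  TlsProbe.exe <host> [port]
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

class TlsProbe
{
    // Restricts every HttpWebRequest/WebClient in this process to TLS 1.2.
    // It must run before the first request is created, hence first in Main.
    static void PinToTls12()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }

    // Raw TLS 1.2-only handshake against host:port. Returns the protocol the
    // peer agreed to; throws AuthenticationException when either side (the
    // remote server, or the local SCHANNEL/.NET setup) cannot do TLS 1.2.
    static SslProtocols ProbeTls12(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, false);
            return ssl.SslProtocol; // SslProtocols.Tls12 on success
        }
    }

    static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.invalid"; // placeholder
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        PinToTls12();
        try
        {
            Console.WriteLine("Negotiated: " + ProbeTls12(host, port));
            // The same restriction now applies to ordinary HTTPS requests:
            var req = (HttpWebRequest)WebRequest.Create("https://" + host + ":" + port + "/");
            using (var resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("HTTP " + (int)resp.StatusCode + " over " + ServicePointManager.SecurityProtocol);
            return 0;
        }
        catch (Exception ex)
        {
            Console.WriteLine("TLS 1.2 connection failed: " + ex.Message);
            return 1;
        }
    }
}
```

A failure here with TLS 1.0 disabled on the NetScaler, while the same host works once TLS 1.0 is re-enabled, points at the client-side configuration rather than the application code.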
  • Hi MattRidd,

    Thank you for posting here.

    For Windows Server 2008 and 2012 R2, if you want to use TLS 1.2, you need to download and install KB4019276.

    Please note: For TLS 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

    By default, this entry does not exist in the registry.

    Registry path:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

    For more details, please refer to the download link of the KB.

    Best Regards,

    Wendy


    MSDN Community Support

    Tuesday, June 11, 2019 2:10 AM
    Moderator