Posted By: Anonymous
What is the default security protocol for communicating with servers that support up to
TLS 1.2? Will
.NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Is there a way to change this default, besides a code change?
.NET 4.0 only support up to
TLS 1.0? i.e. I have to upgrade client projects to 4.5 to support
My motivation is to remove support for
SSLv3 on the client side even if server supports it (I already have a powershell script to disable this in the machine registry) and to support the highest TLS protocol that the server supports.
Looking at the
ServicePointManager class in
.NET 4.0 I see no enumerated values for
TLS 1.0 and
1.1. In both
.NET 4.0/4.5, the default is
SecurityProtocolType.Tls|SecurityProtocolType.Ssl3. Hopefully this default won’t break by disabling
SSLv3 in the registry.
However, I’ve decided I have to upgrade all apps to
.NET 4.5 and to explicitly add
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; anyway to all bootstrapping code of all applications.
This will make outbound requests to various apis and services to not downgrade to
SSLv3 and should select the highest level of
Does this approach sound reasonable or overkill? I have many applications to update, and I want to future proof them since I hear even
TLS 1.0 may be deprecated in the near future by some providers.
As a client making outbound requests to APIs, does disabling SSL3 in the registry even have an effect in the .NET framework? I see by default, TLS 1.1 and 1.2 are not enabled, do we have to enable it via the registry? RE http://support.microsoft.com/kb/245030.
After a bit of investigation, I believe the registry settings will have no affect since they apply to IIS (server subkey) and browsers (client subkey).
Sorry this post turned into multiple questions, followed up with “maybe” answers.
Some of the those leaving comments have noted that setting
System.Net.ServicePointManager.SecurityProtocol to specific values means that your app won’t be able to take advantage of future TLS versions that may become the default values in future updates to .NET. Instead of specifying a fixed list of protocols, you can instead turn on or off protocols you know and care about, leaving any others as they are.
To turn on TLS 1.1 and 1.2 without affecting other protocols:
System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Notice the use of
|= to turn on these flags without turning others off.
To turn off SSL3 without affecting other protocols:
System.Net.ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;