How to get metadata using Svcutil.exe with an endpoint that has Tls 1.2
Does anyone know how to make SvcUtil.exe connect to an endpoint that is using TLS 1.2? I am using .NET Framework version 4.6.1.

When I connect using VS 2017 I can see in Fiddler that the request is established over a tunnel using a ClientHello handshake with Version: 3.3 (TLS/1.2). However, when I use svcutil.exe directly, it tries to establish the tunnel using a ClientHello handshake with Version: 3.1 (TLS/1.0) and subsequently fails.

I was hoping I might be able to set something in the SvcUtil.exe.config like the following:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <generatePublisherEvidence enabled="false" />
  </runtime>
  <system.net>
    <settings>
        <servicepointmanager securityprotocol="tls12">
        </servicepointmanager>
    </settings>
  </system.net>
</configuration>

That would mirror the equivalent SecurityProtocol property on the ServicePointManager class. However, that just produces the following error:

 Unrecognized element 'servicepointmanager'.

I am using the SvcUtil as follows:

SvcUtil https://myserver/myservice/mex
Seymour answered 12/10, 2017 at 10:36 Comment(0)
The solution is to follow the link below and add the HKEY it provides, which allows svcutil to talk to TLS 1.2-only services:
https://blogs.msdn.microsoft.com/dsnotes/2015/09/23/wcf-ssltls-failure-during-add-service-reference-system-net-security-sslstate-processauthentication/

In short, the solution is as follows:

  • Add the following registry setting as a DWORD with value 1 and restart the box: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

  • If the application is 32-bit running on x64 Windows, we need to modify the same key under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto

I tried it after adding the key and restarting the machine, and it works.

Shitty answered 16/2, 2019 at 10:28 Comment(3)
I've marked this answer as the correct answer now as it more succinctly solves the problem. – Seymour
I tried this recently, and couldn't get SvcUtil to work even with the registry keys. I ended up using the @Blah approach. – Rupp
I was getting this error while using Svcutil: "This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server." This solution is working for me. – Gosplan
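The two registry locations in the answer above are easy to get half right (only one view set, or a stray character in the path), so here is an added PowerShell script, not part of the answer or the linked blog post, that reads the current SchUseStrongCrypto value under both views, sets it to DWORD 1 where the key exists, and prints the before/after state. The only paths it touches are the two named in the answer; it must run from an elevated Windows PowerShell prompt because the values live under HKLM, and the reboot the answer calls for is still needed afterwards.

```powershell
# Added example: audit and enable SchUseStrongCrypto for .NET Framework 4.x.
# The two paths are the ones given in the answer (64-bit view and the
# Wow6432Node view used by 32-bit processes on x64 Windows).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$name = 'SchUseStrongCrypto'

function Get-StrongCryptoState {
    # Returns one row per key: Value is $null when the setting is absent
    foreach ($key in $keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Key = $key; Value = $current }
    }
}

function Enable-StrongCrypto {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) {
            # Wow6432Node only exists on 64-bit Windows; nothing to set otherwise
            Write-Warning "Key not present, skipping: $key"
            continue
        }
        # -Force overwrites an existing value; DWord matches the type the answer specifies
        New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Write-Host 'Before:'
Get-StrongCryptoState | Format-Table -AutoSize
Enable-StrongCrypto
Write-Host 'After (reboot for the change to take effect):'
Get-StrongCryptoState | Format-Table -AutoSize
```

Running Get-StrongCryptoState on its own is a quick way to check a build machine before deciding whether this answer or the in-process workaround is the right fix; a Value of 1 under both keys with svcutil still failing points at something other than the client protocol selection.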
I tried to use the recommended way from the documentation as well, but I could not get it to work, so I assumed that it uses some custom configuration sections. Instead I am currently using the following console application to load svcutil.exe and set the required property manually:

using System.Net;
using System.Reflection;

namespace SvcUtil2
{
    class Program
    {
        static void Main(string[] args)
        {
            // Force TLS 1.2 for every HTTPS connection opened by this process;
            // SvcUtil inherits it because it is run in-process below.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            // Your SvcUtil path here
            var svcUtilPath = @"C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.1 Tools\SvcUtil.exe";
            // Load SvcUtil.exe as a managed assembly and run its Main with our arguments
            var svcUtilAssembly = Assembly.LoadFile(svcUtilPath);
            svcUtilAssembly.EntryPoint.Invoke(null, new object[] { args });
        }
    }
}

I know that it might not answer your actual question but I hope it is still useful.

Blah answered 10/8, 2018 at 23:34 Comment(4)
Kudos on the workaround. I am pretty sure the current SvcUtil process can't be configured any other way to use TLS 1.2 (since no one has suggested it), so I'll accept this as the answer. Hopefully Microsoft at some point might update SvcUtil to include it as a configurable setting. – Seymour
Genius, can't believe this works. You can also use Console.SetOut etc. to hook the stdout and stderr to check for errors etc. – Rupp
I have tried your code but in the "Assembly.LoadFile" code I get the error "System.IO.FileLoadException: 'Could not load file or assembly 'svcutil, Version=4.0.0.0, Culture=neutral, ". Any help? – Outman
@XimoDante The classic SvcUtil is a .NET Framework application; you cannot load it from a .NET Core or .NET 5 console app. Make sure you created a classic .NET Framework console app. – Blah
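The same in-process trick works from Windows PowerShell 5.1 without building a console project, because that PowerShell host itself runs on .NET Framework (the same reason the answer's comment above rules out .NET Core). The script below is an added example, not the answer's own code: it pins the process to TLS 1.2, loads SvcUtil.exe as a managed assembly and calls its entry point. The SvcUtil path is the one quoted in the answer and the MEX URL is the one from the question; both are assumptions to adapt to your machine.

```powershell
# Added example: run SvcUtil in-process from Windows PowerShell 5.1 with TLS 1.2
# pinned. PowerShell 7 runs on .NET (Core) and cannot load the classic SvcUtil.
$svcUtilPath = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.7.1 Tools\SvcUtil.exe'  # assumed path
$svcUtilArgs = [string[]]@('https://myserver/myservice/mex')                                               # assumed endpoint

if ($PSVersionTable.PSEdition -ne 'Desktop') {
    throw 'Run this from Windows PowerShell 5.1 (Desktop edition); SvcUtil is a .NET Framework assembly.'
}

# Set the protocol before any HTTPS request is made in this process;
# SvcUtil's metadata download inherits it because it runs in-process.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

# Load SvcUtil.exe as an assembly and invoke Main(string[] args).
# @(,$svcUtilArgs) wraps the string[] in a one-element object[] for Invoke.
$svcUtil = [System.Reflection.Assembly]::LoadFile($svcUtilPath)
$result  = $svcUtil.EntryPoint.Invoke($null, @(,$svcUtilArgs))

# Main returns an int exit code when it is declared that way; $null otherwise
if ($null -ne $result) { Write-Host "SvcUtil returned exit code $result" }
```

Because nothing is written to the registry, this leaves the machine-wide default alone: only this PowerShell session and the SvcUtil code it hosts are restricted to TLS 1.2, which is the scope you want on a shared build box where changing SchUseStrongCrypto would affect every other .NET application.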