Login/Register
TLS 1.2 in .NET Framework 4.0
Asked Answered
Solved asp.net.net-4.0windows-server-2008-r2tls1.2
J

8

95

I have a Windows server 2008 R2 server running a dozen .NET Framework 4.0 WebForms applications, and I need to disable TLS 1.0 and lower. When I do that, all secure connections fail and I was forced to re-enable TLS 1.0. Is there any way to use TLS 1.2 in a framework 4.0 environment? Perhaps I am missing something?

Also, due to limitations of the version CMS we are using, we cannot upgrade the Framework at this time.

Jackquelin answered 17/11, 2015 at 16:19 Comment(0)
A
48

The only way I have found to change this is directly on the code :

at the very beginning of your app you set 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

you should include the system.net class

I did this before calling a web service because we had to block tls1 too.

Adenoidal answered 17/11, 2015 at 22:37 Comment(13)
I wasn't able to get this tested in our environment, as we may have found a way to avoid the TLS 1.0 block requirement for now, but it is the most reasonable solution I have come across. Thanks!Jackquelin
This doesn't work for projects targeting .NET 4.0 because SecurityProtocolType has no member Tls12.Lugger
ServicePointManager.SecurityProtocol = (SecurityProtocolType) 3072; That will work in 4.0, although it might require your runtime to be fully patched/updated.Immerge
While this is a year old, the answer, in my eyes, is wrong! It should be updated with the answer provided by @ImmergeCatalepsy
The accepted answer is incorrect if you are using .NET 4.0Nicodemus
Do not hardcode the security protocol. See TLS Best Practices with .NETSulphathiazole
The question is about .NET 4.0 and this code will not compile in .NET 4.0.Mycosis
Downvote reason: answer is wrong and doesn't work (for the reason Martin stated)Controller
@Sulphathiazole What choice do you have if you can't upgrade to .NET 4.5 and have to use TLS 1.2? STW, I am surprised you can set an enum to an undeclared value...wouldn't have expected that to compile or run. ThanksCatechumen
If you don’t have .NET 4.5 you can try forcing TLS version 1.2 using the integer value for the enum. See comment by STW. This will compile but may result in a runtime error if TLS 1.2 is not available to the OS.Sulphathiazole
@xr280xr, keep in mind if you can install .NET 4.5 runtime on the target, you do not need to rebuild your app to target .NET 4.5 as long as you're targetting 4.0 and you set the appropriate registry settings. See here for more details: github.com/TheLevelUp/pos-tls-patcherSulphathiazole
I wouldn't go with hard coding.Katherinkatherina
Hard-coding can't be avoided if you can't upgrade your development environment to .NET 4.5 or later that includes the new SecurityProtocolType. This compiles and works under .NET 4.0, as long as .NET 4.5 or later is installed on the target machine. Best practice may be to upgrade, but this is a practical solution.Dinahdinan
B
111

If you are not able to add a property to system.net class library.

Then, add in Global.asax file:

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; //TLS 1.2
ServicePointManager.SecurityProtocol = (SecurityProtocolType)768; //TLS 1.1

And you can use it in a function, at the starting line:

ServicePointManager.SecurityProtocol = (SecurityProtocolType)768 | (SecurityProtocolType)3072;

And, it's being useful for STRIPE payment gateway, which only supports TLS 1.1, TLS 1.2.

EDIT: After so many questions on .NET 4.5 is installed on my server or not... here is the screenshot of Registry on my production server:

I have only .NET framework 4.0 installed.

registry

Bawdyhouse answered 27/9, 2016 at 12:55 Comment(17)
Would this code work for Web Service SOAP requests (ie having added a web reference).Controller
@NickG, This can be done for SOAP.Bawdyhouse
I think this requires .net 4.5 to be installed, so technically this isn't a fix for .net 4.0.Controller
I have .Net 4.0 on my server pre-implemented, this worked.Bawdyhouse
And you don't have 4.5 installed?Controller
It requires .NET 4.5 installed for compilation, but you don't have to target it in the project.Lugger
Future confirmation for anyone: this works on VB .NET 3.5. ServicePointManager.SecurityProtocol = DirectCast(3072, SecurityProtocolType) 'TLS 1.2Scare
@Lugger but you DO need .NET 4.5 installed on the target computer for this to work.Controller
Do you place it in Application_Start ?Weihs
Sorry @zed, not exactly inside Application_start but at the start of Global.asax.cs, we define it as Global variables. so one can use those variables in project.Bawdyhouse
There's a typo in the first occurrence of numeric value of TLS1.1. It reads 786, but should be 768. Using 786 leads to an exception. Tried to edit the respone, but don't have enough reputation yet to edit less than 6 charactersKoger
The first two lines in this post are kind of pointless. You are assigning one value to ServicePointManager.SecurityProtocol and then immediately overwriting it. And then you are overwriting that value later on. Better off using ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol | (SecurityProtocolType)768 | (SecurityProtocolType)3072 in your startup code.Mycosis
@Mycosis : I meant, you can add any ONE of the lines in Global.asax.cs file.Bawdyhouse
The screenshot attached doesn't prove that there is no 4.5+ framework installed. They are shown under v4/Full key with a "Release" keyword: learn.microsoft.com/en-us/dotnet/framework/migration-guide/…Sinasinai
I have to help clarify this, even casting like this does NOT work unless you have .net framework 4.5+ installed on your machine. Please don't waste your time!Hypotenuse
This worked for me in a .NET 4.0 project. There is no .Tls12 member, and using the .Tls member results in the server (SMTP) refusing the connection, but casting the value 3072 to force a pretend .Tls12 value worked and communication with the server was successful.Meeting
TLS 1.2 was not added to .NET 4 until .NET 4.5. So, as a result, you have to recompile your code with .NET 4.5 or it won't have the source code for TLS 1.2 and thus won't work with TLS 1.2 (leaving you with a security hole).Gelatinize
A
90

Make the following changes in your Registry and it should work:

1.) .NET Framework strong cryptography registry keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

2.) Secure Channel (Schannel) TLS 1.2 registry keys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
Adscititious answered 24/5, 2017 at 9:2 Comment(15)
This worked perfectly and did not require me to add the line of code the other posts are talking about.Krick
Fantastic, this managed to get .Net40 to talk to TLS 1.2 Payment gateways and Mail servers. Restart of the WWW Publishing service was sufficient to make it work.Untidy
I needed all of these keys/values, and also needed to restart the server, but after that TLS 1.2 was supported in a .Net 4.0 application without any code changes.Macmullin
I wish it didn't take me 5 hours to find this post. This solved my SSL handshake error (The request was aborted: Could not create SSL/TLS secure channel).Spotty
This failed utterly for my team.Rilke
In order for this to work, you'll also need .NET 4.6 or higher installed. More info here: github.com/TheLevelUp/pos-tls-patcherSulphathiazole
Adiyta, yep, it will work with .NET 4.0 apps that are targetted for .NET 4.0, but .NET 4.5 or higher will need to be installed to use TLS 1.2 with these registries settings. More info here: learn.microsoft.com/en-us/dotnet/framework/network-programming/…Sulphathiazole
thanks you!!! this solved my problem using github's markdown rendering services via MarkdownPad.Metaphysical
Worked for me windows server 2012 r2 .net 4.0, restart iis, no rebootYvetteyvon
correction - .net 4.6.1 is installed but the targeted framework is 4.0Yvetteyvon
Do you have to restart IIS or just recycle app pool?Salazar
Yes, this fixed DBMail (SQL Server Database Email) for us, or rather allowed it to work with (only) TLS 1.2. Astonishing that we still had to do this with SQL Server 2017 CU13 (latest release) on a fresh install of Windows Server 2016 standard (again, fully updated).Icao
Thank you! Had a .net Core project that this worked on. One day debugging started giving an SSL error in the browser and this finally fixed it.Duleba
Can anyone help with this.. do the reg changes have to happen on all clients that have installed my app or just on the computer creating the upload??Acorn
Worked fine on W7 x64 running a x32 application but not in W7 x32.Incongruity
A
48

The only way I have found to change this is directly on the code :

at the very beginning of your app you set 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

you should include the system.net class

I did this before calling a web service because we had to block tls1 too.

Adenoidal answered 17/11, 2015 at 22:37 Comment(13)
I wasn't able to get this tested in our environment, as we may have found a way to avoid the TLS 1.0 block requirement for now, but it is the most reasonable solution I have come across. Thanks!Jackquelin
This doesn't work for projects targeting .NET 4.0 because SecurityProtocolType has no member Tls12.Lugger
ServicePointManager.SecurityProtocol = (SecurityProtocolType) 3072; That will work in 4.0, although it might require your runtime to be fully patched/updated.Immerge
While this is a year old, the answer, in my eyes, is wrong! It should be updated with the answer provided by @ImmergeCatalepsy
The accepted answer is incorrect if you are using .NET 4.0Nicodemus
Do not hardcode the security protocol. See TLS Best Practices with .NETSulphathiazole
The question is about .NET 4.0 and this code will not compile in .NET 4.0.Mycosis
Downvote reason: answer is wrong and doesn't work (for the reason Martin stated)Controller
@Sulphathiazole What choice do you have if you can't upgrade to .NET 4.5 and have to use TLS 1.2? STW, I am surprised you can set an enum to an undeclared value...wouldn't have expected that to compile or run. ThanksCatechumen
If you don’t have .NET 4.5 you can try forcing TLS version 1.2 using the integer value for the enum. See comment by STW. This will compile but may result in a runtime error if TLS 1.2 is not available to the OS.Sulphathiazole
@xr280xr, keep in mind if you can install .NET 4.5 runtime on the target, you do not need to rebuild your app to target .NET 4.5 as long as you're targetting 4.0 and you set the appropriate registry settings. See here for more details: github.com/TheLevelUp/pos-tls-patcherSulphathiazole
I wouldn't go with hard coding.Katherinkatherina
Hard-coding can't be avoided if you can't upgrade your development environment to .NET 4.5 or later that includes the new SecurityProtocolType. This compiles and works under .NET 4.0, as long as .NET 4.5 or later is installed on the target machine. Best practice may be to upgrade, but this is a practical solution.Dinahdinan
R
33

According to this, you will need .NET 4.5 installed. For more details, visit the webpage. The gist of it is that after you have .NET 4.5 installed, your 4.0 apps will use the 4.5 System.dll. You can enable TLS 1.2 in two ways:

  • At the beginning of the application, add this code: ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
  • Set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319: SchUseStrongCrypto to DWORD 1
Rugg answered 15/6, 2016 at 18:12 Comment(2)
In order to get TLS 1.2 without code changes, you'll also need .NET 4.6 installed in addition to the registry keys. More info here: github.com/TheLevelUp/pos-tls-patcherSulphathiazole
The pos-tls-patcher explains the registers that needed to be disabled in detail, even if you do not want to use the code.Wagoner
O
20

There are two possible scenarios,

  1. If your application runs on .net framework 4.5 or less, and you can easily deploy new code to the production then you can use of below solution.

    You can add the below line of code before making the API call,

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // .NET 4.5
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; // .NET 4.0

  2. If you cannot deploy new code and you want to resolve the issue with the same code which is present in the production, then you have two options.

Option 1 :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

then create a file with extension .reg and install.

Note : This setting will apply at registry level and is applicable to all application present on that machine and if you want to restrict to only single application then you can use Option 2

Option 2 : This can be done by changing some configuration setting in config file. You can add either in your config file.

<runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false"/>
</runtime>

or

<runtime>
  <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"
</runtime>
Offstage answered 18/9, 2020 at 17:22 Comment(0)
A
14

I code in VB and was able to add the following line to my Global.asax.vb file inside of Application_Start

ServicePointManager.SecurityProtocol = CType(3072, SecurityProtocolType)    'TLS 1.2
Above answered 25/8, 2018 at 15:27 Comment(0)
K
1

This works for me.

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => true;
Kush answered 30/11, 2023 at 9:9 Comment(0)
G
0

I meet the same issue on a Windows installed .NET Framework 4.0.
And I Solved this issue by installing .NET Framework 4.6.2.
Or you may download the newest package to have a try.

Grecism answered 20/3, 2018 at 5:55 Comment(2)
and what if they need to run 4.5?Buddleia
I have it installed already, and it does not work. The registration keys in fact did the job.Tuchun

© 2022 - 2024 — McMap. All rights reserved.