Is TLS 1.1 and TLS 1.2 enabled by default for .NET 4.5 and .NET 4.5.1?
B

4

51

On our Windows 2012 Server R2, we need to disable TLS 1.0.

However, we have .NET 4.5 WCF services running. We found that if we disable TLS 1.0, the WCF services no longer run, as we get the error 'An existing connection was forcibly closed by the remote host'.

Is TLS 1.1/1.2 enabled by default in .NET 4.5 and .NET 4.5.1? If not, which we assume is the case, where in our WCF project do we force the project to use TLS 1.1/1.2?

Broderickbrodeur answered 21/1, 2016 at 9:56 Comment(2)
Generally not, the default protocol is SSL 3. See this #28286586Noncontributory
Duplicate? #29664474Whatnot
A
127

Is TLS 1.1/1.2 enabled by default in .NET 4.5 and .NET 4.5.1?

No. The default protocols enabled for the various framework versions are:

  • .NET Framework 4.5 and 4.5.1: SSLv3 and TLSv1
  • .NET Framework 4.5.2: SSLv3, TLSv1, and TLSv1.1
  • .NET Framework 4.6 and higher: TLSv1, TLSv1.1, and TLSv1.2

Sources: [1] [2] [3]

While Microsoft recommends against explicitly specifying protocol versions in favour of using the operating system's defaults:

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports.

... it's still possible to select which protocols your application supports by using the ServicePointManager class, specifically by setting the SecurityProtocol property to the relevant SecurityProtocolTypes.

In your case you would want to use the following:

System.Net.ServicePointManager.SecurityProtocol =
    SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Note that TLSv1 and TLSv1.1 are effectively deprecated as of 2020; you should avoid building new applications that rely on these protocols, and make every effort to upgrade applications that currently use them.

Aprylapse answered 15/8, 2017 at 12:30 Comment(4)
Thank you so much - it's crazy that this hasn't been selected as the answer. One line of code and you saved me hours of debugging or registry hacking. Thank you.Lordinwaiting
This is definitely correct. However, it's also possible to enable TLS 1.2 without the code changes by installing .NET 4.6 or higher and enabling .NET strong cryptography registry keys. More info here: github.com/TheLevelUp/pos-tls-patcherArian
Just published: TLS best practices with .NETArian
This is the easiest way, just put that line (I omitted the Tls11 bit) into the startup code and you are good.Brasher
P
21

The answer by Ian Kemp works without an issue, but I just wanted to provide another answer that means you don't have to recompile your code.

Anything above .NET 4.5 can support TLS 1.2; however, the default of anything lower than .NET 4.7 is TLS 1.1. So if you need to access something using TLS 1.2, you get an error, as it will be trying to use the default.

You can add the following code to your configuration file, to override the default.

<runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>

Update

For .NET Framework 4.7 and later versions, the default is for the OS to choose the best security protocol and version.

For .NET Framework 4.6 to 4.6.2, the AppContext switches can be placed in the app.config or web.config, as the system default will be set to a lower TLS or SSL version.

<runtime>
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
</runtime>

For .NET Framework 4.5 to 4.5.2 the registry keys SchUseStrongCrypto and SystemDefaultTlsVersions will need to be set.

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto

The SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography and a value of 0 disables strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. For .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions

The SystemDefaultTlsVersions registry key has a value of type DWORD. A value of 1 causes your app to allow the operating system to choose the protocol. A value of 0 causes your app to use protocols picked by the .NET Framework.

If the application targets .NET Framework 4.6.1 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

Example for 32-bit applications that are running on 32-bit OSs and for 64-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001

For 32-bit applications that are running on 64-bit OSs, update the following subkey values:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions" = dword:00000001
"SchUseStrongCrypto" = dword:00000001
Protract answered 9/10, 2020 at 18:5 Comment(5)
Does this go in the .csproj in a propertygroup section?Subvention
no this would go in the app.config of the compiled app.Protract
I believe this answer is underrated.Striper
Note this is only supported in .NET Framework 4.6+Crepe
Verified that this method worked. In my case, I was trying to run Office Web Apps 2013 (built in .net 4.5 era) on a Win 2012 R2 server. The service was trying to connect to a Win 2019 server to retrieve the file to render (via WOPI) and was working fine until I disabled < TLS 1.2 protocols. Enabling the SchUseStrongCrypto & SystemDefaultTlsVersions worked for me.Carlinecarling
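
The registry procedure from the answer above, as an added PowerShell example that is not part of the original answer: it audits SchUseStrongCrypto and SystemDefaultTlsVersions in both registry views for v4.0.30319 and sets them to 1 only when asked. The `-Apply` switch is a name chosen for this example; setting values requires an elevated session.

```powershell
# Added example: audit (and optionally set) the .NET Framework TLS registry values.
# -Apply is a parameter name chosen for this example, not a built-in switch.
param([switch]$Apply)

# Both registry views quoted in the answer: native, and WOW6432Node
# (32-bit applications running on a 64-bit OS).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$names = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

$report = foreach ($path in $paths) {
    if (-not (Test-Path -Path $path)) {
        # WOW6432Node does not exist on a 32-bit OS; nothing to audit there.
        continue
    }
    foreach ($name in $names) {
        # A missing value reads back as $null, which is reported as "(not set)".
        $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($Apply -and $current -ne 1) {
            New-ItemProperty -Path $path -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
            $current = (Get-ItemProperty -Path $path -Name $name).$name
        }
        [pscustomobject]@{
            Path    = $path
            Name    = $name
            Value   = if ($null -eq $current) { '(not set)' } else { $current }
            Enabled = ($current -eq 1)
        }
    }
}

$report | Format-Table -AutoSize

# PowerShell is itself a .NET Framework process, so this shows what such a process offers.
"ServicePointManager.SecurityProtocol in this process: $([Net.ServicePointManager]::SecurityProtocol)"

if ($report.Enabled -contains $false) {
    Write-Warning 'At least one value is not 1; see the registry guidance in the answer above.'
}
```

Run it without arguments first to record the current state, then with `-Apply`, and restart the affected application or service so that it picks up the new values.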
C
2

I was searching for this answer too, since we have an ASP.NET MVC 4.5.x app running in production.

I think there's an updated answer to this in the official Microsoft docs.

See the following for full details: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

main point

It looks like you only need to update the values in the Registry.

They recommend that you do not make code changes to handle the difference.
Only if you're running .NET Framework 3.5 do you need to explicitly set a flag value.

do not make code changes

Cultus answered 7/4, 2022 at 15:19 Comment(0)
S
0

If you are using this module just for API calls, please use the following component to generate HttpClient and your code will work just fine.

// Requires: using System.Net.Http;
public static HttpClient CreateHttpClientWithTls12()
{
    // Create an instance of HttpClientHandler
    var handler = new HttpClientHandler();

    // Set the TLS version to 1.2
    handler.SslProtocols = System.Security.Authentication.SslProtocols.Tls12;

    // Leave ServerCertificateCustomValidationCallback unset so the default certificate
    // validation stays in force; a callback that always returns true would accept any
    // certificate, including a forged one.

    // Create an instance of HttpClient with the custom handler
    var httpClient = new HttpClient(handler);

    return httpClient;
}

Note: I have tested this with .NET Framework 4.7 & 4.8, but I assume it should work for all versions.

Sap answered 9/1 at 8:0 Comment(0)
