Why ServicePointManager.SecurityProtocol default v

2020-06-09 01:14发布

站内问答 / C#
469 2 5

Currently I have an issue and can't find strict answer on it.

I have ASP.NET MVC 5 application targeting 4.6.1 framework and its goal is to work with third party API's that are secured by TLS 1.1/TLS 1.2 protocols.

I have tried to run my application on 2 environments:

  • my local machine Windows 10 with .NET 4.6.2 Framework, IIS Express;
  • server machine Windows Server 2012 with .NET 4.6.1, IIS 8.0;

The issue is in that when I start it locally ServicePointManager.SecurityProtocol default value is set to Ssl3, Tls, so I can't target API's and have to code it on application start to use TLS 1.1/TLS 1.2: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12.

When application runs on server default value ServicePointManager.SecurityProtocol is set to Tls, Tls11, Tls12, so it works well.

According to documentation applications run on .NET Framework 4.6 or above versions have to use TLS 1.1/TLS 1.2 by default, how it is on remote machine.

Why the default values of ServicePointManager.SecurityProtocol are different? Is it because .NET Framework configuration? Or maybe registry settings? I have searched through it but couldn't find an answer.

2条回答
做个烂人
2楼-- · 2020-06-09 01:47

We can update registry like below to let .Net framework use TLS1.1\TLS1.2, a restart is needed.

I've tried, and the value of ServicePointManager.SecurityProtocol in my machine changed from "Ssl3, Tls" to "Tls, Tls11, Tls12":

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
查看更多
0人赞 添加讨论(0) 举报
We Are One
3楼-- · 2020-06-09 01:48

MSDN: ServicePointManager.SecurityProtocol Property:

Note that no default value is listed for this property, on purpose. The security landscape changes constantly, and default protocols and protection levels are changed over time in order to avoid known weaknesses. Defaults will vary depending on individual machine configuration, and on which software is installed, and on which patches have been applied.

MSDN Blogs: Support for SSL/TLS protocols on Windows:

On Windows the support for SSL/TLS protocols is tied to the SCHANNEL component. So, if a specific OS version doesn’t support a SSL/TLS version, this means it remains unsupported.

MSDN: Cipher Suites in TLS/SSL (Schannel SSP)

Different Windows versions support different TLS cipher suites and priority order. See the corresponding Windows version for the default order in which they are chosen by the Microsoft Schannel Provider.

In other words: this is determined by your Windows version and its patch level.

But like @Damien said, why would you bother what the default level is?

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)