.Net Framework 4.6.1 not defaulting to TLS 1.2

.net ssl tls1.2 .net-4.6.1

Our client have recently upgrade the security protocol to TLS 1.2. Therefore We have our application upgraded to 4.6.1 expecting the security protocol will be default to TLS 1.2 but it is not. Any idea why?


I had a similar problem and this is what worked for me.

  1. open Powershell and check for supported protocols by using [Net.ServicePointManager]::SecurityProtocol

  2. Run the following 2 cmdlets to set .NET Framework strong cryptography registry keys:

    set strong cryptography on 64 bit .Net Framework (version 4 and above)

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

    set strong cryptography on 32 bit .Net Framework (version 4 and above)

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

  3. Restart Powershell and check again for supported protocol by using [Net.ServicePointManager]::SecurityProtocol

It should now display Tls12 as well.

Hope this helps


As others have mentioned there are a number of Windows Registry keys that must be set to enable TLS 1.2 in existing .NET applications without explicitly setting the protocol version in application code.

In order to make .NET 4.x code select the strongest available protocol by default (i.e. when a protocol is not explicitly specified in code), the following registry keys are needed:

On 32-bit and 64-bit versions of Windows: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0X00000001

On 64-bit versions of Windows: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto: 0X00000001

The WOW6432Node value is needed to enable TLS 1.2 in 32-bit applications when run on 64-bit systems.

But here's the quick and easy solution: https://github.com/TheLevelUp/pos-tls-patcher

Update:

If you're targetting .NET 4.6 or 4.7 you'll be interested in Transport Layer Security (TLS) best practices with the .NET Framework.

Note that TLS Patcher linked above very much follows the Microsoft recommendation for existing .NET 4.0 and 4.5 apps that cannot target .NET 4.6 or higher.


The reason why the security protocol did not default to TLS 1.2 is because there is no default value for this in .NET Framework 4.6.1. Sorry if this is reiterating what's already been said but I wanted to elaborate and I don't have enough reputation to comment.

There is no default value in 4.6.2 either, however like one of the commenters mentioned above, a console application does seem to default to TLS 1.2. I tried the exact same code in a website project targeting 4.6.2 and it did NOT default to TLS 1.2.

4.7 and above does have a default value of SecurityProtocolType.SystemDefault.

"This allows .NET Framework networking APIs based on SslStream (such as FTP, HTTP, and SMTP) to inherit the default security protocols from the operating system or from any custom configurations performed by a system administrator"

https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=netframework-4.7#System_Net_ServicePointManager_SecurityProtocol

Related

Overriding a module method from a gem in Rails
duplicate symbols for architecture i386 clang
Allow access permission to write in Program Files of Windows 7
How to remove cache in WKWebview?
Password strength checking library [closed]
Forwarding UIGesture to views behind
CSS rounded corners in IE8
Convert data frame with date column to timeseries
Change NavigationView items when user is logged
How do I duplicate item when using jquery sortable?
Async/Await - is it *concurrent*?
How do I copy a database from one MongoDB server to another?