Updating Legacy ASP.NET Applications to support TLS 1.2
Richard Harris
DevOps, Online & Mobile at TD Bank Group #devops #agile #cloud #java #js #csharp
TLS
The Transport Layer Security (TLS) protocol is an industry standard designed to help protect the privacy of information communicated over the Internet. TLS 1.2 is a standard that provides security improvements over previous versions. TLS 1.2 will eventually be replaced by the newest released standard, TLS 1.3, which is faster and has improved security.
Many large companies are still in the process of disabling the outdated SSL 3 and TLS 1.0 security protocols on their servers. Regulations in the Payment Card Industry (PCI) demand that by June 30th 2018 only TLS 1.1 and TLS 1.2 may be enabled. These changes might impact your code even if it is not under the scope of PCI compliance (for example, some third-party APIs may no longer support TLS 1.0).
If your app targets .NET Framework 3.5
If you must explicitly set a security protocol instead of letting the .NET framework or the OS pick the security protocol, add SecurityProtocolTypeExtensions and SslProtocolsExtension enumerations to your code. SecurityProtocolTypeExtensions and SslProtocolsExtension include values for Tls12, Tls11, and the SystemDefault value. See "Support for TLS System Default Versions included in .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2" / "Solution" found below under "Primary References".
You may need to update your Windows Server by installing a Microsoft patch and modifying some system Registry keys. However, you may already have received a Windows update that supersedes these patches. Before updating Windows, first try to implement "Solution" / "Developer Guidance" (see below) to see if the Windows update is required.
Solution
If you must explicitly set a security protocol instead of letting the .NET framework or the OS pick the security protocol, add SecurityProtocolTypeExtensions and SslProtocolsExtension enumerations to your code. SecurityProtocolTypeExtensions and SslProtocolsExtension include values for Tls12, Tls11, and the SystemDefault value.
Windows may or may not need updating. The article provides Microsoft Download Center links. The fix you require may simply be a matter of placing SecurityProtocolTypeExtensions.cs and SslProtocolsExtensions.cs in App_Code, and then updating your code (e.g. Global.asax Application_Start) to include:

```csharp
using System.Net;
// ... (rest of Global.asax)

protected void Application_Start(object sender, EventArgs e)
{
    // Force TLS 1.2 for outbound HTTPS connections made by this application.
    // Tls12 comes from the SecurityProtocolTypeExtensions class placed in App_Code.
    ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
}
```
SecurityProtocolTypeExtensions.cs
```csharp
namespace System.Net
{
    using System.Security.Authentication;

    // Supplies the Tls12/Tls11/SystemDefault members that SecurityProtocolType
    // lacks on an unpatched .NET Framework 3.5, using the same underlying values.
    public static class SecurityProtocolTypeExtensions
    {
        public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
        public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
        public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
    }
}
```
SslProtocolsExtensions.cs
```csharp
namespace System.Security.Authentication
{
    // Numeric values of the Tls12 and Tls11 members of SslProtocols
    // as defined in later versions of the .NET Framework.
    public static class SslProtocolsExtensions
    {
        public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
        public const SslProtocols Tls11 = (SslProtocols)0x00000300;
    }
}
```
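The cast bypasses the compiler's check but not the runtime's: an unpatched framework rejects the value when the property is set, and an OS that still has TLS 1.2 disabled will fail the handshake later. The following startup check is an added example, not code from the original post or from Microsoft's article; it assumes the two App_Code files above are present and that you log with System.Diagnostics.Trace.

```csharp
using System;
using System.Diagnostics;
using System.Net;

// Added example: enable TLS 1.2 (and 1.1) at application start and report
// whether the runtime accepted the value. A NotSupportedException here means
// the .NET Framework 3.5 TLS patch (or a superseding Windows update) is missing.
public static class TlsStartupCheck
{
    // Returns true if TLS 1.2 is now part of the active protocol set.
    public static bool EnableTls12()
    {
        SecurityProtocolType wanted =
            SecurityProtocolTypeExtensions.Tls12 | SecurityProtocolTypeExtensions.Tls11;
        try
        {
            ServicePointManager.SecurityProtocol = wanted;
        }
        catch (NotSupportedException ex)
        {
            // The setter validates the bits; unpatched runtimes reject 0x300/0xC00.
            Trace.TraceError("TLS 1.2 not accepted by this runtime: {0}", ex.Message);
            return false;
        }

        // Confirm the bit is really set rather than trusting the assignment.
        bool enabled =
            (ServicePointManager.SecurityProtocol & SecurityProtocolTypeExtensions.Tls12)
            == SecurityProtocolTypeExtensions.Tls12;
        Trace.TraceInformation("Active protocols: {0} (TLS 1.2 enabled: {1})",
            ServicePointManager.SecurityProtocol, enabled);
        return enabled;
    }
}
```

Call TlsStartupCheck.EnableTls12() from Application_Start; a false return means the Windows patch and Registry changes described above are still required, even though the code compiles.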
References
Primary References (Microsoft Support):
- Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2
- Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
- Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
Secondary References:
- Transport Layer Security (TLS) best practices with the .NET Framework | Microsoft Docs
- TLS 1.2 and .NET Support: How to Avoid Connection Errors
- c# - SecurityProtocolTypeExtensions.Tls12; does not exist in current context - Stack Overflow
- TLS 1.2 in .NET Framework 4.0
Tertiary References: