windows 7/windows 2008/ tls1.2 / .net

Disable RC2 RC4 And SSL 2.0

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll

 Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

 Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

Protocol

KEA

SYM (bit)

HSH (bit)

CipherSuite

TLS1.0

RSAKeyX

AES (128)

SHA1 (160)

TLS_RSA_WITH_AES_128_CBC_SHA    

SSL3.0

RSAKeyX

RC4 (128)

SHA1 (160)

SSL_RSA_WITH_RC4_128_SHA

SSL2.0

RSAKeyX

RC4 (128)

MD5 (128)

SSL_CK_RC4_128_WITH_MD5

TLS 1.2 and Microsoft.Net

Now lets focus on using TLS 1.2 in .Net world. We need to make sure that
the web sites are served via TLS 1.2 protocol and client apps which are
consuming the same need to support TLS 1.2. .Net is running on top of
operating system and mostly its windows. If host windows supports TLS
1.2 .Net can also support TLS 1.2 as it relies on schannel.dll1
The first task here is to make sure we are using the right tools and technologies.


TLS 1.2 and .Net Framework 4.5


.Net is also versioned. Versions below 4.5*doesn't know how to
communicate via TLS 1.2.In .Net 4.5 the TLS 1.2 is enabled
by default.
Simply compile our applications in ,Net 4.5 and we will get TLS 1.2
communication for our applications.


How to make .Net 4.0 app talk using TLS 1.2


Technically speaking just recompile existing older application to .Net
4.5 to get TLS 1.2 support. It sounds simple as everybody expecting that
there are no breaking changes in .Net 4.5 and our application will
function as is. But if we are serious about delivering quality software
we also need to test entire app in 4.5 before shipping. It really adds
cost.

Lets see if there are any ways to use TLS 1.2 by .Net 4.0 apps.

System.dll overwrite

When we install .Net 4.5 its basically adding changes on top of .Net
4.0. In other words the System.dll used for 4.0 apps will be overwritten
to 4.5 version of System.dll. So there are possibilities that .Net 4.0
apps will execute 4.5 code when they access functions in System.dll.
Which means if we have .Net 4.5 installed in the machine where our .Net
4.0 is running it can take advantage of TLS1.2. All our solutions below
are depending on this factor.
Below links explains the .Net versioning and overwriting.


1.Code change in 4.0 to use TLS 1.2

Now its the matter of changing the default protocol used by 4.0 to TLS
1.2. This can be done by forcefully changing the  protocol as below.

//SecurityProtocolType.Tls1.2;

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

 

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
| SecurityProtocolType.Tls11 
| SecurityProtocolType.Tls;

// comparable to modern browsers
var request = WebRequest.Create("https://www.howsmyssl.com/a/check");
var response = request.GetResponse(); 
var body = new StreamReader(response.GetResponseStream()).ReadToEnd();


If we look at the SecurityProtocolType enum for .Net 4.0, we will not be able to see the TLS1.2. But in 4.5 we can see that. So .Net 4.0 will not compile if we use TLS1.2 enum value. But if we use the TLS1.2 enum number it will compile and at runtime since the .Net 4.0's System.dll is replaced with 4.5 the cast will work. 

 
Please note that this will fail if we are running the same app in a machine which don't have 4.5 installed. Recommended only for servers where its easy to manage the .Net version.


2.Registry change to force .Net 4.0 to use TLS 1.2

If we inspect the .Net 4.5 ServicePointManager source code we can see that the default protocol is depending on the below registry entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    SchUseStrongCrypto to DWORD 1

The default value will be 0. Simply change this to 1 to get .Net 4.5
System.dll use TLS 1.2. Since our 4.0 application uses 4.5 System.dll
4.0 gets TLS 1.2 support.

http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5


References

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Client_.28Browser.29_Configuration
https://www.simple-talk.com/dotnet/.net-framework/tlsssl-and-.net-framework-4.0/
https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx
https://istlsfastyet.com/
http://blogs.msdn.com/b/benjaminperkins/archive/2014/11/04/using-tls-1-2-with-wcf.aspx
http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx
http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html

TLS Cipher Suites in Windows 7
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767780%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 8
https://msdn.microsoft.com/en-us/library/windows/desktop/mt762882%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 8.1
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767781%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 10 v1507
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767769%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 10 v1511
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767768%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 10 v1567
https://msdn.microsoft.com/en-us/library/windows/desktop/mt490158%28v=vs.85%29.aspx

Tools

for .net framework 4.5
SSLTLSCheck.zip

点击查看原图

此条目发表在.net分类目录。将固定链接加入收藏夹。