{"id":567,"date":"2017-03-31T19:27:28","date_gmt":"2017-03-31T19:27:28","guid":{"rendered":"http:\/\/99c5e07b4d5de9d18c350cdf64c5aa3d"},"modified":"2017-09-21T15:48:22","modified_gmt":"2017-09-21T07:48:22","slug":"windows-7windows-2008-tls1-2-net","status":"publish","type":"post","link":"https:\/\/www.xiaobo.li\/notes\/archives\/567","title":{"rendered":"windows 7\/windows 2008\/ tls1.2 \/ .net"},"content":{"rendered":"<p><\/p>\n<h2 style=\"text-align:left;\">\nDisable RC2 RC4 And SSL 2.0<br \/>\n<\/h2>\n<p>\nhttps:\/\/support.microsoft.com\/en-us\/help\/245030\/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll<\/p>\n<table style=\"width:96%;background-color:#dfc5a4;\" border=\"1\" bordercolor=\"#000000\" cellpadding=\"1\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td>&nbsp;Windows Registry Editor Version 5.00<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Client]<br \/>\n\"DisabledByDefault\"=dword:00000001<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 2.0\\Server]<br \/>\n\"Enabled\"=dword:00000000<br \/>\n\"DisabledByDefault\"=dword:00000001<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Client]<br \/>\n\"Enabled\"=dword:00000000<br \/>\n\"DisabledByDefault\"=dword:00000001<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\SSL 3.0\\Server]<br \/>\n\"Enabled\"=dword:00000000<br 
\/>\n\"DisabledByDefault\"=dword:00000001<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client]<br \/>\n\"Enabled\"=dword:00000001<br \/>\n\"DisabledByDefault\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server]<br \/>\n\"Enabled\"=dword:00000001<br \/>\n\"DisabledByDefault\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client]<br \/>\n\"DisabledByDefault\"=dword:00000000<br \/>\n\"Enabled\"=dword:00000001<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server]<br \/>\n\"DisabledByDefault\"=dword:00000000<br \/>\n\"Enabled\"=dword:00000001<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client]<br \/>\n\"DisabledByDefault\"=dword:00000000<br \/>\n\"Enabled\"=dword:00000001<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server]<br \/>\n\"Enabled\"=dword:00000001<br \/>\n\"DisabledByDefault\"=dword:00000000<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/p>\n<table style=\"width:95%;background-color:#DFC5A4;\" border=\"1\" bordercolor=\"#000000\" cellpadding=\"1\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td>&nbsp;Windows Registry Editor Version 
5.00<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers]<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 128\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 64\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 56\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC4 40\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>\n[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC2 128\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC2 56\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<p>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers\\RC2 40\/128]<br \/>\n\"Enabled\"=dword:00000000<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/p>\n<table style=\"width:95%;\" class=\"MsoTableGrid\" border=\"1\" cellpadding=\"1\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\">\n<p><b>Protocol <\/b><\/p>\n<\/td>\n<td valign=\"top\">\n<p><b>KEA <\/b><\/p>\n<\/td>\n<td valign=\"top\">\n<p><b>SYM (bit) <\/b><\/p>\n<\/td>\n<td valign=\"top\">\n<p><b>HSH (bit) <\/b><\/p>\n<\/td>\n<td valign=\"top\">\n<p><b>CipherSuite <\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p>TLS1.0 <\/p>\n<\/td>\n<td valign=\"top\">\n<p>RSAKeyX <\/p>\n<\/td>\n<td valign=\"top\">\n<p>AES (128) <\/p>\n<\/td>\n<td valign=\"top\">\n<p>SHA1 (160) <\/p>\n<\/td>\n<td valign=\"top\">\n<p>TLS_RSA_WITH_AES_128_CBC_SHA&nbsp;&nbsp;&nbsp;&nbsp; <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p>SSL3.0 <\/p>\n<\/td>\n<td 
valign=\"top\">\n<p>RSAKeyX <\/p>\n<\/td>\n<td valign=\"top\">\n<p>RC4 (128) <\/p>\n<\/td>\n<td valign=\"top\">\n<p>SHA1 (160) <\/p>\n<\/td>\n<td valign=\"top\">\n<p>SSL_RSA_WITH_RC4_128_SHA <\/p>\n<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">\n<p>SSL2.0 <\/p>\n<\/td>\n<td valign=\"top\">\n<p>RSAKeyX <\/p>\n<\/td>\n<td valign=\"top\">\n<p>RC4 (128) <\/p>\n<\/td>\n<td valign=\"top\">\n<p>MD5 (128) <\/p>\n<\/td>\n<td valign=\"top\">\n<p>SSL_CK_RC4_128_WITH_MD5 <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 style=\"text-align:left;\">\nTLS 1.2 and Microsoft.Net<br \/>\n<\/h2>\n<div>\nNow let's focus on using TLS 1.2 in the .Net world. We need to make sure that the web sites are served via the TLS 1.2 protocol and that the client apps consuming them also support TLS 1.2. .Net runs on top of the operating system, which is mostly Windows. If the host Windows supports TLS 1.2, .Net can also support TLS 1.2, as it relies on schannel.dll<sup>1<\/sup><\/div>\n<div>\n\n<\/div>\n<div>\nThe first task here is to make sure we are using the right tools and technologies.<\/div>\n<div>\n<div>\n<h2>\nTLS 1.2 and .Net Framework 4.5<br \/>\n<\/h2>\n<\/div>\n<\/div>\n<div>\n.Net is also versioned. Versions below 4.5* don't know how to communicate via TLS 1.2. In .Net 4.5, TLS 1.2 is enabled by default. Simply compile our applications against .Net 4.5 and we will get TLS 1.2 communication for our applications.<\/div>\n<div>\n<h2 style=\"text-align:left;\">\nHow to make a .Net 4.0 app talk using TLS 1.2<br \/>\n<\/h2>\n<div>\nTechnically speaking, just recompile the existing older application against .Net 4.5 to get TLS 1.2 support. It sounds simple, as everybody expects that there are no breaking changes in .Net 4.5 and our application will function as is. But if we are serious about delivering quality software we also need to test the entire app on 4.5 before shipping. 
It really adds cost.<\/p>\n<p>Let's see if there are any ways for .Net 4.0 apps to use TLS 1.2.<\/p>\n<h3 style=\"text-align:left;\">\nSystem.dll overwrite<\/h3>\n<div>\nWhen we install .Net 4.5, it basically adds changes on top of .Net 4.0. In other words, the System.dll used by 4.0 apps is overwritten with the 4.5 version of System.dll. So .Net 4.0 apps may execute 4.5 code when they access functions in System.dll, which means that if .Net 4.5 is installed on the machine where our .Net 4.0 app is running, it can take advantage of TLS 1.2. All our solutions below depend on this factor.<\/div>\n<div>\n\n<\/div>\n<div>\nThe links below explain the .Net versioning and overwriting.<\/div>\n<div>\n<a href=\"http:\/\/blogs.msdn.com\/b\/rodneyviana\/archive\/2014\/12\/23\/identifying-the-net-version-you-are-running-2-0-4-5-4-5-1-or-4-5-2.aspx\">http:\/\/blogs.msdn.com\/b\/rodneyviana\/archive\/2014\/12\/23\/identifying-the-net-version-you-are-running-2-0-4-5-4-5-1-or-4-5-2.aspx<\/a><\/div>\n<div>\n<a href=\"https:\/\/weblog.west-wind.com\/posts\/2012\/Mar\/13\/NET-45-is-an-inplace-replacement-for-NET-40\">https:\/\/weblog.west-wind.com\/posts\/2012\/Mar\/13\/NET-45-is-an-inplace-replacement-for-NET-40<\/a><\/div>\n<h3 style=\"text-align:left;\">\n1. Code change in 4.0 to use TLS 1.2<br \/>\n<\/h3>\n<p>\nNow it's a matter of changing the default protocol used by 4.0 to TLS 1.2. 
This can be done by forcefully changing the protocol as below.<\/p>\n<pre style=\"background:white;font-family:Consolas;font-size:13px;\">using System.IO;\nusing System.Net;\n\n\/\/ .Net 4.0: SecurityProtocolType.Tls12 is not in the 4.0 enum, so cast its numeric value (3072)\nServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;\n\n\/\/ .Net 4.5: the enum members exist, so the protocols can be named explicitly\n\/\/ (comparable to modern browsers)\nSystem.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12\n    | SecurityProtocolType.Tls11\n    | SecurityProtocolType.Tls;\n\n\/\/ Query howsmyssl.com to see which TLS version the client negotiated\nvar request = WebRequest.Create(\"https:\/\/www.howsmyssl.com\/a\/check\");\nvar response = request.GetResponse();\nvar body = new StreamReader(response.GetResponseStream()).ReadToEnd();<\/pre>\n<p>\nIf we look at the SecurityProtocolType enum for .Net 4.0, we will not be able to see TLS 1.2, but in 4.5 we can. So .Net 4.0 will not compile if we use the TLS 1.2 enum value. But if we use the TLS 1.2 enum number it will compile, and at runtime, since the .Net 4.0 System.dll is replaced with the 4.5 one, the cast will work.<\/p>\n<p>\nPlease note that this will fail if we are running the same app on a machine which doesn't have 4.5 installed. Recommended only for servers where it's easy to manage the .Net version.<\/p>\n<h3 style=\"text-align:left;\">\n2. Registry change to force .Net 4.0 to use TLS 1.2<br \/>\n<\/h3>\n<p>\nIf we inspect the .Net 4.5 <a href=\"http:\/\/referencesource.microsoft.com\/#System\/net\/System\/Net\/ServicePointManager.cs,3528c78e8b71ece2,references\">ServicePointManager source code<\/a> we can see that the default protocol depends on the registry entry below.<\/p>\n<p><i>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319<br \/>\n&nbsp;&nbsp;&nbsp; SchUseStrongCrypto (DWORD) = 1<br \/>\n<\/i><\/p>\n<p>The default value is 0. Simply change it to 1 to make the .Net 4.5 System.dll use TLS 1.2. Since our 4.0 application uses the 4.5 System.dll, 4.0 gets TLS 1.2 support.<\/p>\n<p><a href=\"http:\/\/stackoverflow.com\/questions\/28286086\/default-securityprotocol-in-net-4-5\">http:\/\/stackoverflow.com\/questions\/28286086\/default-securityprotocol-in-net-4-5<\/a><\/p><\/div>\n<\/div>\n<h2 style=\"text-align:left;\">\nReferences<br \/>\n<\/h2>\n<p>\nhttps:\/\/www.owasp.org\/index.php\/Transport_Layer_Protection_Cheat_Sheet#Client_.28Browser.29_Configuration<br \/>\nhttps:\/\/www.simple-talk.com\/dotnet\/.net-framework\/tlsssl-and-.net-framework-4.0\/<br \/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/system.security.authentication.sslprotocols(v=vs.110).aspx<br \/>\nhttps:\/\/istlsfastyet.com\/<br \/>\nhttp:\/\/blogs.msdn.com\/b\/benjaminperkins\/archive\/2014\/11\/04\/using-tls-1-2-with-wcf.aspx<br \/>\nhttp:\/\/blogs.msdn.com\/b\/benjaminperkins\/archive\/2011\/10\/07\/secure-channel-compatibility-support-with-ssl-and-tls.aspx<br \/>\nhttp:\/\/www.dotnetnoob.com\/2013\/10\/hardening-windows-server-20082012-and.html<\/p>\n<p><b>TLS Cipher Suites in Windows 7<\/b><br \/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/mt767780%28v=vs.85%29.aspx<br \/>\n<b>TLS Cipher Suites in Windows 8<\/b><br 
\/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/mt762882%28v=vs.85%29.aspx<br \/>\n<b>TLS Cipher Suites in Windows 8.1<\/b><br \/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/mt767781%28v=vs.85%29.aspx<br \/>\n<b>TLS Cipher Suites in Windows 10 v1507<\/b><br \/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/mt767769%28v=vs.85%29.aspx<br \/>\n<b>TLS Cipher Suites in Windows 10 v1511<\/b><br \/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/mt767768%28v=vs.85%29.aspx<br \/>\n<b>TLS Cipher Suites in Windows 10 v1567<\/b><br \/>\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/mt490158%28v=vs.85%29.aspx<\/p>\n<h2 style=\"text-align:left;\">\nTools<br \/>\n<\/h2>\n<p>\nFor .Net Framework 4.5<br \/>\n<span class=\"attachment\"><a target=\"_blank\" href=\"\/notes\/content\/uploadfile\/201703\/62831490960428.zip\">SSLTLSCheck.zip<\/a><\/span><\/p>\n<p><a target=\"_blank\" href=\"\/notes\/content\/uploadfile\/201703\/07271490960437.png\" id=\"ematt:527\"><img decoding=\"async\" src=\"\/notes\/content\/uploadfile\/201703\/07271490960437.png\" alt=\"Click to view the original image\" border=\"0\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<h2 style=\"text-align:left;\">\nTLS 1.2 and Microsoft.Net<br \/>\n<\/h2>\n<div>\nNow let's focus on using TLS 1.2 in the .Net world. We need to make sure that<br \/>\n the web sites are served via the TLS 1.2 protocol and the client apps which are<br \/>\n consuming them also support TLS 1.2. .Net runs on top of the<br \/>\noperating system, which is mostly Windows. If the host Windows supports TLS<br \/>\n1.2, .Net can also support TLS 1.2, as it relies on schannel.dll<sup>1<\/sup><\/div>\n<div>\n<\/div>\n<div>\nThe first task here is to make sure we are using the right tools and technologies.<\/div>\n<div>\n<div>\n<h2>\nTLS 1.2 and .Net Framework 4.5<br \/>\n<\/h2>\n<\/div>\n<\/div>\n<div>\n.Net is also versioned. 
Versions below 4.5* don't know how to<br \/>\ncommunicate via TLS 1.2. In .Net...<\/div>\n<p> <a href=\"https:\/\/www.xiaobo.li\/notes\/archives\/567\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[279],"tags":[],"class_list":["post-567","post","type-post","status-publish","format-standard","hentry","category-dotnet"],"_links":{"self":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts\/567","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/comments?post=567"}],"version-history":[{"count":0,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/posts\/567\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/media?parent=567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/categories?post=567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xiaobo.li\/notes\/wp-json\/wp\/v2\/tags?post=567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}