Update .NET Applications to support TLS 1.2

The following article was adapted from Microsoft documentation and addresses how to enforce the TLS 1.2 protocol in .NET applications. See the original Microsoft article for more details:

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls


The Transport Layer Security (TLS) protocol is an industry standard designed to help protect the privacy of information communicated over the Internet. TLS 1.2 is the newest released standard and provides security improvements over previous versions.

This article presents recommendations to secure .NET Framework applications that use the TLS protocol.

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports.


We recommend that you:

  • Target .NET Framework 4.7 or later versions on your apps. 
  • Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.
  • Perform a thorough code audit to verify you're not specifying a TLS or SSL version.

When your app lets the OS choose the TLS version:

  • It automatically takes advantage of new protocols added in the future.
  • The OS blocks protocols that are discovered not to be secure.

Support for TLS 1.2

For your app to negotiate TLS 1.2, the OS and the .NET Framework version both need to support TLS 1.2.

Operating system requirements to support TLS 1.2

To enable or re-enable TLS 1.2 and/or TLS 1.1 on a system that supports them, see Transport Layer Security (TLS) registry settings.

TLS 1.2 support by operating system:

  • Windows 10, Windows Server 2016: supported, and enabled by default.
  • Windows 8.1, Windows Server 2012 R2: supported, and enabled by default.
  • Windows 8.0, Windows Server 2012: supported, and enabled by default.
  • Windows 7 SP1, Windows Server 2008 R2 SP1: supported, but not enabled by default. See the Transport Layer Security (TLS) registry settings web page for details on how to enable TLS 1.2.
  • Windows Server 2008: support for TLS 1.2 and TLS 1.1 requires an update. See "Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2".
  • Windows Vista: not supported.

For information about which TLS/SSL protocols are enabled by default on each version of Windows, see Protocols in TLS/SSL (Schannel SSP).

Requirements to support TLS 1.2 with .NET Framework 3.5

This table shows the OS update you'll need to support TLS 1.2 with .NET Framework 3.5. We recommend you apply all OS updates.

Set the DontEnableSystemDefaultTlsVersions AppContext switch to false. Whether it is false by default or you set it explicitly, the switch should be false wherever possible.

A value of false for Switch.System.Net.DontEnableSystemDefaultTlsVersions causes your app to allow the operating system to choose the protocol. A value of true causes your app to use protocols picked by the .NET Framework.

If your app targets .NET Framework 4.7 or later versions, this switch defaults to false. That's a secure default that we recommend. If your app runs on .NET Framework 4.7 or later versions, but targets an earlier version, the switch defaults to true. In that case, you should explicitly set it to false.

For .NET Framework 3.5 - 4.5.2

Set the SchUseStrongCrypto and SystemDefaultTlsVersions registry keys to 1. See Configuring security via the Windows Registry. The .NET Framework version 3.5 supports the SchUseStrongCrypto flag only when an explicit TLS value is passed.
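A way to audit those two registry values on a server before and after the change, as an added example that is not part of the original article. It reads both the 64-bit and the 32-bit (Wow6432Node) registry views, because a 32-bit process only sees the latter; the key paths are the ones Microsoft documents for these values, and the class name is my own.

```csharp
// Added example, not from the original article: audits the SchUseStrongCrypto and
// SystemDefaultTlsVersions values for each .NET Framework runtime in both registry
// views. Key paths are the ones Microsoft documents for these values; run it on the
// server itself with .NET Framework 4.0 or later.
using System;
using Microsoft.Win32;

static class TlsRegistryAudit
{
    static readonly string[] RuntimeKeys =
    {
        @"SOFTWARE\Microsoft\.NETFramework\v4.0.30319", // .NET Framework 4.x
        @"SOFTWARE\Microsoft\.NETFramework\v2.0.50727", // .NET Framework 2.0-3.5
    };
    static readonly string[] ValueNames = { "SchUseStrongCrypto", "SystemDefaultTlsVersions" };

    // Returns true only if both values are present and equal to 1 under every runtime
    // key in both views. A 32-bit app reads the Registry32 view (Wow6432Node), so a fix
    // applied only to the 64-bit view leaves such apps on the old behaviour.
    static bool Audit()
    {
        bool allSet = true;
        foreach (RegistryView view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        foreach (string path in RuntimeKeys)
        using (RegistryKey key = hklm.OpenSubKey(path))
        foreach (string name in ValueNames)
        {
            object raw = key == null ? null : key.GetValue(name);
            bool ok = raw is int && (int)raw == 1;   // a REG_DWORD is returned as int
            allSet &= ok;
            Console.WriteLine("{0,-4} [{1}] HKLM\\{2}\\{3} = {4}",
                ok ? "OK" : "FAIL", view, path, name, raw ?? "(missing)");
        }
        return allSet;
    }

    static int Main()
    {
        return Audit() ? 0 : 1;   // non-zero exit code makes it usable from a deployment script
    }
}
```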

For .NET Framework 3.5

The .NET Framework version 3.5 SP1 and earlier versions did not provide support for applications to use Transport Layer Security (TLS) System Default Versions as a cryptographic protocol. The update below enables the use of TLS 1.2 in the .NET Framework 3.5 SP1.

  • Download the x86-based package.
  • Download the x64-based package.

If you must explicitly set a security protocol instead of letting the .NET Framework or the OS pick it, add the SecurityProtocolTypeExtensions and SslProtocolsExtensions enumerations to your code. SecurityProtocolTypeExtensions and SslProtocolsExtensions include values for Tls12, Tls11, and the SystemDefault value. See Support for TLS System Default Versions included in .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2.


SecurityProtocolTypeExtensions.cs
namespace System.Net
{
    using System.Security.Authentication;
    public static class SecurityProtocolTypeExtensions
    {
        public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
        public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
        public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
    }
}
SslProtocolsExtensions.cs
namespace System.Security.Authentication
{
    public static class SslProtocolsExtensions
    {
        public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
        public const SslProtocols Tls11 = (SslProtocols)0x00000300;
    }
}

In your application's startup entry point (for example Global.asax's Application_Start, or an MVC or OWIN Startup class), add the following line to enable TLS 1.2:

Global.asax
protected void Application_Start(Object sender, EventArgs e)
{
    // The following line enables TLS 1.1 (in case other requests need to support TLS 1.1)
    // and also TLS 1.2 for Quik!. Assigning with "=" replaces the default set, so SSL 3.0
    // and TLS 1.0 are no longer offered by this process.
    // SecurityProtocolType.Tls11/Tls12 exist from .NET Framework 4.5; on .NET Framework 3.5
    // use the SecurityProtocolTypeExtensions constants defined above instead.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
}

How to test your TLS update

Follow the instructions on this page for testing your TLS update against the Quik! UAT environment.
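A small checker you can run against the UAT endpoint, as an added example that is not part of the original article or the Quik! SDK. It covers both the switch discussion above (it prints the target framework, which decides the default of Switch.System.Net.DontEnableSystemDefaultTlsVersions, and the effective SecurityProtocol value) and the test step here (it reports which TLS version the process actually negotiates). It assumes .NET Framework 4.5 or later; the host name is a placeholder and the class name is my own.

```csharp
// Added example, not part of the original article or the Quik! SDK: a console checker
// that reports how this process is configured and which TLS version it negotiates.
// Assumes .NET Framework 4.5 or later; host and port are placeholders for the UAT endpoint.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsCheck
{
    // Opens a TLS session to host:port with the single-argument AuthenticateAsClient
    // overload, which on .NET Framework uses the process-wide ServicePointManager.SecurityProtocol
    // setting (and therefore the AppContext switch / registry values described above),
    // and returns the protocol version the handshake settled on.
    static SslProtocols Negotiate(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host);
            Console.WriteLine("Negotiated:   {0}, {1} {2}-bit, key exchange {3}",
                ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength, ssl.KeyExchangeAlgorithm);
            return ssl.SslProtocol;
        }
    }

    static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "uat.example.invalid"; // placeholder host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        // The target framework decides the switch default; SecurityProtocol shows the
        // effective setting (SystemDefault, printed as 0 before .NET 4.7, means the OS chooses).
        Console.WriteLine("Runtime:      {0}", Environment.Version);
        Console.WriteLine("Target:       {0}", AppDomain.CurrentDomain.SetupInformation.TargetFrameworkName ?? "(none)");
        Console.WriteLine("Configured:   {0}", ServicePointManager.SecurityProtocol);
        try
        {
            if (Negotiate(host, port) == SslProtocols.Tls12) return 0;
            Console.WriteLine("WARNING: TLS 1.2 was not negotiated");
            return 1;
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
        {
            // A handshake failure here is what an HttpWebRequest typically surfaces as
            // "The request was aborted: Could not create SSL/TLS secure channel."
            Console.WriteLine("Handshake failed: {0}", ex.Message);
            return 2;
        }
    }
}
```

Run it once before and once after applying the update; the "Negotiated" line should read Tls12 afterwards, and the exit code lets you wire the check into a deployment pipeline.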