Disable RC2 RC4 And SSL 2.0
https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
```
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
```
Example cipher suites per protocol (KEA = key exchange algorithm, SYM = symmetric cipher, HSH = hash; sizes in bits):

| Protocol | KEA     | SYM (bits) | HSH (bits) | CipherSuite                  |
|----------|---------|------------|------------|------------------------------|
| TLS1.0   | RSAKeyX | AES (128)  | SHA1 (160) | TLS_RSA_WITH_AES_128_CBC_SHA |
| SSL3.0   | RSAKeyX | RC4 (128)  | SHA1 (160) | SSL_RSA_WITH_RC4_128_SHA     |
| SSL2.0   | RSAKeyX | RC4 (128)  | MD5 (128)  | SSL_CK_RC4_128_WITH_MD5      |
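The .reg files above only name the keys; as an added example (not the page's own code), the PowerShell below creates the SSL 2.0 and RC2/RC4 keys from those lists with `Enabled` set to 0 and then audits the result. The value names `Enabled` and `DisabledByDefault` are the ones documented in the KB245030 article linked at the top; the script assumes an elevated session.

```powershell
# Added example (not the page's own code): disable SSL 2.0 and the RC2/RC4
# ciphers through the Schannel keys listed above, then audit the result.
# Value names Enabled and DisabledByDefault are the ones documented in the
# linked KB245030 article. Run elevated; Schannel reads these at boot.
$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Hklm     = [Microsoft.Win32.Registry]::LocalMachine
$DWord    = [Microsoft.Win32.RegistryValueKind]::DWord

# Caveat: the PowerShell registry provider treats the '/' in a name such as
# 'RC4 128/128' as a path separator, so New-Item would create a nested
# 'RC4 128\128' key that Schannel ignores. The .NET registry API splits
# only on '\', so it is used for every key here.
function Disable-SchannelEntry {
    param([string]$SubKey)   # path relative to the SCHANNEL key
    $key = $Hklm.CreateSubKey("$Schannel\$SubKey")   # creates, or opens writable
    $key.SetValue('Enabled', 0, $DWord)
    if ($SubKey -like 'Protocols\*') {
        # Protocol keys also honour DisabledByDefault=1, which keeps the
        # protocol out of the default set even if Enabled is later changed.
        $key.SetValue('DisabledByDefault', 1, $DWord)
    }
    $key.Close()
}

function Get-SchannelEnabled {
    param([string]$SubKey)
    $key = $Hklm.OpenSubKey("$Schannel\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: Schannel default applies
    $v = $key.GetValue('Enabled'); $key.Close(); return $v
}

$Targets = @('Protocols\SSL 2.0\Client', 'Protocols\SSL 2.0\Server') +
    (@('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
       'RC2 128/128', 'RC2 56/128', 'RC2 40/128') | ForEach-Object { "Ciphers\$_" })

foreach ($t in $Targets) { Disable-SchannelEntry -SubKey $t }

# Audit: report anything that is not explicitly Enabled=0 (including keys
# that still do not exist, which would mean the write silently failed).
$Remaining = $Targets | Where-Object { (Get-SchannelEnabled -SubKey $_) -ne 0 }
if ($Remaining) { "Still enabled or unset:`n" + ($Remaining -join "`n") }
else            { 'SSL 2.0 and all listed RC2/RC4 ciphers are disabled.' }
```

The same `Disable-SchannelEntry` call works for the SSL 3.0 client and server keys from the first .reg file if those are to be disabled as well.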
TLS 1.2 and Microsoft.Net
When web sites are served via the TLS 1.2 protocol, the client apps that
consume them need to support TLS 1.2. .Net runs on top of the operating
system, which is mostly Windows. If the host Windows supports TLS 1.2,
.Net can also support TLS 1.2, because it relies on schannel.dll.
TLS 1.2 and .Net Framework 4.5
.Net is also versioned. Versions below 4.5 don't know how to
communicate via TLS 1.2. In .Net 4.5, TLS 1.2 is enabled
by default.
Simply compile our applications against .Net 4.5 and we get TLS 1.2
communication for our applications.
How to make .Net 4.0 app talk using TLS 1.2
Technically speaking, we could just recompile the existing older application
against .Net 4.5 to get TLS 1.2 support. It sounds simple, as everybody expects
that there are no breaking changes in .Net 4.5 and that our application will
function as is. But if we are serious about delivering quality software,
we also need to test the entire app on 4.5 before shipping, which really adds
cost.
Let's see if there are any ways for .Net 4.0 apps to use TLS 1.2.
System.dll overwrite
.Net 4.5 is installed as an in-place upgrade of 4.0. In other words, the
System.dll used by 4.0 apps is overwritten with the 4.5 version of System.dll.
So it is possible for .Net 4.0 apps to execute 4.5 code when they call
functions in System.dll. This means that if .Net 4.5 is installed on the
machine where our .Net 4.0 app is running, the app can take advantage of
TLS 1.2. All the solutions below depend on this fact.
1. Code change in 4.0 to use TLS 1.2
Now it is a matter of changing the default protocol used by 4.0 to TLS
1.2. This can be done by forcibly setting the protocol as below.
```csharp
using System.IO;
using System.Net;

// .Net 4.0: SecurityProtocolType has no Tls12 member, so use its numeric
// value (3072) and cast. The cast works at runtime because the 4.5 System.dll
// is the one actually loaded. Equivalent to SecurityProtocolType.Tls12 on 4.5.
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

// .Net 4.5 and later: the enum members exist, so the protocols can be named.
// Offering TLS 1.2, 1.1 and 1.0 is comparable to modern browsers.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
    | SecurityProtocolType.Tls11
    | SecurityProtocolType.Tls;

// Check what the process now negotiates against a test endpoint.
var request = WebRequest.Create("https://www.howsmyssl.com/a/check");
var response = request.GetResponse();
var body = new StreamReader(response.GetResponseStream()).ReadToEnd();
```
If we look at the SecurityProtocolType enum in .Net 4.0, we will not see Tls12, but in 4.5 we can. So .Net 4.0 code will not compile if we use the Tls12 enum value. But if we use the enum's numeric value (3072), it compiles, and at runtime, since .Net 4.0's System.dll has been replaced by the 4.5 version, the cast works.
Please note that this will fail if we run the same app on a machine that does not have 4.5 installed. Recommended only for servers, where it is easy to manage the .Net version.
2. Registry change to force .Net 4.0 to use TLS 1.2
If we inspect the .Net 4.5 ServicePointManager source code, we can see that the default protocol depends on the registry entry below.
```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
SchUseStrongCrypto (DWORD) = 1
```
The default value is 0. Simply change this to 1 to make the .Net 4.5
System.dll use TLS 1.2. Since our 4.0 application uses the 4.5 System.dll,
4.0 gets TLS 1.2 support.
http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5
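As an added example (not the page's own code), the PowerShell below shows the weak state and the corrected state of the SchUseStrongCrypto value side by side. One assumption not stated on the page: on 64-bit Windows a 32-bit .Net process reads the Wow6432Node copy of this key, so the script sets both.

```powershell
# Added example (not the page's own code): turn on SchUseStrongCrypto so the
# .Net 4.5 System.dll that 4.0 apps now load defaults to TLS 1.2, then read
# the value back. Assumption not stated on the page: on 64-bit Windows a
# 32-bit .Net process reads the Wow6432Node copy of this key, so both are set.
$Paths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}

function Get-StrongCryptoState {
    foreach ($p in $Paths) {
        # A missing value behaves like 0, the default described on the page.
        $v = (Get-ItemProperty -Path $p -Name SchUseStrongCrypto `
                -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Path = $p; SchUseStrongCrypto = $v; StrongCrypto = ($v -eq 1) }
    }
}

function Enable-StrongCrypto {
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name SchUseStrongCrypto -Value 1 -Type DWord
    }
}

'Before:'; Get-StrongCryptoState | Format-Table -AutoSize
Enable-StrongCrypto
'After:';  Get-StrongCryptoState | Format-Table -AutoSize
# ServicePointManager reads the value when the application starts, so restart
# the application (or recycle the IIS application pool) for it to take effect.
```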
References
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Client_.28Browser.29_Configuration
https://www.simple-talk.com/dotnet/.net-framework/tlsssl-and-.net-framework-4.0/
https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx
https://istlsfastyet.com/
http://blogs.msdn.com/b/benjaminperkins/archive/2014/11/04/using-tls-1-2-with-wcf.aspx
http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx
http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html
TLS Cipher Suites in Windows 7
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767780%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 8
https://msdn.microsoft.com/en-us/library/windows/desktop/mt762882%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 8.1
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767781%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 10 v1507
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767769%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 10 v1511
https://msdn.microsoft.com/en-us/library/windows/desktop/mt767768%28v=vs.85%29.aspx
TLS Cipher Suites in Windows 10 v1567
https://msdn.microsoft.com/en-us/library/windows/desktop/mt490158%28v=vs.85%29.aspx
Tools
for .net framework 4.5