問題:
What is the default security protocol for communicating with servers that support up to TLS 1.2 ?與最高支持TLS 1.2服務器通信的默認安全協議是什麼? Will .NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code:默認情況下, .NET會選擇服務器端支持的最高安全協議還是我必須明確添加這行代碼:
System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Is there a way to change this default, besides a code change?除了代碼更改之外,有沒有辦法更改此默認值?
Lastly, does .NET 4.0 only support up to TLS 1.0 ?最後, .NET 4.0僅支持TLS 1.0嗎? ie I have to upgrade client projects to 4.5 to support TLS 1.2 .即我必須將客戶端項目升級到 4.5 以支持TLS 1.2 。
My motivation is to remove support for SSLv3 on the client side even if server supports it (I already have a powershell script to disable this in the machine registry) and to support the highest TLS protocol that the server supports.我的動機是在客戶端刪除對SSLv3支持,即使服務器支持它(我已經有一個 powershell 腳本在機器註冊表中禁用它)並支持服務器支持的最高 TLS 協議。
Update: Looking at the ServicePointManager class in .NET 4.0 I see no enumerated values for TLS 1.0 and 1.1 .更新:查看.NET 4.0中的ServicePointManager類,我看不到TLS 1.0和1.1枚舉值。 In both .NET 4.0/4.5 , the default is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3 .在.NET 4.0/4.5 ,默認值爲SecurityProtocolType.Tls|SecurityProtocolType.Ssl3 。 Hopefully this default won't break by disabling SSLv3 in the registry.希望在註冊表中禁用SSLv3不會破壞此默認設置。
However, I've decided I have to upgrade all apps to .NET 4.5 and to explicitly add SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;但是,我決定必須將所有應用程序升級到.NET 4.5並明確添加SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; anyway to all bootstrapping code of all applications.無論如何,所有應用程序的所有引導代碼。
This will make outbound requests to various apis and services to not downgrade to SSLv3 and should select the highest level of TLS .這將使對各種 apis 和服務的出站請求不降級到SSLv3並應選擇最高級別的TLS 。
Does this approach sound reasonable or overkill?這種方法聽起來合理還是矯枉過正? I have many applications to update, and I want to future proof them since I hear even TLS 1.0 may be deprecated in the near future by some providers.我有許多應用程序需要更新,我想在未來證明它們,因爲我聽說在不久的將來某些提供商可能會棄用TLS 1.0 。
As a client making outbound requests to APIs, does disabling SSL3 in the registry even have an effect in the .NET framework?作爲向 API 發出出站請求的客戶端,在註冊表中禁用 SSL3 是否對 .NET 框架也有影響? I see by default, TLS 1.1 and 1.2 are not enabled, do we have to enable it via the registry?我看到默認情況下,TLS 1.1 和 1.2 未啓用,我們是否必須通過註冊表啓用它? RE http://support.microsoft.com/kb/245030 . RE http://support.microsoft.com/kb/245030 。
After a bit of investigation, I believe the registry settings will have no affect since they apply to IIS (server subkey) and browsers (client subkey).經過一番調查,我相信註冊表設置不會有任何影響,因爲它們適用於 IIS(服務器子項)和瀏覽器(客戶端子項)。
Sorry this post turned into multiple questions, followed up with "maybe" answers.抱歉,這篇文章變成了多個問題,接着是“可能”的答案。
解決方案:
參考一: https://stackoom.com/question/1ugVC參考二: Default SecurityProtocol in .NET 4.5