问题:
What is the default security protocol for communicating with servers that support up to TLS 1.2 ?与最高支持TLS 1.2服务器通信的默认安全协议是什么? Will .NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code:默认情况下, .NET会选择服务器端支持的最高安全协议还是我必须明确添加这行代码:
System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
Is there a way to change this default, besides a code change?除了代码更改之外,有没有办法更改此默认值?
Lastly, does .NET 4.0 only support up to TLS 1.0 ?最后, .NET 4.0仅支持TLS 1.0吗? ie I have to upgrade client projects to 4.5 to support TLS 1.2 .即我必须将客户端项目升级到 4.5 以支持TLS 1.2 。
My motivation is to remove support for SSLv3 on the client side even if server supports it (I already have a powershell script to disable this in the machine registry) and to support the highest TLS protocol that the server supports.我的动机是在客户端删除对SSLv3支持,即使服务器支持它(我已经有一个 powershell 脚本在机器注册表中禁用它)并支持服务器支持的最高 TLS 协议。
Update: Looking at the ServicePointManager class in .NET 4.0 I see no enumerated values for TLS 1.0 and 1.1 .更新:查看.NET 4.0中的ServicePointManager类,我看不到TLS 1.0和1.1枚举值。 In both .NET 4.0/4.5 , the default is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3 .在.NET 4.0/4.5 ,默认值为SecurityProtocolType.Tls|SecurityProtocolType.Ssl3 。 Hopefully this default won't break by disabling SSLv3 in the registry.希望在注册表中禁用SSLv3不会破坏此默认设置。
However, I've decided I have to upgrade all apps to .NET 4.5 and to explicitly add SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;但是,我决定必须将所有应用程序升级到.NET 4.5并明确添加SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; anyway to all bootstrapping code of all applications.无论如何,所有应用程序的所有引导代码。
This will make outbound requests to various apis and services to not downgrade to SSLv3 and should select the highest level of TLS .这将使对各种 apis 和服务的出站请求不降级到SSLv3并应选择最高级别的TLS 。
Does this approach sound reasonable or overkill?这种方法听起来合理还是矫枉过正? I have many applications to update, and I want to future proof them since I hear even TLS 1.0 may be deprecated in the near future by some providers.我有许多应用程序需要更新,我想在未来证明它们,因为我听说在不久的将来某些提供商可能会弃用TLS 1.0 。
As a client making outbound requests to APIs, does disabling SSL3 in the registry even have an effect in the .NET framework?作为向 API 发出出站请求的客户端,在注册表中禁用 SSL3 是否对 .NET 框架也有影响? I see by default, TLS 1.1 and 1.2 are not enabled, do we have to enable it via the registry?我看到默认情况下,TLS 1.1 和 1.2 未启用,我们是否必须通过注册表启用它? RE http://support.microsoft.com/kb/245030 . RE http://support.microsoft.com/kb/245030 。
After a bit of investigation, I believe the registry settings will have no affect since they apply to IIS (server subkey) and browsers (client subkey).经过一番调查,我相信注册表设置不会有任何影响,因为它们适用于 IIS(服务器子项)和浏览器(客户端子项)。
Sorry this post turned into multiple questions, followed up with "maybe" answers.抱歉,这篇文章变成了多个问题,接着是“可能”的答案。
解决方案:
参考一: https://stackoom.com/question/1ugVC参考二: Default SecurityProtocol in .NET 4.5