Edit

Share via


CA5397: Do not use deprecated SslProtocols values

Property Value
Rule ID CA5397
Title Do not use deprecated SslProtocols values
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

This rule fires when either of the following conditions are met:

Deprecated values are:

  • Ssl2
  • Ssl3
  • Tls
  • Tls10
  • Tls11

Rule description

Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. For guidance on identifying and removing deprecated protocol versions, see Solving the TLS 1.0 Problem, 2nd Edition.

How to fix violations

Don't use deprecated TLS protocol versions.

When to suppress warnings

You can suppress this warning if:

  • The reference to the deprecated protocol version isn't being used to enable a deprecated version.
  • You need to connect to a legacy service that can't be upgraded to use secure TLS configurations.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5397
// The code that's violating the rule is on this line.
#pragma warning restore CA5397

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5397.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Enumeration name violation

using System;
using System.Security.Authentication;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5397 violation for using Tls11
        SslProtocols protocols = SslProtocols.Tls11 | SslProtocols.Tls12;
    }
}
Imports System
Imports System.Security.Authentication

Public Class TestClass
    Public Sub ExampleMethod()
        ' CA5397 violation for using Tls11
        Dim sslProtocols As SslProtocols = SslProtocols.Tls11 Or SslProtocols.Tls12
    End Sub
End Class

Integer value violation

using System;
using System.Security.Authentication;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5397 violation
        SslProtocols sslProtocols = (SslProtocols) 768;    // TLS 1.1
    }
}
Imports System
Imports System.Security.Authentication

Public Class TestClass
    Public Sub ExampleMethod()
        ' CA5397 violation
        Dim sslProtocols As SslProtocols = CType(768, SslProtocols)   ' TLS 1.1
    End Sub
End Class

Solution

using System;
using System.Security.Authentication;

public class TestClass
{
    public void Method()
    {
        // Let the operating system decide what TLS protocol version to use.
        // See https://learn.microsoft.com/dotnet/framework/network-programming/tls
        SslProtocols sslProtocols = SslProtocols.None;
    }
}
Imports System
Imports System.Security.Authentication

Public Class TestClass
    Public Sub ExampleMethod()
        ' Let the operating system decide what TLS protocol version to use.
        ' See https://learn.microsoft.com/dotnet/framework/network-programming/tls
        Dim sslProtocols As SslProtocols = SslProtocols.None
    End Sub
End Class

CA5364: Do not use deprecated security protocols

CA5386: Avoid hardcoding SecurityProtocolType value

CA5398: Avoid hardcoded SslProtocols values