2,783 questions
SslStream TLSv1.2 client instance in MMC snap-in without modifying Windows config: can it be done?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 99%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW6%3C/text%3E%3C/svg%3E)
WalterGoodwin-6869
1
Reputation point
We have a legacy MMC snap-in developed with the MMC Class Library. The snap-in assembly targets .NET Framework 4.7.
We have a requirement to create TLSv1.2-enabled SSL client connections from the snap-in. Using a freshly installed Windows 10.0.19042 (the current Hyper-V "quick create" Win10 dev image), the max TLS level of connections created by the snap-in is TLSv1.0. OTOH, a console or windows program assembly targeting .NETv4.7 running on the same machine (but not hosted by MMC) creates TLSv1.2 client requests perfectly.
We discovered two unsatisfactory ways to modify Windows which allow the snap-in to create TLSv1.2 connections:
- By modifying the registry.
- By modifying MMC's application configuration file (
mmc.exe.config), merging the following fragment:<runtime> <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.UseLegacyAccessibilityFeatures=false;Switch.UseLegacyAccessibilityFeatures.2=false;Switch.UseLegacyAccessibilityFeatures.3=false"/> </runtime>(what's the deal with the MD previewer, I hope the post looks better!)
Since both options may induce unforeseen side effects in other programs, they are not generally viable. Why doesn't this "just work", especially given that we have followed all the known "best practices"?:
-
SslStreamconnection initiation methods do not specify theSslProtocolsparameter. - The snap-in assembly targets .NET 4.7 as per documented guidance.
Useful code modifications have eluded us as well, such as explicitly specifying SslProtocols.Tls12 (this fails with ArgumentException).
This seems like a bug with the way mmc.exe is hosting the CLR.
Is there really no way to do this programmatically and in-proc? Must we force users to perform Windows hacks? If so can we at least assure them that the SChannel client always negotiates down from TLSv1.2 to TLSv1.0 in the legacy cases, so their other programs are "probably OK"?
Windows development | Windows API - Win32
Developer technologies | .NET | .NET Runtime
1,270 questions
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-03-26T01:33:50.397+00:00 This question is not related with network, I will remove network related tag. Thank you!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 28.999999999999996%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXZ%3C/text%3E%3C/svg%3E)
Xingyu Zhao-MSFT 5,381 Reputation points2021-03-26T08:08:26.21+00:00 Hi @WalterGoodwin-6869 ,
Not sure if you need to specify CLR 4.0 for it.
Besides, you can consider posting your question here for more help.
Sign in to comment
Sign in to answer