How to enable TLS version 1.3 for both WCF service and WCF client application

Nam Hoai Nguyen 1 Reputation point
2022-08-02T10:52:55.677+00:00

Hi,

My WCF client and WCF service use .NET Framework 4.8. They work with TLS version 1.2.

I would like to enable TLS version 1.3 for both the WCF client and the WCF service, but I cannot.
I tried this in the WCF service app.config:

    <bindings>
      <customBinding>
        <binding name="SecureBinding">
          <!--security binding is required for certificate authentication to occur-->
          <security authenticationMode="SecureConversation">
            <secureConversationBootstrap authenticationMode="SspiNegotiated"/>
          </security>
          <sslStreamSecurity sslProtocols="Tls13"/>
          <binaryMessageEncoding/>
          <tcpTransport/>
        </binding>
      </customBinding>
    </bindings>

And get this error:

System.Configuration.ConfigurationErrorsException: Unrecognized attribute 'sslProtocols'. Note that attribute names are case-sensitive. (test.dll.config line 37)
at System.Configuration.BaseConfigurationRecord.EvaluateOne(String[] keys, SectionInput input, Boolean isTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult)
at System.Configuration.BaseConfigurationRecord.Evaluate(FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult, Boolean getLkg, Boolean getRuntimeObject, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
at System.Configuration.ConfigurationManager.GetSection(String sectionName)
at System.ServiceModel.Activation.AspNetEnvironment.UnsafeGetSectionFromConfigurationManager(String sectionPath)
at System.ServiceModel.Configuration.ConfigurationHelpers.UnsafeGetAssociatedSection(ContextInformation evalContext, String sectionPath)
at System.ServiceModel.ServiceHostBase.ApplyConfiguration()
at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)
at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
at Microsoft.Tools.SvcHost.ServiceHostHelper.CreateServiceHost(Type type, ServiceKind kind)
at Microsoft.Tools.SvcHost.ServiceHostHelper.OpenService(ServiceInfo info)

Please advise.

Thanks.

Best Regards,


3 answers

  1. Jiayao Wu-MSFT 186 Reputation points Microsoft Vendor
    2022-08-03T06:01:38.437+00:00

    Hi @Nam Hoai Nguyen ,

    As far as I know, Windows does not fully support TLS 1.3 yet. Some versions are supported, but you'll need to upgrade your Windows to the available version if you want to try it out.

    If you need some documentation help, refer to Transport Layer Security (TLS) best practices with the .NET Framework or TLS 1.3 & OpenSSL 1.1.1 on Linux.

    Best Regards,
    Jiayao Wu


  2. Nam Hoai Nguyen 1 Reputation point
    2022-08-03T06:31:32.667+00:00

    Hi JiayaoWu-MSFT,

    Thank you for your help.

    I found this link https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- . It seems Windows Server 2022 and Windows 11.

    I will try with Windows 11.

    Thanks.

    Best Regards,


  3. Nam Hoai Nguyen 1 Reputation point
    2022-08-04T10:56:24.91+00:00

    Hi @Jiayao Wu-MSFT ,

    I did not test on Windows 11, but I tested on Windows Server 2022 Standard Evaluation.

    The WCF service can start with this Tls13 config:

        <bindings>
          <customBinding>
            <binding name="SecureBinding" openTimeout="00:10:00"
                     closeTimeout="00:10:00"
                     sendTimeout="00:10:00"
                     receiveTimeout="00:20:00" maxReceivedMessageSize="10000000"
                     maxBufferSize="10000000"
                     maxBufferPoolSize="10000000">
              <security authenticationMode="SecureConversation">
                <secureConversationBootstrap authenticationMode="SspiNegotiated"/>
              </security>
              <sslStreamSecurity sslProtocols="Tls13"/>
              <binaryMessageEncoding/>
              <tcpTransport/>
            </binding>
          </customBinding>
        </bindings>

    When I run the WCF client to connect to this WCF service:

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;  
        var client = new WcfServiceClient();  
        client.Open();  
    

    I get this error:

    Exception thrown: 'System.ServiceModel.CommunicationException' in mscorlib.dll
    An unhandled exception of type 'System.ServiceModel.CommunicationException' occurred in mscorlib.dll
    The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:59.8759839'.

    They still work with Tls12.

    Please advise.

    Thanks.

    Best Regards,
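
The answers in this thread turn on whether the operating system's Schannel offers TLS 1.3. The following PowerShell check is an added example, not part of the original thread: it reports the OS build, the installed .NET Framework release and any Schannel registry override for TLS 1.3 on the machine where it runs. The function names, the build threshold 20348 and the release key 528040 are this example's assumptions, explained in the comments.

```powershell
# Added example (not from the thread). Read-only; run it on the client and on the service host.
# Assumptions: build 20348 = Windows Server 2022 (Windows 11 starts at 22000);
# Release >= 528040 = .NET Framework 4.8, the first release with SslProtocols.Tls13.
$MinTls13Build = 20348
$MinNetFx48Release = 528040
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelOverride {
    param([Parameter(Mandatory)][string]$Protocol,
          [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $path = Join-Path (Join-Path $SchannelRoot $Protocol) $Role
    $values = @{ Enabled = $null; DisabledByDefault = $null }
    if (Test-Path -LiteralPath $path) {
        $key = Get-ItemProperty -LiteralPath $path
        foreach ($name in @($values.Keys)) {
            # An absent value means "use the OS default" and stays $null.
            if ($key.PSObject.Properties[$name]) { $values[$name] = [long]$key.$name }
        }
    }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $values.Enabled
        DisabledByDefault = $values.DisabledByDefault
        # Enabled = 0 switches the protocol off even when an application asks for it.
        ForcedOff         = ($values.Enabled -eq 0)
    }
}

function Get-Tls13Readiness {
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $ndp = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $overrides = foreach ($role in 'Client', 'Server') { Get-SchannelOverride -Protocol 'TLS 1.3' -Role $role }
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        OsBuild              = $build
        OsBuildSupportsTls13 = $build -ge $MinTls13Build
        NetFxRelease         = $ndp.Release
        NetFxHasTls13        = $ndp.Release -ge $MinNetFx48Release
        ClientForcedOff      = ($overrides | Where-Object Role -eq 'Client').ForcedOff
        ServerForcedOff      = ($overrides | Where-Object Role -eq 'Server').ForcedOff
    }
}

Get-Tls13Readiness | Format-List
```

The prerequisites are met on a machine when `OsBuildSupportsTls13` and `NetFxHasTls13` are `True` and neither `ForcedOff` flag is set. A `DisabledByDefault` value of 1 only affects applications that leave the protocol choice to the OS, not a binding that names `Tls13` explicitly.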
