Mitigation: TLS Protocols
Starting with .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are allowed to use only one of the following three protocols: TLS 1.0, TLS 1.1, or TLS 1.2. The SSL 3.0 protocol and the RC4 cipher are no longer supported.
Impact
This change affects:
Any app that uses SSL to talk to an HTTPS server or a socket server using any of the following types: HttpClient, HttpWebRequest, FtpWebRequest, SmtpClient, and SslStream.
Any server-side app that cannot be upgraded to support TLS 1.0, TLS 1.1, or TLS 1.2.
Mitigation
The recommended mitigation is to upgrade the server-side app to TLS 1.0, TLS 1.1, or TLS 1.2. If this is not feasible, or if client apps are broken, the AppContext class can be used to opt out of this feature in either of two ways:
Programmatically, by using a code snippet like the following:
// C#
const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
AppContext.SetSwitch(DisableCachingName, true);
AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);

' Visual Basic
Const DisableCachingName As String = "TestSwitch.LocalAppContext.DisableCaching"
Const DontEnableSchUseStrongCryptoName As String = "Switch.System.Net.DontEnableSchUseStrongCrypto"
AppContext.SetSwitch(DisableCachingName, True)
AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, True)
Because the ServicePointManager object is initialized only once, defining these compatibility settings must be the first thing the application does.
By adding the following line to the <runtime> section of your app.config file:
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>
Note, however, that opting out of the default behavior is not recommended, since it makes the application less secure.
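As an added check, not code from the original page, the following C# console program audits whether the opt-out switch above is in effect in the running process (however it was set, in code or in app.config) and then confirms what an SslStream client actually negotiates against a server. The host name and port are assumptions; replace them with the server under test.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Hypothetical target; substitute the server whose TLS support is being verified.
    const string Host = "server.example.test";
    const int Port = 443;
    const string StrongCryptoOptOut = "Switch.System.Net.DontEnableSchUseStrongCrypto";

    static void Main()
    {
        // 1. Audit: has this process opted out of the .NET 4.6 strong-crypto default?
        bool optedOut;
        if (AppContext.TryGetSwitch(StrongCryptoOptOut, out optedOut) && optedOut)
            Console.WriteLine("WARNING: {0} is set; SSL 3.0 and RC4 may be negotiated.", StrongCryptoOptOut);
        else
            Console.WriteLine("Strong-crypto default in effect (SSL 3.0 and RC4 disabled).");

        // 2. Verify: which protocol and cipher does the server actually agree to?
        using (var tcp = new TcpClient(Host, Port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            // Offer only the protocols the .NET 4.6 default allows; SSL 3.0 is never offered.
            ssl.AuthenticateAsClient(Host, null,
                SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, true);

            Console.WriteLine("Negotiated protocol: {0}", ssl.SslProtocol);
            Console.WriteLine("Negotiated cipher:   {0} ({1}-bit)", ssl.CipherAlgorithm, ssl.CipherStrength);

            // A TLS 1.0 handshake can still land on RC4 if the opt-out is in effect.
            if (ssl.SslProtocol == SslProtocols.Ssl3 || ssl.CipherAlgorithm == CipherAlgorithmType.Rc4)
                Console.WriteLine("FAIL: weak protocol or cipher negotiated; upgrade the server instead of opting out.");
        }
    }
}
```

Run it once with the default settings and once with the opt-out applied to see the difference in what the server is offered and what it selects.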