与支持TLS 1.2的服务器通信的默认安全协议是什么?.NET默认情况下会选择服务器端支持的最高安全协议吗?或者我必须显式地添加这行代码:
System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
除了代码更改之外,是否有方法更改此默认值?
最后,.NET 4.0是否只支持TLS 1.0?例如,我必须将客户端项目升级到4.5以支持TLS 1.2。
我的动机是在客户端删除对SSLv3的支持,即使服务器支持它(我已经有一个powershell脚本在机器注册表中禁用它),并支持服务器支持的最高TLS协议。
更新:
查看。net 4.0中的ServicePointManager类,我没有看到TLS 1.0和1.1的枚举值。在这两个。net 4.0/4.5中,默认为SecurityProtocolType.Tls|SecurityProtocolType.Ssl3。希望在注册表中禁用SSLv3不会破坏这个默认值。
然而,我决定将所有应用程序升级到。net 4.5,并显式地添加SecurityProtocolType。Tls |安全协议类型。Tls11 | SecurityProtocolType.Tls12;总之,所有应用程序的引导代码。
这将使对各种api和服务的出站请求不降级到SSLv3,并且应该选择最高级别的TLS。
这种方法听起来合理还是过份?我有很多应用程序要更新,我想在未来证明它们,因为我听说在不久的将来,一些提供商可能会弃用TLS 1.0。
作为一个向api发出出站请求的客户端,在注册表中禁用SSL3会对.NET框架产生影响吗?我看到默认情况下,TLS 1.1和1.2没有启用,我们必须通过注册表启用它吗?是http://support.microsoft.com/kb/245030。
经过一番研究,我相信注册表设置不会有任何影响,因为它们适用于IIS(服务器子密钥)和浏览器(客户端子密钥)。
对不起,这篇文章变成了多个问题,然后是“可能”的答案。
I'm running under .NET 4.5.2, and I wasn't happy with any of these answers. As I'm talking to a system which supports TLS 1.2, and seeing as SSL3, TLS 1.0, and TLS 1.1 are all broken and unsafe for use, I don't want to enable these protocols. Under .NET 4.5.2, the SSL3 and TLS 1.0 protocols are both enabled by default, which I can see in code by inspecting ServicePointManager.SecurityProtocol. Under .NET 4.7, there's the new SystemDefault protocol mode which explicitly hands over selection of the protocol to the OS, where I believe relying on registry or other system configuration settings would be appropriate. That doesn't seem to be supported under .NET 4.5.2 however. In the interests of writing forwards-compatible code, that will keep making the right decisions even when TLS 1.2 is inevitably broken in the future, or when I upgrade to .NET 4.7+ and hand over more responsibility for selecting an appropriate protocol to the OS, I adopted the following code:
SecurityProtocolType securityProtocols = ServicePointManager.SecurityProtocol;
if (securityProtocols.HasFlag(SecurityProtocolType.Ssl3) || securityProtocols.HasFlag(SecurityProtocolType.Tls) || securityProtocols.HasFlag(SecurityProtocolType.Tls11))
{
securityProtocols &= ~(SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11);
if (securityProtocols == 0)
{
securityProtocols |= SecurityProtocolType.Tls12;
}
ServicePointManager.SecurityProtocol = securityProtocols;
}
This code will detect when a known insecure protocol is enabled, and in this case, we'll remove these insecure protocols. If no other explicit protocols remain, we'll then force enable TLS 1.2, as the only known secure protocol supported by .NET at this point in time. This code is forwards compatible, as it will take into consideration new protocol types it doesn't know about being added in the future, and it will also play nice with the new SystemDefault state in .NET 4.7, meaning I won't have to re-visit this code in the future. I'd strongly recommend adopting an approach like this, rather than hard-coding any particular security protocol states unconditionally, otherwise you'll have to recompile and replace your client with a new version in order to upgrade to a new security protocol when TLS 1.2 is inevitably broken, or more likely you'll have to leave the existing insecure protocols turned on for years on your server, making your organisation a target for attacks.
. net 4.0/4.5中默认的System.Net.ServicePointManager.SecurityProtocol是SecurityProtocolType.Tls|SecurityProtocolType.Ssl3。
.NET 4.0支持TLS 1.0, .NET 4.5支持TLS 1.2
然而,如果在相同的环境中安装了。net 4.5,针对. net 4.0的应用程序仍然可以支持TLS 1.2。
我通过观察fiddler4在流量中设置的正确安全协议,并在.NET 4.0项目中手动设置枚举值来验证这一点:
ServicePointManager.SecurityProtocol = (SecurityProtocolType)192 |
(SecurityProtocolType)768 | (SecurityProtocolType)3072;
参考:
namespace System.Net
{
[System.Flags]
public enum SecurityProtocolType
{
Ssl3 = 48,
Tls = 192,
Tls11 = 768,
Tls12 = 3072,
}
}
如果你试图在安装了。net 4.0的环境中进行黑客攻击,你会得到异常:
未处理异常:系统。NotSupportedException:请求的安全协议不支持。
在System.Net.ServicePointManager。set_SecurityProtocol (SecurityProtocolType v
价值)
然而,我不建议这个“黑客”,因为未来的补丁等可能会打破它
因此,我决定移除对SSLv3的支持的最佳途径是:
将所有应用程序升级到。net 4.5
在boostrapping代码中添加以下代码来覆盖默认值并在未来证明它:
System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType。Tls |安全协议类型。Tls11 | SecurityProtocolType.Tls12;
*如果这个黑客是错误的,有人纠正我,但初步测试我看到它工作
微软最近发布了相关的最佳实践。https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
总结
目标。net Framework 4.7,删除任何设置安全协议的代码,这样操作系统将确保您使用最安全的解决方案。
注意:您还需要确保您的操作系统支持并启用TLS的最新版本。
OS TLS 1.2 support
Windows 10 \_ Supported, and enabled by default.
Windows Server 2016 /
Windows 8.1 \_ Supported, and enabled by default.
Windows Server 2012 R2 /
Windows 8.0 \_ Supported, and enabled by default.
Windows Server 2012 /
Windows 7 SP1 \_ Supported, but not enabled by default*.
Windows Server 2008 R2 SP1 /
Windows Server 2008 - Support for TLS 1.2 and TLS 1.1 requires an update. See Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2.
Windows Vista - Not supported.
* To enable TLS1.2 via the registry see https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-12
Path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Property: Enabled
Type: REG_DWORD
Value: 1
Property: DisabledByDefault
Type: REG_DWORD
Value: 0
Path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Property: Enabled
Type: REG_DWORD
Value: 1
Property: DisabledByDefault
Type: REG_DWORD
Value: 0
有关更多信息和旧框架,请参考MS链接。
