问题描述

与支持 TLS 1.2 的服务器通信的默认安全协议是什么？默认情况下将 .NET 选择服务器端支持的最高安全协议，还是我必须明确添加以下代码行：

  System.Net.ServicePointManager.SecurityProtocol = 
 SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 
  

除了代码更改外，还有其他方法可以更改此默认设置吗？

最后， .NET 4.0 是否最多仅支持 TLS 1.0 ？即我必须将客户端项目升级到4.5，以支持 TLS 1.2 。

我的动机是取消对 SSLv3 （我已经有一个powershell脚本在计算机注册表中禁用它）并支持服务器支持的最高TLS协议。 / p>

更新：
查看<$ c $中的 ServicePointManager 类c> .NET 4.0 我没有看到 TLS 1.0 和 1.1 的枚举值。在两个 .NET 4.0 / 4.5 中，默认值为 SecurityProtocolType.Tls | SecurityProtocolType.Ssl3 。希望此默认设置不会通过在注册表中禁用 SSLv3 来打破。

但是，我已经确定将所有应用程序升级到 .NET 4.5 并显式添加 SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 还是所有应用程序的所有引导代码。

这将向各种api和服务发出出站请求，而不会降级为 SSLv3 ，并应选择最高级别的 TLS 。

这种方法听起来合理还是过度？我有许多应用程序需要更新，我想对它们进行将来的验证，因为我听说 TLS 1.0 在不久的将来可能会被某些提供商弃用。

作为客户端向API发出出站请求，在注册表中禁用SSL3甚至对.NET框架也有影响吗？我看到默认情况下未启用TLS 1.1和1.2，我们是否必须通过注册表启用它？ RE 。

经过一番调查，我认为注册表设置没有影响，因为它们适用于IIS（服务器子项）和浏览器（客户端子项）。

对不起，这篇文章变成了多个问题，后面跟着也许的答案。

一些发表评论的人指出，将 System.Net.ServicePointManager.SecurityProtocol 设置为特定值意味着您的应用程序将无法利用将来的TLS将来可能会在.NET更新中成为默认值的版本。您不必指定固定的协议列表，而可以打开或关闭您知道和关心的协议，而不必保留其他任何协议。

要打开TLS 1.1和1.2，而不会影响其他协议：

  System.Net.ServicePointManager.SecurityProtocol | = 
 SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; 
  

请注意使用 | = 来转向

在不影响其他协议的情况下关闭SSL3：

  System.Net.ServicePointManager.SecurityProtocol& =〜SecurityProtocolType.Ssl3; 
  

What is the default security protocol for communicating with servers that support up to TLS 1.2? Will .NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code:

System.Net.ServicePointManager.SecurityProtocol = 
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Is there a way to change this default, besides a code change?

Lastly, does .NET 4.0 only support up to TLS 1.0? i.e. I have to upgrade client projects to 4.5 to support TLS 1.2.

My motivation is to remove support for SSLv3 on the client side even if server supports it (I already have a powershell script to disable this in the machine registry) and to support the highest TLS protocol that the server supports.

Update:Looking at the ServicePointManager class in .NET 4.0 I see no enumerated values for TLS 1.0 and 1.1. In both .NET 4.0/4.5, the default is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3. Hopefully this default won't break by disabling SSLv3 in the registry.

However, I've decided I have to upgrade all apps to .NET 4.5 and to explicitly add SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; anyway to all bootstrapping code of all applications.

This will make outbound requests to various apis and services to not downgrade to SSLv3 and should select the highest level of TLS.

Does this approach sound reasonable or overkill? I have many applications to update, and I want to future proof them since I hear even TLS 1.0 may be deprecated in the near future by some providers.

As a client making outbound requests to APIs, does disabling SSL3 in the registry even have an effect in the .NET framework? I see by default, TLS 1.1 and 1.2 are not enabled, do we have to enable it via the registry? RE http://support.microsoft.com/kb/245030.

After a bit of investigation, I believe the registry settings will have no affect since they apply to IIS (server subkey) and browsers (client subkey).

Sorry this post turned into multiple questions, followed up with "maybe" answers.

Some of the those leaving comments have noted that setting System.Net.ServicePointManager.SecurityProtocol to specific values means that your app won't be able to take advantage of future TLS versions that may become the default values in future updates to .NET. Instead of specifying a fixed list of protocols, you can instead turn on or off protocols you know and care about, leaving any others as they are.

To turn on TLS 1.1 and 1.2 without affecting other protocols:

System.Net.ServicePointManager.SecurityProtocol |= 
    SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Notice the use of |= to turn on these flags without turning others off.

To turn off SSL3 without affecting other protocols:

System.Net.ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;

这篇关于.NET 4.5中的默认SecurityProtocol的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！