Share via


WCF/WS/TLS: Get .Net Framework 4.0 application use TLS1.2 as default protocol

Issue:
By default, .net application built on framework 4.0 will use SSL3.0 or TLS1.0 as default protocol.

Ask:
If we need to force it to use TLS1.2 protocol, review below workarounds.

Workaround 1:
Use below link just before Https call is attempted.
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

Workaround 2:
Migrate the existing application to supported framework 4.6.2. After migrating client app will be default use the TLS1.2 protocol.
However, I observed that it works well for console app but not for ASMX web service migration.

Error:
We might observe below error in S-Channel event logs:
Event Id: 36871
A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

Schannel error state 10013 = Cred_InitEnabledProtocolsFailed
Basically this means that the application requested a protocol that is not enabled (TLS 1.0). This seems to mean that the application can only use TLS 1.0. DOT NET has an out of the box hard set for lower crytpo.

From System.Net Traces
System.Net Information: 0 : [1828] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
DateTime=2017-06-15T20:33:31.4129394Z
System.Net Error: 0 : [1828] AcquireCredentialsHandle() failed with error 0X80090331.

Please review below steps to get web service (any .net app) use TLS 1.2 by default to make outbound calls.
https://blogs.msdn.microsoft.com/tdevere/2014/11/11/ssl-handshake-clienthello-receives-encrypted-alert/
https://technet.microsoft.com/en-us/library/mt791311(v=office.16).aspx

Set the registry key "SchUseStrongCrypto" to 1. Which will force .net application to avoid using SSL3.0 or TLS1.0 and it will always use TLS1.2

I hope this helps!

Thanks
Saurabh Somani