SSL and Outdated TLS(1.0 and 1.1) for Web Service client application on .Net 3.5

c# .net ssl pci-compliance tls1.2

12,806

Solution 1

Any communication channel that currently uses SSL/early TLS or that is willing to accept them on negotiation and that is part of the cardholder data environment as a security control needs to be changed such that it will only use TLS 1.1 (with an approved cipher suite) or above.

You need to recompile under .Net 4.5 or greater (TLS 1.2 is not enabled by default so code changes are needed) or use a 3rd party library that supports the required protocols.

Note that if you know your system is using SSL/early TLS you must created a risk mitigation plan/document.

INFORMATION SUPPLEMENT Migrating from SSL and Early TLS

Solution 2

Actually, you can use TLS 1.2 in Frameworks lower than 4.5 (at least I managed it in .NET Framework 4 client). Instead of using the classic command in order to set the Protocol as Tls12, you can bypass it by using the id for this protocol.

  ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

Solution 3

Microsoft have done the unthinkable and published patches for this

KB3154518 - Reliability Rollup HR-1605 - NDP 2.0 SP2 - Win7 SP1/Win 2008 R2 SP1
KB3154519 - Reliability Rollup HR-1605 - NDP 2.0 SP2 - Win8 RTM/Win 2012 RTM
KB3154520 - Reliability Rollup HR-1605 - NDP 2.0 SP2 - Win8.1RTM/Win 2012 R2 RTM
KB3156421 - 1605 HotFix Rollup through Windows Update for Windows 10.

12,806

Nirlep

Updated on September 23, 2022

Comments

Nirlep over 1 year

As per PCI, we need to stop using SSL and TLS(1.0 and 1.1 in certain implementation) from June 30th 2016 as per http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html

We have an client application build on .Net 3.5 which uses HttpWebRequest object to connect to web services.

As per MSDN SecurityProtocolType(https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx) supports only Ssl3 and Tls(1.0) on .Net Framework 4 or below. Tls11 and Tls12 are only supported in .Net Framework 4.5/4.6

Does that mean to be inside Cardholder data environment and fully pci compliant, we need to upgrade all applications to .Net 4.5/4.6 and allow only Tls12 SecurityProtocolType to connect to external web services using HttpWebRequest?
Nirlep almost 9 years

Is there any possibility for Microsoft to release a patch for .Net 2.0 and above to support TLS 1.2 for security? The reason is that most companies will not have resources planned to recompile all applications within cardholder data environment to .Net 4.5 by June 30th 2016.
Alex K. almost 9 years

Personally I hugely doubt it, their solution was to implement TLS 1.1+ in .Net 4.5.
Brian almost 7 years

This only works if the server has Framework 4.5 installed.
Brian almost 7 years

Recompiling with .Net 4.6 as a target does not require code changes, as .Net 4.6 enables TLS 1.2 by default. A recompile can be avoided entirely for most applications targeting .Net 3.5 or higher by modifying the registry (see instructions on technet.microsoft.com/en-us/library/security/… ). This changes default behavior. Applications which specify security protocol explicitly will still require a code change.
tzes almost 7 years

@Brian I had no problem running it on .NET Framework 4 client
Brian almost 7 years

It's possible that some of the hot-fixes included with Windows Update added support even without Framework 4.5 installed. Or Windows Update installed Framework 4.5 without you noticing.
Logar314159 over 6 years

this is the only change I have made, set SecurityProtocol = TLS11 then can connect and get response from the WebServices (Test enviroment). is this enough?