Disabling the weak ciphers on a Windows Server which uses WCF services

pepcoder 1 Reputation point
2021-04-20T13:49:56.817+00:00

Our company security team is suggesting to disable the weak ciphers from a server where WCF services are hosted.

We don't have any specific application settings in our application which use the below ciphers. However, we are not sure whether WCF services require the below-mentioned ciphers to work when we access the services from the client machines. Can someone please help with this?

a. Weak ciphers: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000A), TLS_RSA_WITH_RC4_128_MD5 (0x0004), TLS_RSA_WITH_RC4_128_SHA (0x0005)
b. Protocol: SSL v3

Thanks in advance


1 answer

  1. Michael Taylor 48,576 Reputation points
    2021-04-20T14:33:02.29+00:00

    You can and should disable the weak ciphers. WCF can use SSL if you have configured it to listen on HTTPS. In this case the client and server negotiate on the cipher to use. The client sends what it supports and the server compares that to what is enabled and then uses the "best" one. Disabling the weak ciphers on the server prevents a client from using a weak cipher that could be easily broken. There is a chance that a client that doesn't have any strong ciphers enabled will break, but honestly this is a security issue that needs to be resolved anyway. It is unlikely you will run into issues because the ciphers have been around a long time, so disabling the weaker ones should be harmless. If you have public-facing clients then send out a notification about the change(s) and give them some time to ensure they are compliant before turning it off.

    The protocol should also be disabled. In fact only TLS 1.2 is recommended. However this is a bigger change. Firstly you need to ensure you're running on a newer .NET Framework as TLS 1.2 isn't supported on older ones. If you can recompile your WCF service then you are done otherwise you need to make a change to the machine settings to allow TLS 1.2 on older code that you cannot recompile. Once that is done then you can confirm that your WCF service supports both the older and newer protocols. This is documented here.

    Once you support TLS 1.2 in your service you should notify your clients that you are disabling everything besides TLS 1.2. All clients must ensure they are compatible with this protocol. Because clients can vary, what is involved depends on the client software. Regardless, this has been the recommendation for several years now, so most everyone should be updated. Most online sites switched to TLS 1.2 only a while back, so this is definitely something you should prioritize.

    Note that changing SSL settings requires a server reboot so you will need to schedule some downtime for the changes.

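The registry changes the answer above describes (disabling the RC4 and 3DES SCHANNEL ciphers, disabling SSL 3.0, and setting the .NET Framework switches so WCF code that cannot be recompiled follows the OS default of TLS 1.2) can be audited and applied with a script like the following. This is an added example, not code from the answerer or from Microsoft; it assumes the standard SCHANNEL and .NET Framework registry layout under HKLM and must be run from an elevated PowerShell. Without `-Apply` it only reports what would change; as the answer notes, the SCHANNEL changes take effect after a reboot.

```powershell
<#
  Audit (default) or apply (-Apply) the SCHANNEL and .NET Framework registry
  settings that disable the weak ciphers and SSL 3.0 named in the question.
  Added example; assumes the standard SCHANNEL registry layout.
#>
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# SCHANNEL cipher key names behind the suites listed in the question:
#   TLS_RSA_WITH_RC4_128_MD5 / TLS_RSA_WITH_RC4_128_SHA -> 'RC4 128/128'
#   TLS_RSA_WITH_3DES_EDE_CBC_SHA                       -> 'Triple DES 168'
# The smaller RC4 variants are included so no RC4 suite stays negotiable.
$weakCiphers   = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168')
$weakProtocols = @('SSL 3.0')

# Cipher key names contain '/', which the PowerShell registry provider treats
# as a path separator, so the .NET registry API is used instead of New-Item.
function Set-DwordValue {
    param([string]$SubKey, [string]$Name, [int]$Value, [switch]$Apply)
    $base    = [Microsoft.Win32.Registry]::LocalMachine
    $key     = $base.OpenSubKey($SubKey, $true)
    $current = if ($key) { $key.GetValue($Name, $null) } else { $null }
    $state   = if ($null -eq $current) { 'not set (SCHANNEL default)' } else { $current }
    if ($current -eq $Value) {
        Write-Host "OK      $SubKey\$Name = $Value"
        return
    }
    if (-not $Apply) {
        Write-Host "CHANGE  $SubKey\$Name : $state -> $Value (run with -Apply)"
        return
    }
    if (-not $key) { $key = $base.CreateSubKey($SubKey) }
    $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    Write-Host "SET     $SubKey\$Name = $Value"
}

# 1. Weak ciphers: Enabled = 0 removes them from the server's negotiable set.
foreach ($c in $weakCiphers) {
    Set-DwordValue -SubKey "$schannel\Ciphers\$c" -Name 'Enabled' -Value 0 -Apply:$Apply
}

# 2. SSL 3.0: disabled for both the listening (Server) and outbound (Client) side.
foreach ($p in $weakProtocols) {
    foreach ($side in 'Server', 'Client') {
        $sub = "$schannel\Protocols\$p\$side"
        Set-DwordValue -SubKey $sub -Name 'Enabled'           -Value 0 -Apply:$Apply
        Set-DwordValue -SubKey $sub -Name 'DisabledByDefault' -Value 1 -Apply:$Apply
    }
}

# 3. .NET Framework 4.x machine switches: existing WCF binaries that cannot be
#    recompiled then use the OS default protocol list (TLS 1.2) instead of
#    the older SSL 3.0/TLS 1.0 defaults. Both 64-bit and 32-bit hives are set.
$dotnetKeys = @(
    'SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($d in $dotnetKeys) {
    Set-DwordValue -SubKey $d -Name 'SchUseStrongCrypto'       -Value 1 -Apply:$Apply
    Set-DwordValue -SubKey $d -Name 'SystemDefaultTlsVersions' -Value 1 -Apply:$Apply
}

if ($Apply) { Write-Host 'Done. Reboot the server for the SCHANNEL changes to take effect.' }
```

Run it once without `-Apply` to see which keys differ from the hardened state, and keep that report as the change record; after rebooting, the same audit run should print only `OK` lines, which is a convenient way to confirm the change stuck before notifying clients.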