0 Votes
olelar-6818 asked JiayaoWuMSFT-8028 commented

Using TLS 1.1/1.2 in WCF with .Net Framework 3.5

Hello,

I am attempting to connect to a WCF service endpoint using TLS 1.1 or 1.2. TLS 1.0 works, but it will be disabled at some point in the future, and only TLS 1.1/1.2 will be allowed.

The client application is targeting .Net Framework 3.5. I have tried running it on Windows Server 2016, 2012 R2, and Windows 10, but have not been able to get it to use TLS 1.1/1.2 on any of them.

My understanding according to the two following articles is that it is possible to use TLS 1.1/1.2 with .Net Framework 3.5 as long as your system is up to date, and you either specify the TLS version in code, or you perform the mentioned registry edits:
1) https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
2) https://support.microsoft.com/en-us/topic/support-for-tls-system-default-versions-included-in-the-net-framework-3-5-on-windows-8-1-and-windows-server-2012-r2-499ff5ef-a88a-128b-c639-ed038b7d2d5f

I have made the registry edits in article #2 linked above, and have also tried to specify the TLS version as mentioned in the "Developer guidance" section in article #2 (tried all 3 options: 1.1, 1.2, and SystemDefault). I have also tried to set:
1) HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto
2) HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions

I am able to make TLS 1.1/1.2 connections to ssllabs.com test endpoints (https://www.ssllabs.com:10302 & https://www.ssllabs.com:10303) when using the WebRequest class; it is just WCF that does not work. WCF only seems to try SSL3 or TLS 1.0. I have enabled extra logging for Schannel in the event viewer by making a registry edit, which then displays the TLS version being used for the connection.

For WCF I am using SecurityMode.Message, MessageCredentialType.None, and wsHttpBinding.

There is a heading in article #1 (For WCF using .NET Framework 3.5 - 4.5.2 using TCP transport security with Certificate Credentials) that states TCP transport security with Certificate credentials must upgrade to 4.6 or later for TLS 1.1/1.2. Is this perhaps the case for message security too? (In a separate test app I have only gotten TLS 1.1/1.2 to work if I target at least 4.7.)

I understand that updating the target framework to 4.7 or higher will solve this, but if at all possible I need to get this working with .Net Framework 3.5.

Does anyone know if it is possible to use WCF targeting .Net Framework 3.5 with message security to use TLS 1.1 or 1.2?

Thank you

windows-wcf
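
A read-only check of the registry values named in the question, as an added example that is not part of the original post. It assumes `<VERSION>` is `v2.0.50727` (the CLR that .NET Framework 3.5 runs on) with `v4.0.30319` shown for comparison, it also reads the Schannel client protocol keys, and the function names are hypothetical:

```powershell
# Added example: audits the .NET and Schannel TLS registry settings. Writes nothing.
# Assumption: <VERSION> = v2.0.50727 for .NET 3.5 (CLR 2.0); v4.0.30319 for 4.x apps.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-DotNetTlsSettings {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework',              # native-bitness processes
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'   # 32-bit processes on 64-bit Windows
    )
    foreach ($root in $roots) {
        foreach ($version in 'v2.0.50727', 'v4.0.30319') {
            $key = "$root\$version"
            [pscustomobject]@{
                Key                      = $key
                SchUseStrongCrypto       = Get-RegValue $key 'SchUseStrongCrypto'
                SystemDefaultTlsVersions = Get-RegValue $key 'SystemDefaultTlsVersions'
            }
        }
    }
}

function Get-SchannelClientSettings {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = "$base\$proto\Client"
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = Get-RegValue $key 'Enabled'
            DisabledByDefault = Get-RegValue $key 'DisabledByDefault'
        }
    }
}

Get-DotNetTlsSettings      | Format-Table Key, SchUseStrongCrypto, SystemDefaultTlsVersions -AutoSize
Get-SchannelClientSettings | Format-Table Protocol, Enabled, DisabledByDefault -AutoSize
```

An empty column means the value is not set, so the operating system default applies. A 32-bit client on 64-bit Windows reads the `Wow6432Node` rows, so both hives need the same values.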

Hi @olelar-6818 ,
As far as I know, TLS 1.2 is not supported in .NET 3.5 or below, and there is no workaround. You should upgrade your application to a more recent version of the framework.

0 Votes 0 ·
olelar-6818 JiayaoWuMSFT-8028 ·

Thank you for your answer @JiayaoWuMSFT-8028,

To confirm, when you say that TLS 1.2 is not supported in .NET 3.5 Framework, that is just for WCF? I am able to make TLS 1.1/1.2 connections to ssllabs.com using the WebRequest class in an app that targets .NET Framework 3.5; it is just WCF that does not seem to work.

Thank you

0 Votes 0 ·

Hi @olelar-6818 ,
It seems that TLS 1.2 is supported in .NET 3.5, and Microsoft has released an update. But WCF is not supported to run, you are right.


1 Vote 1 ·

0 Answers