Mitigation: TLS Protocols
Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are allowed to use only one of the following three protocols: TLS 1.0, TLS 1.1, or TLS 1.2. SSL 3.0 and the RC4 cipher are no longer offered by default.
Impact
This change affects:
- Any app that uses SSL/TLS to talk to an HTTPS server or to a socket server through any of the following types: HttpClient, HttpWebRequest, FtpWebRequest, SmtpClient, and SslStream.
- Any server-side app that cannot be upgraded to support TLS 1.0, TLS 1.1, or TLS 1.2 (that is, a server that still depends on SSL 3.0 or RC4).
Mitigation
The recommended mitigation is to upgrade the server-side app to TLS 1.0, TLS 1.1, or TLS 1.2. If this is not feasible, or if client apps are broken, the AppContext class can be used to opt out of this feature in either of two ways:
- Programmatically, by using a code snippet like the following:
```csharp
// Opt out of the .NET Framework 4.6 strong-crypto default (re-enables the
// pre-4.6 SCHANNEL behavior). Must run before any System.Net type is first used.
const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
AppContext.SetSwitch(DisableCachingName, true);
AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);
```
```vb
' Opt out of the .NET Framework 4.6 strong-crypto default (re-enables the
' pre-4.6 SCHANNEL behavior). Must run before any System.Net type is first used.
Const DisableCachingName As String = "TestSwitch.LocalAppContext.DisableCaching"
Const DontEnableSchUseStrongCryptoName As String = "Switch.System.Net.DontEnableSchUseStrongCrypto"
AppContext.SetSwitch(DisableCachingName, True)
AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, True)
```
Because the ServicePointManager object is initialized only once and reads the switch at that moment, defining these compatibility settings must be the first thing the application does; setting the switch after any System.Net type has been touched has no effect.
- By adding the following line to the <runtime> section of your app.config file:
```xml
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>
```
Note, however, that opting out of the default behavior is not recommended, since it re-enables SSL 3.0 and RC4 for every connection the process makes and so makes the application less secure.
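As an added example (not code from the original page), the following C# console program puts the two choices above side by side in a form that keeps the opt-out explicit and auditable: the AppContext switches are set as the very first statement in Main, and only when a hypothetical --allow-legacy-tls flag is passed; otherwise the process pins ServicePointManager to TLS 1.2 instead of re-enabling weak defaults. An SslStream probe with strict certificate validation then reports which protocol a server actually negotiated. The class and method names, the flag, and the host argument are assumptions for illustration; the switch names are the ones used on this page.

```csharp
// Added example, not part of the original page. Requires .NET Framework 4.6 or later.
// Assumed for illustration: the TlsStartup class, the --allow-legacy-tls flag, and a
// host name passed as the first command-line argument.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class TlsStartup
{
    // Switch names as documented on this page.
    const string DisableCachingName = "TestSwitch.LocalAppContext.DisableCaching";
    const string DontEnableSchUseStrongCryptoName = "Switch.System.Net.DontEnableSchUseStrongCrypto";

    // Legacy opt-out. Has to run before ServicePointManager (or any type that pulls it in)
    // is initialized, because the switch is read once in its static initialization.
    static void ApplyLegacyOptIn()
    {
        AppContext.SetSwitch(DisableCachingName, true);
        AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);
    }

    // Preferred path: keep the strong default and additionally pin outgoing
    // connections to TLS 1.2 rather than letting TLS 1.0/1.1 be negotiated.
    static void PinTls12()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }

    // Report the effective configuration so it can be logged at startup and reviewed.
    static string Audit()
    {
        bool optedOut;
        bool known = AppContext.TryGetSwitch(DontEnableSchUseStrongCryptoName, out optedOut);
        return string.Format("DontEnableSchUseStrongCrypto={0}; ServicePointManager.SecurityProtocol={1}",
            known ? optedOut.ToString() : "unset", ServicePointManager.SecurityProtocol);
    }

    // Open an SslStream to host:port, allow only TLS 1.2 on this handshake, require a
    // clean certificate chain, and return the protocol the server actually negotiated.
    static SslProtocols ProbeServer(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        using (var tls = new SslStream(tcp.GetStream(), false, ValidateServerCertificate))
        {
            tls.AuthenticateAsClient(host, null, SslProtocols.Tls12, checkCertificateRevocation: true);
            return tls.SslProtocol;
        }
    }

    // Fail closed: log the policy error and reject instead of the common "return true".
    static bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine("Certificate rejected: " + errors);
        return false;
    }

    static int Main(string[] args)
    {
        // The TLS decision is the first statement executed, before any System.Net use.
        if (Array.IndexOf(args, "--allow-legacy-tls") >= 0)
            ApplyLegacyOptIn();
        else
            PinTls12();

        Console.WriteLine(Audit());

        // Optional probe: TlsStartup.exe example.test (constructed host name)
        if (args.Length > 0 && !args[0].StartsWith("--"))
        {
            try
            {
                Console.WriteLine("Negotiated: " + ProbeServer(args[0], 443));
            }
            catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
            {
                Console.Error.WriteLine("TLS handshake failed: " + ex.Message);
                return 1;
            }
        }
        return 0;
    }
}
```

Run without the flag, Audit() reports the switch as unset and SecurityProtocol as Tls12; with --allow-legacy-tls it reports the switch as True, which is the line you want to find in a startup log when a deployment quietly re-enabled the legacy behavior. The probe passes SslProtocols.Tls12 to AuthenticateAsClient explicitly, so a server that can only offer SSL 3.0 or RC4 fails the handshake here regardless of what ServicePointManager allows.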