風險降低:TLS 通訊協定Mitigation: TLS Protocols

從 .NET Framework 4.6 開始,System.Net.ServicePointManagerSystem.Net.Security.SslStream 類別可以使用 Tls1.0、Tls1.1 或 Tls 1.2 這三種通訊協定之一。Starting with the .NET Framework 4.6, the System.Net.ServicePointManager and System.Net.Security.SslStream classes are allowed to use one of the following three protocols: Tls1.0, Tls1.1, or Tls 1.2. 不支援 SSL3.0 通訊協定與 RC4 編碼器。The SSL3.0 protocol and RC4 cipher are not supported.

影響Impact

這項變更會影響:This change affects:

降低Mitigation

建議的風險降低措施是將伺服器端應用程式升級至 Tls1.0、Tls1.1 或 Tls 1.2。The recommended mitigation is to upgrade the sever-side app to Tls1.0, Tls1.1, or Tls 1.2. 如果這並不可行,或是用戶端應用程式已中斷,則可使用 AppContext 類別搭配下列兩種方式之一,停用這項功能:If this is not feasible, or if client apps are broken, the AppContext class can be used to opt out of this feature in either of two ways:

  • 以程式設計方式,利用如下所示的程式碼片段:Programmatically, by using a code snippet like the following:

    const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
    const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
    AppContext.SetSwitch(DisableCachingName, true);
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);
    
    Const DisableCachingName As String = "TestSwitch.LocalAppContext.DisableCaching"
    Const DontEnableSchUseStrongCryptoName As String = "Switch.System.Net.DontEnableSchUseStrongCrypto"
    AppContext.SetSwitch(DisableCachingName, True)
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, True)
    

    因為 ServicePointManager 物件只能初始化一次,因此應用程式必須優先定義這些相容性設定。Because the ServicePointManager object is initialized only once, defining these compatibility settings must be the first thing the application does.

  • 在 app.config 檔案的區段中加入下列這一行 <runtime>By adding the following line to the <runtime> section of your app.config file:

    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>  
    

但是請注意,我們並不建議您停用這項預設行為,因為這樣會讓應用程式較不安全。Note, however, that opting out of the default behavior is not recommended, since it makes the application less secure.

另請參閱See also