Transport Layer Security (TLS) best practices with the .NET Framework

The Transport Layer Security (TLS) protocol is an industry standard designed to help protect the privacy of information communicated over the Internet. TLS 1.2 is a standard that provides security improvements over previous versions. TLS 1.2 will eventually be replaced by the newest released standard, TLS 1.3, which is faster and has improved security. This article presents recommendations to secure .NET Framework applications that use the TLS protocol.

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports.

This document targets developers who are:

We recommend that you:

  • Target .NET Framework 4.7 or later versions on your apps. Target .NET Framework 4.7.1 or later versions on your WCF apps.
  • Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.
  • Perform a thorough code audit to verify you're not specifying a TLS or SSL version.

When your app lets the OS choose the TLS version:

  • It automatically takes advantage of new protocols added in the future, such as TLS 1.3.
  • The OS blocks protocols that are discovered not to be secure.

The section Audit your code and make code changes covers auditing and updating your code.

This article explains how to enable the strongest security available for the version of the .NET Framework that your app targets and runs on. When an app explicitly sets a security protocol and version, it opts out of every other alternative, including the .NET Framework and OS default behavior. If you want your app to be able to negotiate a TLS 1.2 connection, explicitly setting a lower TLS version prevents a TLS 1.2 connection.

If you can't avoid hardcoding a protocol version, we strongly recommend that you specify TLS 1.2. For guidance on identifying and removing TLS 1.0 dependencies, download the Solving the TLS 1.0 Problem white paper.

WCF supports TLS 1.0, 1.1 and 1.2 as the default in .NET Framework 4.7. Starting with .NET Framework 4.7.1, WCF defaults to the version configured in the operating system. If an application is explicitly configured with SslProtocols.None, WCF uses the operating system default setting when using the NetTcp transport.

You can ask questions about this document in the GitHub issue Transport Layer Security (TLS) best practices with the .NET Framework.

Audit your code and make code changes

For ASP.NET applications, inspect the <system.web><httpRuntime targetFramework> element of web.config to verify you're using the intended version of the .NET Framework.

For Windows Forms and other applications, see How to: Target a Version of the .NET Framework.

Use the following sections to verify you're not using a specific TLS or SSL version.

If your app targets .NET Framework 4.7 or later versions

The following sections show how to verify you're not using a specific TLS or SSL version.

For HTTP networking

ServicePointManager, using .NET Framework 4.7 and later versions, uses the default security protocol configured in the OS. To get the default OS choice, if possible, don't set a value for the ServicePointManager.SecurityProtocol property, which defaults to SecurityProtocolType.SystemDefault.

Because the SecurityProtocolType.SystemDefault setting causes ServicePointManager to use the default security protocol configured by the operating system, your application may behave differently depending on the OS it runs on. For example, Windows 7 SP1 uses TLS 1.0 while Windows 8 and Windows 10 use TLS 1.2.

The remainder of this article is not relevant when targeting .NET Framework 4.7 or later versions for HTTP networking.

For TCP sockets networking

SslStream, using .NET Framework 4.7 and later versions, defaults to the OS choosing the best security protocol and version. To get the default OS best choice, if possible, don't use the method overloads of SslStream that take an explicit SslProtocols parameter. Otherwise, pass SslProtocols.None. We recommend that you don't use Default; setting SslProtocols.Default forces the use of SSL 3.0/TLS 1.0 and prevents TLS 1.2.

Don't set a value for the SecurityProtocol property (for HTTP networking).

Don't use the method overloads of SslStream that take an explicit SslProtocols parameter (for TCP sockets networking). When you retarget your app to .NET Framework 4.7 or later versions, you'll be following the best practices recommendation.

The remainder of this topic is not relevant when targeting .NET Framework 4.7 or later versions for TCP sockets networking.
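As an added example (not code from the original article), the two SslStream call patterns that the HTTP and TCP sections above contrast, together with a post-handshake check that records what was actually negotiated. It assumes a .NET Framework 4.7 or later project; the host name is a placeholder.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example, not from the original article. Assumes .NET Framework 4.7+.
static class TlsClientAudit
{
    // Anti-pattern the article warns about: pinning the protocol version.
    // This caps the connection at TLS 1.0 and prevents TLS 1.2 even where the OS supports it.
    static void PinnedToTls10(SslStream ssl, string host)
    {
        ssl.AuthenticateAsClient(host, null, SslProtocols.Tls, checkCertificateRevocation: true);
    }

    // Recommended form: the overload without an SslProtocols parameter lets the OS choose.
    // Passing SslProtocols.None to the four-argument overload is equivalent;
    // SslProtocols.Default is not (it forces SSL 3.0/TLS 1.0).
    static void OsDefault(SslStream ssl, string host)
    {
        ssl.AuthenticateAsClient(host);
    }

    // Post-handshake check: record what was negotiated so that a deployment on an older OS
    // (for example Windows 7 SP1, which defaults to TLS 1.0) is visible in the logs.
    static string DescribeNegotiated(SslStream ssl)
    {
        return string.Format("protocol={0} cipher={1}/{2} hash={3} keyExchange={4}",
            ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength,
            ssl.HashAlgorithm, ssl.KeyExchangeAlgorithm);
    }

    static void Main()
    {
        // HTTP networking (HttpWebRequest/WebClient): do not assign SecurityProtocol.
        // Left unset on 4.7+, the property reads back as SystemDefault (the OS picks).
        // Do NOT write: ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
        Console.WriteLine("ServicePointManager.SecurityProtocol = " + ServicePointManager.SecurityProtocol);

        const string host = "tls-endpoint.example.test"; // placeholder host, constructed for this example
        using (var tcp = new TcpClient(host, 443))
        using (var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false))
        {
            OsDefault(ssl, host);
            Console.WriteLine(DescribeNegotiated(ssl));
        }
    }
}
```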

For WCF TCP transport using transport security with certificate credentials

WCF uses the same networking stack as the rest of the .NET Framework.

If you are targeting 4.7.1, WCF is configured to allow the OS to choose the best security protocol by default, unless explicitly configured:

  • In your application configuration file.
  • Or, in your application's source code.

By default, .NET Framework 4.7 and later versions are configured to use TLS 1.2 and allow connections using TLS 1.1 or TLS 1.0. Configure WCF to allow the OS to choose the best security protocol by configuring your binding to use SslProtocols.None. This is set on the SslProtocols property, which is reached from Transport (NetTcpSecurity.Transport), which in turn is reached from Security.

If you're using a custom binding:

  • Configure WCF to allow the OS to choose the best security protocol by setting SslProtocols to SslProtocols.None.
  • Or configure the protocol used with the configuration path system.serviceModel/bindings/customBinding/binding/sslStreamSecurity:sslProtocols.

If you're not using a custom binding and you're setting your WCF binding using configuration, set the protocol used with the configuration path system.serviceModel/bindings/netTcpBinding/binding/security/transport:sslProtocols.

For WCF Message Security with certificate credentials

.NET Framework 4.7 and later versions by default use the protocol specified in the SecurityProtocol property. When the AppContext switch Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols is set to true, WCF chooses the best protocol, up to TLS 1.0.
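An added example (not the article's or WCF's own code) of the NetTcpBinding setup described above: transport security with certificate credentials and Security.Transport.SslProtocols set to SslProtocols.None so the OS chooses the protocol, plus a small audit check for bindings that still pin a version. It assumes a project referencing System.ServiceModel.

```csharp
using System;
using System.Security.Authentication;
using System.ServiceModel;

// Added example, not from the original article. Requires a reference to System.ServiceModel.
static class WcfTcpBindingSetup
{
    // Returns a transport-secured NetTcpBinding that defers the protocol choice to the OS.
    public static NetTcpBinding CreateOsDefaultBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        // Certificate credentials, as in "transport security with certificate credentials".
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        // SslProtocols.None means "let the OS pick". Do not use SslProtocols.Default
        // (SSL 3.0/TLS 1.0 only); pin Tls12 only if you cannot avoid pinning at all.
        binding.Security.Transport.SslProtocols = SslProtocols.None;
        return binding;
    }

    // Audit helper: true when a transport-secured binding still pins a protocol version.
    public static bool PinsProtocolVersion(NetTcpBinding binding)
    {
        return binding.Security.Mode == SecurityMode.Transport
            && binding.Security.Transport.SslProtocols != SslProtocols.None;
    }

    static void Main()
    {
        var good = CreateOsDefaultBinding();
        Console.WriteLine("OS-default binding pins a version: " + PinsProtocolVersion(good));

        // The pattern the audit should catch: a binding hardcoded to TLS 1.0.
        var pinned = new NetTcpBinding(SecurityMode.Transport);
        pinned.Security.Transport.SslProtocols = SslProtocols.Tls;
        Console.WriteLine("Pinned binding pins a version: " + PinsProtocolVersion(pinned));

        // Equivalent app.config fragment, using the article's configuration path
        // system.serviceModel/bindings/netTcpBinding/binding/security/transport:sslProtocols
        //   <netTcpBinding>
        //     <binding name="osDefault">
        //       <security mode="Transport">
        //         <transport clientCredentialType="Certificate" sslProtocols="None" />
        //       </security>
        //     </binding>
        //   </netTcpBinding>
    }
}
```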

If your app targets a .NET Framework version earlier than 4.7

Audit your code to verify you're not setting a specific TLS or SSL version, using the following sections:

For .NET Framework 4.6 - 4.6.2 and not WCF

Set the DontEnableSystemDefaultTlsVersions AppContext switch to false. See Configuring security via AppContext switches.

For WCF using .NET Framework 4.6 - 4.6.2 using TCP transport security with certificate credentials

You must install the latest OS patches. See Security updates.

The WCF framework automatically chooses the highest protocol available, up to TLS 1.2, unless you explicitly configure a protocol version. For more information, see the preceding section For WCF TCP transport using transport security with certificate credentials.

For .NET Framework 3.5 - 4.5.2 and not WCF

We recommend you upgrade your app to .NET Framework 4.7 or later versions. If you cannot upgrade, take the following steps.

Set the SchUseStrongCrypto and SystemDefaultTlsVersions registry keys to 1. See Configuring security via the Windows Registry. .NET Framework 3.5 supports the SchUseStrongCrypto flag only when an explicit TLS value is passed.

If you are running on .NET Framework 3.5, you need to install a hotfix so that TLS 1.2 can be specified by your program:

  • KB3154518 - Reliability Rollup HR-1605 - Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
  • KB3154519 - Reliability Rollup HR-1605 - Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
  • KB3154520 - Reliability Rollup HR-1605 - Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
  • KB3156421 - 1605 Hotfix rollup 3154521 for the .NET Framework 4.5.2 and 4.5.1 on Windows

For WCF using .NET Framework 3.5 - 4.5.2 using TCP transport security with certificate credentials

These versions of the WCF framework are hardcoded to use the values SSL 3.0 and TLS 1.0. These values cannot be changed. You must update and retarget to .NET Framework 4.6 or later versions to use TLS 1.1 and 1.2.

If your app targets .NET Framework 3.5

If you must explicitly set a security protocol instead of letting .NET or the OS pick the security protocol, add the SecurityProtocolTypeExtensions and SslProtocolsExtension enumerations to your code. SecurityProtocolTypeExtensions and SslProtocolsExtension include values for Tls12, Tls11, and the SystemDefault value. For more information, see Support for TLS System Default Versions included in .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2.

Configuring security via AppContext switches (for .NET Framework 4.6 or later versions)

The AppContext switches described in this section are relevant if your app targets, or runs on, .NET Framework 4.6 or later versions. Whether by default or by setting them explicitly, the switches should be false if possible. If you want to configure security via one or both switches, don't specify a security protocol value in your code; doing so would override the switch(es).

The switches have the same effect whether you're doing HTTP networking (ServicePointManager) or TCP sockets networking (SslStream).

Switch.System.Net.DontEnableSchUseStrongCrypto

A value of false for Switch.System.Net.DontEnableSchUseStrongCrypto causes your app to use strong cryptography: the more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) are used and protocols that are not secure are blocked. For more info, see The SCH_USE_STRONG_CRYPTO flag. A value of true disables strong cryptography for your app.

If your app targets .NET Framework 4.6 or later versions, this switch defaults to false. That's a secure default, which we recommend. If your app runs on .NET Framework 4.6 but targets an earlier version, the switch defaults to true. In that case, you should explicitly set it to false.

DontEnableSchUseStrongCrypto should only have a value of true if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

Switch.System.Net.DontEnableSystemDefaultTlsVersions

A value of false for Switch.System.Net.DontEnableSystemDefaultTlsVersions causes your app to allow the operating system to choose the protocol. A value of true causes your app to use the protocols picked by the .NET Framework.

If your app targets .NET Framework 4.7 or later versions, this switch defaults to false. That's a secure default that we recommend. If your app runs on .NET Framework 4.7 or later versions but targets an earlier version, the switch defaults to true. In that case, you should explicitly set it to false.

Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols

A value of false for Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols causes your application to use the value defined in ServicePointManager.SecurityProtocol for message security using certificate credentials. A value of true uses the highest protocol available, up to TLS 1.0.

For applications targeting .NET Framework 4.7 and later versions, this value defaults to false. For applications targeting .NET Framework 4.6.2 and earlier, this value defaults to true.

Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions

A value of false for Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions sets the default configuration to allow the operating system to choose the protocol. A value of true sets the default to the highest protocol available, up to TLS 1.2.

For applications targeting .NET Framework 4.7.1 and later versions, this value defaults to false. For applications targeting .NET Framework 4.7 and earlier, this value defaults to true.

For more information about TLS protocols, see Mitigation: TLS Protocols. For more information about AppContext switches, see <AppContextSwitchOverrides> Element.

Configuring security via the Windows Registry

Warning

Setting registry keys affects all applications on the system. Use this option only if you are in full control of the machine and can control changes to the registry.

If setting one or both AppContext switches isn't an option, you can control the security protocols that your app uses with the Windows Registry keys described in this section. You might not be able to use one or both AppContext switches if your app runs on .NET Framework 4.5.2 or earlier versions, or if you can't edit the configuration file. If you want to configure security with the registry, don't specify a security protocol value in your code; doing so overrides the registry setting.

The names of the registry keys are similar to the names of the corresponding AppContext switches, but without DontEnable prepended to the name. For example, the AppContext switch DontEnableSchUseStrongCrypto corresponds to the registry key called SchUseStrongCrypto.

These keys are available in all .NET Framework versions for which there's a recent security patch. See Security updates.

All of the registry keys described below have the same effect whether you're doing HTTP networking (ServicePointManager) or TCP sockets networking (SslStream).

SchUseStrongCrypto

The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. Strong cryptography uses the more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. A value of 0 disables strong cryptography. For more information, see The SCH_USE_STRONG_CRYPTO flag.

If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

SystemDefaultTlsVersions

The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions registry key has a value of type DWORD. A value of 1 causes your app to allow the operating system to choose the protocol. A value of 0 causes your app to use the protocols picked by the .NET Framework.

<VERSION> must be v4.0.30319 (for .NET Framework 4 and above) or v2.0.50727 (for .NET Framework 3.5).

If your app targets .NET Framework 4.7 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.6.1 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.

For more info, see Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016.

For more information on .NET Framework 3.5.1, see Support for TLS System Default Versions included in .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1.

The following .REG file sets the registry keys and their variants to their most safe values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Configuring Schannel protocols in the Windows Registry

You can use the registry for fine-grained control over the protocols that your client and/or server app negotiates. Your app's networking goes through Schannel (another name for Secure Channel). By configuring Schannel, you can configure your app's behavior.

Start with the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry key. Under that key you can create any subkeys in the set SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. Under each of those subkeys, you can create subkeys Client and/or Server. Under Client and Server, you can create the DWORD values DisabledByDefault (0 or 1) and Enabled (0 or 1).

The SCH_USE_STRONG_CRYPTO flag

When it's enabled (by default, by an AppContext switch, or by the Windows Registry), the .NET Framework uses the SCH_USE_STRONG_CRYPTO flag when your app requests a TLS security protocol. The OS passes the flag to Schannel to instruct it to disable known weak cryptographic algorithms, cipher suites, and TLS/SSL protocol versions that may otherwise be enabled for better interoperability. For more information, see:

The SCH_USE_STRONG_CRYPTO flag is also passed to Schannel when you explicitly use the Tls (TLS 1.0), Tls11, or Tls12 enumerated values of SecurityProtocolType or SslProtocols.
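An added, read-only audit (not code from the original article) that checks the three configuration layers described in the AppContext switches section and the two registry sections above: the four AppContext switches (per process), the SchUseStrongCrypto and SystemDefaultTlsVersions values in all four .NETFramework keys, and the Schannel Protocols keys. It assumes it runs on the Windows machine being audited; the AppContext part only reflects the process it runs in, so embed that check in the application itself.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example, not from the original article. Read-only; requires no elevation.
static class TlsConfigAudit
{
    // Switches from the article; all four should be false (or unset) if possible.
    static readonly string[] Switches =
    {
        "Switch.System.Net.DontEnableSchUseStrongCrypto",
        "Switch.System.Net.DontEnableSystemDefaultTlsVersions",
        "Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols",
        "Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions",
    };

    // Registry value names are the switch names without "DontEnable" (per the article).
    static readonly string[] RegistryValues = { "SchUseStrongCrypto", "SystemDefaultTlsVersions" };

    // <VERSION> from the article: v2.0.50727 for .NET 3.5, v4.0.30319 for .NET 4.x.
    static readonly string[] FrameworkVersions = { "v2.0.50727", "v4.0.30319" };

    const string SchannelProtocols =
        @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";

    // Reads a DWORD under HKLM in the given 32/64-bit view; null if the key or value is absent.
    // The Registry32 view maps to the WOW6432Node paths in the article's .REG file.
    static int? ReadDword(RegistryView view, string subKey, string name)
    {
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (var key = hklm.OpenSubKey(subKey))
        {
            return key == null ? null : key.GetValue(name) as int?;
        }
    }

    // AppContext layer: a switch set to true opts out of the secure behaviour.
    public static List<string> AppContextFindings()
    {
        var findings = new List<string>();
        foreach (var name in Switches)
        {
            bool enabled;
            if (AppContext.TryGetSwitch(name, out enabled) && enabled)
                findings.Add(name + " = true (should be false)");
        }
        return findings;
    }

    // Registry layer: both values should be 1 in all four .NETFramework keys.
    // An absent value means the framework default applies, which is 0 for older targets.
    public static List<string> RegistryFindings()
    {
        var findings = new List<string>();
        foreach (var view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
        {
            foreach (var ver in FrameworkVersions)
            {
                string sub = @"SOFTWARE\Microsoft\.NETFramework\" + ver;
                foreach (var name in RegistryValues)
                {
                    int? v = ReadDword(view, sub, name);
                    if (v != 1)
                        findings.Add(string.Format("{0} HKLM\\{1}\\{2} = {3} (recommended 1)",
                            view, sub, name, v.HasValue ? v.Value.ToString() : "<absent>"));
                }
            }
        }
        return findings;
    }

    // Schannel layer: Protocols\<version>\<Client|Server> with Enabled / DisabledByDefault.
    // Absent values mean the OS default applies, which differs per Windows version.
    public static List<string> SchannelFindings()
    {
        var findings = new List<string>();
        foreach (var proto in new[] { "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2" })
        {
            foreach (var side in new[] { "Client", "Server" })
            {
                string sub = SchannelProtocols + @"\" + proto + @"\" + side;
                int? enabled = ReadDword(RegistryView.Registry64, sub, "Enabled");
                int? byDefault = ReadDword(RegistryView.Registry64, sub, "DisabledByDefault");
                if (proto.StartsWith("SSL") && enabled != 0)
                    findings.Add(proto + " " + side + ": not explicitly disabled (Enabled is not 0)");
                if (proto == "TLS 1.2" && (enabled == 0 || byDefault == 1))
                    findings.Add(proto + " " + side + ": disabled in registry; TLS 1.2 cannot be negotiated");
            }
        }
        return findings;
    }

    static void Main()
    {
        foreach (var f in AppContextFindings()) Console.WriteLine("[AppContext] " + f);
        foreach (var f in RegistryFindings()) Console.WriteLine("[Registry]   " + f);
        foreach (var f in SchannelFindings()) Console.WriteLine("[Schannel]   " + f);
    }
}
```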

Security updates

The best practices in this article depend on recent security updates being installed. These updates include the ability to use advanced .NET Framework 4.7 and later features. Recent security updates are important if your app runs on .NET Framework 4.7 and later versions (even if it targets an earlier version).

To update the .NET Framework to allow the operating system to choose the best version of TLS to use, you must install at least:

See also:

Support for TLS 1.2

For your app to negotiate TLS 1.2, the OS and the .NET Framework version both need to support TLS 1.2.

Operating system requirements to support TLS 1.2

To enable or re-enable TLS 1.2 and/or TLS 1.1 on a system that supports them, see Transport Layer Security (TLS) registry settings.

OS                                          TLS 1.2 support
Windows 10, Windows Server 2016             Supported, and enabled by default.
Windows 8.1, Windows Server 2012 R2         Supported, and enabled by default.
Windows 8.0, Windows Server 2012            Supported, and enabled by default.
Windows 7 SP1, Windows Server 2008 R2 SP1   Supported, but not enabled by default. See the Transport Layer Security (TLS) registry settings web page for details on how to enable TLS 1.2.
Windows Server 2008                         Support for TLS 1.2 and TLS 1.1 requires an update. See Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2.
Windows Vista                               Not supported.

For information about which TLS/SSL protocols are enabled by default on each version of Windows, see Protocols in TLS/SSL (Schannel SSP).

Requirements to support TLS 1.2 with .NET Framework 3.5

This table shows the OS update you'll need to support TLS 1.2 with .NET Framework 3.5. We recommend you apply all OS updates.

OS                                          Minimum update needed to support TLS 1.2 with .NET Framework 3.5
Windows 10, Windows Server 2016             Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016
Windows 8.1, Windows Server 2012 R2         Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
Windows 8.0, Windows Server 2012            Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
Windows 7 SP1, Windows Server 2008 R2 SP1   Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
Windows Server 2008                         Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2
Windows Vista                               Not supported