Transport Layer Security (TLS) best practices with the .NET Framework

The Transport Layer Security (TLS) protocol is an industry standard designed to help protect the privacy of information communicated over the Internet. TLS 1.2 is a standard that provides security improvements over previous versions. TLS 1.2 will eventually be replaced by the newest released standard, TLS 1.3, which is faster and has improved security. This article presents recommendations to secure .NET Framework applications that use the TLS protocol.

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports.

This document targets developers who are:

We recommend that you:

  • Target .NET Framework 4.7 or later versions on your apps. Target .NET Framework 4.7.1 or later versions on your WCF apps.
  • Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.
  • Perform a thorough code audit to verify you're not specifying a TLS or SSL version.

When your app lets the OS choose the TLS version:

  • It automatically takes advantage of new protocols added in the future, such as TLS 1.3.
  • The OS blocks protocols that are discovered not to be secure.

The section Audit your code and make code changes covers auditing and updating your code.

This article explains how to enable the strongest security available for the version of the .NET Framework that your app targets and runs on. When an app explicitly sets a security protocol and version, it opts out of any other alternative, and opts out of .NET Framework and OS default behavior. If you want your app to be able to negotiate a TLS 1.2 connection, explicitly setting a lower TLS version prevents a TLS 1.2 connection.

If you can't avoid hardcoding a protocol version, we strongly recommend that you specify TLS 1.2. For guidance on identifying and removing TLS 1.0 dependencies, download the Solving the TLS 1.0 Problem white paper.

WCF supports TLS 1.0, 1.1 and 1.2 as the default in .NET Framework 4.7. Starting with .NET Framework 4.7.1, WCF defaults to the operating system configured version. If an application is explicitly configured with SslProtocols.None, WCF uses the operating system default setting when using the NetTcp transport.

You can ask questions about this document in the GitHub issue Transport Layer Security (TLS) best practices with the .NET Framework.

Audit your code and make code changes

For ASP.NET applications, inspect the <system.web><httpRuntime targetFramework> element of web.config to verify you're using the intended version of the .NET Framework.

For Windows Forms and other applications, see How to: Target a Version of the .NET Framework.

Use the following sections to verify you're not using a specific TLS or SSL version.

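The code audit recommended above can be made repeatable. The following console program is an added example, not code from the article or from Microsoft: it walks a source tree and flags the ways a TLS or SSL version gets pinned in .NET Framework code and WCF configuration. The file extensions, the regular expressions and the exit-code convention are this example's own choices.

```csharp
// Added example (not from the original article): a small source audit that flags
// hardcoded TLS/SSL protocol versions, which the article recommends removing.
// Usage: TlsAudit.exe <path-to-source-tree>
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

static class TlsAudit
{
    // Each pattern matches one way of pinning a protocol version. SecurityProtocolType.SystemDefault
    // and SslProtocols.None are the recommended values and are deliberately not matched.
    static readonly Regex[] Findings =
    {
        // ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 (HTTP networking)
        new Regex(@"SecurityProtocolType\.(Ssl3|Tls|Tls11|Tls12|Tls13)\b"),
        // Numeric cast used on 4.5 to name TLS 1.2 before the enum member existed: (SecurityProtocolType)3072
        new Regex(@"\(\s*SecurityProtocolType\s*\)\s*\d+"),
        // SslStream / WCF overloads taking an explicit SslProtocols value; Default forces SSL 3.0/TLS 1.0
        new Regex(@"SslProtocols\.(Ssl2|Ssl3|Tls|Tls11|Tls12|Tls13|Default)\b"),
        // WCF configuration: sslProtocols="Tls" on netTcpBinding/security/transport or on sslStreamSecurity
        new Regex(@"sslProtocols\s*=\s*""(?!None"")[^""]+""", RegexOptions.IgnoreCase),
    };

    // File types worth scanning (assumption of this example; extend for your repository layout).
    static readonly string[] Extensions = { ".cs", ".vb", ".config", ".xml" };

    // Yields one "file(line): match" entry per offending line.
    public static IEnumerable<string> Scan(string root)
    {
        foreach (var file in Directory.EnumerateFiles(root, "*.*", SearchOption.AllDirectories))
        {
            if (Array.IndexOf(Extensions, Path.GetExtension(file).ToLowerInvariant()) < 0) continue;
            string[] lines = File.ReadAllLines(file);
            for (int i = 0; i < lines.Length; i++)
            {
                foreach (var rx in Findings)
                {
                    var m = rx.Match(lines[i]);
                    if (m.Success)
                    {
                        yield return $"{file}({i + 1}): {m.Value}  <- hardcoded protocol version";
                        break; // one finding per line is enough
                    }
                }
            }
        }
    }

    static int Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : Directory.GetCurrentDirectory();
        int count = 0;
        foreach (var finding in Scan(root)) { Console.WriteLine(finding); count++; }
        Console.WriteLine(count == 0 ? "No hardcoded TLS/SSL versions found." : $"{count} finding(s).");
        return count == 0 ? 0 : 1; // nonzero exit code lets a build pipeline fail on findings
    }
}
```

Run it against the repository root as part of the build; a nonzero exit code keeps a pinned version from being reintroduced after the audit is done. Findings in files that deliberately target TLS 1.2 because a version cannot be avoided (the fallback the article allows) should be reviewed rather than suppressed.
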
If your app targets .NET Framework 4.7 or later versions

The following sections show how to verify you're not using a specific TLS or SSL version.

For HTTP networking

ServicePointManager, using .NET Framework 4.7 and later versions, will use the default security protocol configured in the OS. To get the default OS choice, if possible, don't set a value for the ServicePointManager.SecurityProtocol property, which defaults to SecurityProtocolType.SystemDefault.

Because the SecurityProtocolType.SystemDefault setting causes the ServicePointManager to use the default security protocol configured by the operating system, your application may run differently based on the OS it's run on. For example, Windows 7 SP1 uses TLS 1.0 while Windows 8 and Windows 10 use TLS 1.2.

The remainder of this article is not relevant when targeting .NET Framework 4.7 or later versions for HTTP networking.

For TCP sockets networking

SslStream, using .NET Framework 4.7 and later versions, defaults to the OS choosing the best security protocol and version. To get the default OS best choice, if possible, don't use the method overloads of SslStream that take an explicit SslProtocols parameter. Otherwise, pass SslProtocols.None. We recommend that you don't use Default; setting SslProtocols.Default forces the use of SSL 3.0/TLS 1.0 and prevents TLS 1.2.

Don't set a value for the SecurityProtocol property (for HTTP networking).

Don't use the method overloads of SslStream that take an explicit SslProtocols parameter (for TCP sockets networking). When you retarget your app to .NET Framework 4.7 or later versions, you'll be following the best practices recommendation.

The remainder of this topic is not relevant when targeting .NET Framework 4.7 or later versions for TCP sockets networking.

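The two sections above (HTTP networking through ServicePointManager and TCP sockets through SslStream) come down to the same rule: leave the protocol choice to the OS. The program below is an added example written for this page, not code from the article; it places the pinned form beside the recommended form for both APIs and reads back what was actually negotiated. The host name example.com and port 443 are placeholders.

```csharp
// Added example (not from the original article): the same HTTPS request and the same
// SslStream handshake written two ways: pinned to a protocol version, and left to the OS.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class OsChosenTls
{
    // Anti-pattern for HTTP: pinning opts the whole process out of the OS default. A Tls11 pin
    // would block TLS 1.2 for every HttpWebRequest, and a Tls12 pin prevents adopting TLS 1.3 later.
    static void PinnedHttp()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // hardcoded: avoid
    }

    // Recommended on .NET Framework 4.7+: do not touch SecurityProtocol at all. Its default,
    // SecurityProtocolType.SystemDefault, defers to Schannel and the OS registry settings.
    static string FetchWithOsDefaults(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    // Anti-pattern for TCP: the overload that takes SslProtocols. Default means SSL 3.0/TLS 1.0
    // and prevents TLS 1.2 from being negotiated.
    static void PinnedSslStream(SslStream ssl, string host)
    {
        ssl.AuthenticateAsClient(host, null, SslProtocols.Default, checkCertificateRevocation: true);
    }

    // Recommended: the overload without an SslProtocols parameter (or pass SslProtocols.None),
    // so the OS picks the best protocol both sides support.
    static SslStream ConnectWithOsDefaults(string host, int port)
    {
        var client = new TcpClient(host, port);
        var ssl = new SslStream(client.GetStream(), leaveInnerStreamOpen: false);
        ssl.AuthenticateAsClient(host);
        return ssl;
    }

    static void Main()
    {
        // Confirms that no other code in the process has pinned the HTTP protocol (expect SystemDefault).
        Console.WriteLine("ServicePointManager.SecurityProtocol = " + ServicePointManager.SecurityProtocol);
        Console.WriteLine(FetchWithOsDefaults("https://example.com/").Length + " bytes received");

        using (var ssl = ConnectWithOsDefaults("example.com", 443))
        {
            // What was actually negotiated; useful when diagnosing a peer that is stuck on an old version.
            Console.WriteLine("Negotiated " + ssl.SslProtocol + " with cipher " + ssl.CipherAlgorithm);
        }
    }
}
```

SslStream.SslProtocol after the handshake is the cheapest way to confirm that "let the OS choose" produced TLS 1.2 on a given machine, and it is the value to compare across the Windows versions the article lists when an application behaves differently from one OS to another.
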
For WCF TCP transport using transport security with certificate credentials

WCF uses the same networking stack as the rest of the .NET Framework.

If you are targeting 4.7.1, WCF is configured to allow the OS to choose the best security protocol by default unless explicitly configured:

  • In your application configuration file.
  • Or, in your application in the source code.

By default, .NET Framework 4.7 and later versions are configured to use TLS 1.2 and allow connections using TLS 1.1 or TLS 1.0. Configure WCF to allow the OS to choose the best security protocol by configuring your binding to use SslProtocols.None. The setting is the SslProtocols property, reached as NetTcpBinding.Security.Transport.SslProtocols: Transport is the NetTcpSecurity.Transport property, and Security is the binding's Security property.

If you're using a custom binding:

  • Configure WCF to allow the OS to choose the best security protocol by setting SslProtocols to use SslProtocols.None.
  • Or configure the protocol used with the configuration path system.serviceModel/bindings/customBinding/binding/sslStreamSecurity:sslProtocols.

If you're not using a custom binding and you're setting your WCF binding using configuration, set the protocol used with the configuration path system.serviceModel/bindings/netTcpBinding/binding/security/transport:sslProtocols.

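Both binding styles described above (the standard NetTcpBinding and a custom binding built around SslStreamSecurityBindingElement) carry the same SslProtocols property. The following added example, written for this page and not taken from the article or from WCF's own samples, builds each binding with SslProtocols.None and adds an audit helper that reports a binding that pins a version. It assumes a reference to System.ServiceModel.dll and .NET Framework 4.6.2 or later, where the SslProtocols properties on TcpTransportSecurity and SslStreamSecurityBindingElement are available.

```csharp
// Added example (not from the original article): NetTcp and custom bindings that let the OS
// choose the TLS version, plus a check that catches a pinned version in either binding style.
using System;
using System.Security.Authentication;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class WcfTlsConfig
{
    // Standard binding with certificate transport security. SslProtocols.None is the value
    // that means "no explicit version"; the OS default then applies.
    public static NetTcpBinding CreateNetTcpBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        // Configuration equivalent:
        //   system.serviceModel/bindings/netTcpBinding/binding/security/transport sslProtocols="None"
        binding.Security.Transport.SslProtocols = SslProtocols.None;
        return binding;
    }

    // Custom binding: the SslStreamSecurityBindingElement carries the same setting.
    public static CustomBinding CreateCustomBinding()
    {
        var ssl = new SslStreamSecurityBindingElement { RequireClientCertificate = true };
        // Configuration equivalent:
        //   system.serviceModel/bindings/customBinding/binding/sslStreamSecurity sslProtocols="None"
        ssl.SslProtocols = SslProtocols.None;
        return new CustomBinding(
            new BinaryMessageEncodingBindingElement(),
            ssl,
            new TcpTransportBindingElement());
    }

    // Audit helper: true when the binding names one or more protocol versions instead of None.
    // On .NET Framework 4.7 the NetTcpBinding default is Tls|Tls11|Tls12, which this reports as
    // pinned; on 4.7.1 and later the default is None.
    public static bool PinsProtocolVersion(Binding binding)
    {
        var netTcp = binding as NetTcpBinding;
        if (netTcp != null)
            return netTcp.Security.Mode == SecurityMode.Transport
                && netTcp.Security.Transport.SslProtocols != SslProtocols.None;

        var sslElement = binding.CreateBindingElements().Find<SslStreamSecurityBindingElement>();
        return sslElement != null && sslElement.SslProtocols != SslProtocols.None;
    }

    static void Main()
    {
        Console.WriteLine("netTcpBinding pinned: " + PinsProtocolVersion(CreateNetTcpBinding()));
        Console.WriteLine("customBinding pinned: " + PinsProtocolVersion(CreateCustomBinding()));

        // A binding hardcoded to TLS 1.0, the case the audit exists to catch.
        var pinned = new NetTcpBinding(SecurityMode.Transport);
        pinned.Security.Transport.SslProtocols = SslProtocols.Tls;
        Console.WriteLine("hardcoded binding pinned: " + PinsProtocolVersion(pinned));
    }
}
```

PinsProtocolVersion can be run over every binding a service host exposes at startup, which complements a source scan: it also catches versions pinned through configuration rather than code.
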
For WCF Message Security with certificate credentials

.NET Framework 4.7 and later versions by default use the protocol specified in the SecurityProtocol property. When the AppContext switch Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols is set to true, WCF chooses the best protocol, up to TLS 1.0.

If your app targets a .NET Framework version earlier than 4.7

Audit your code to verify you're not setting a specific TLS or SSL version using the following sections:

For .NET Framework 4.6 - 4.6.2 and not WCF

Set the DontEnableSystemDefaultTlsVersions AppContext switch to false. See Configuring security via AppContext switches.

For WCF using .NET Framework 4.6 - 4.6.2 using TCP transport security with Certificate Credentials

You must install the latest OS patches. See Security updates.

The WCF framework automatically chooses the highest protocol available up to TLS 1.2 unless you explicitly configure a protocol version. For more information, see the preceding section For WCF TCP transport using transport security with certificate credentials.

For .NET Framework 3.5 - 4.5.2 and not WCF

We recommend you upgrade your app to .NET Framework 4.7 or later versions. If you cannot upgrade, take the following steps. At some point in the future, your application may fail until you upgrade to .NET Framework 4.7 or later versions.

Set the SchUseStrongCrypto and SystemDefaultTlsVersions registry keys to 1. See Configuring security via the Windows Registry. The .NET Framework version 3.5 supports the SchUseStrongCrypto flag only when an explicit TLS value is passed.

If you are running on .NET Framework 3.5, you need to install a hot patch so that TLS 1.2 can be specified by your program:

  • KB3154518 Reliability Rollup HR-1605 - Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
  • KB3154519 Reliability Rollup HR-1605 - Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
  • KB3154520 Reliability Rollup HR-1605 - Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
  • KB3156421 1605 Hotfix rollup 3154521 for the .NET Framework 4.5.2 and 4.5.1 on Windows

For WCF using .NET Framework 3.5 - 4.5.2 using TCP transport security with Certificate Credentials

These versions of the WCF framework are hardcoded to use the values SSL 3.0 and TLS 1.0. These values cannot be changed. You must update and retarget to .NET Framework 4.6 or later versions to use TLS 1.1 and 1.2.

If your app targets .NET Framework 3.5

If you must explicitly set a security protocol instead of letting the .NET Framework or the OS pick the security protocol, add the SecurityProtocolTypeExtensions and SslProtocolsExtension enumerations to your code. SecurityProtocolTypeExtensions and SslProtocolsExtension include values for Tls12, Tls11, and the SystemDefault value. See Support for TLS System Default Versions included in .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2.

Configuring security via AppContext switches (for .NET Framework 4.6 or later versions)

The AppContext switches described in this section are relevant if your app targets, or runs on, .NET Framework 4.6 or later versions. Whether by default or by setting them explicitly, the switches should be false if possible. If you want to configure security via one or both switches, then don't specify a security protocol value in your code; doing so would override the switches.

The switches have the same effect whether you're doing HTTP networking (ServicePointManager) or TCP sockets networking (SslStream).

Switch.System.Net.DontEnableSchUseStrongCrypto

A value of false for Switch.System.Net.DontEnableSchUseStrongCrypto causes your app to use strong cryptography: the more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) are used and protocols that are not secure are blocked. For more info, see The SCH_USE_STRONG_CRYPTO flag. A value of true disables strong cryptography for your app.

If your app targets .NET Framework 4.6 or later versions, this switch defaults to false. That's a secure default, which we recommend. If your app runs on .NET Framework 4.6, but targets an earlier version, the switch defaults to true. In that case, you should explicitly set it to false.

DontEnableSchUseStrongCrypto should only have a value of true if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

Switch.System.Net.DontEnableSystemDefaultTlsVersions

A value of false for Switch.System.Net.DontEnableSystemDefaultTlsVersions causes your app to allow the operating system to choose the protocol. A value of true causes your app to use protocols picked by the .NET Framework.

If your app targets .NET Framework 4.7 or later versions, this switch defaults to false. That's a secure default that we recommend. If your app runs on .NET Framework 4.7 or later versions, but targets an earlier version, the switch defaults to true. In that case, you should explicitly set it to false.

Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols

A value of false for Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols causes your application to use the value defined in ServicePointManager.SecurityProtocols for message security using certificate credentials. A value of true uses the highest protocol available, up to TLS 1.0.

For applications targeting .NET Framework 4.7 and later versions, this value defaults to false. For applications targeting .NET Framework 4.6.2 and earlier, this value defaults to true.

Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions

A value of false for Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions sets the default configuration to allow the operating system to choose the protocol. A value of true sets the default to the highest protocol available, up to TLS 1.2.

For applications targeting .NET Framework 4.7.1 and later versions, this value defaults to false. For applications targeting .NET Framework 4.7 and earlier, this value defaults to true.

For more information about TLS protocols, see Mitigation: TLS Protocols. For more information about AppContext switches, see <AppContextSwitchOverrides> Element.

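The four switches above can be set in app.config through <AppContextSwitchOverrides> or in code through AppContext.SetSwitch. The following program is an added example for this page, not code from the article: it sets all four to the secure value and reports any that read back as true, which is the situation the article describes for an app that runs on a newer framework than it targets. The switch names are the ones documented above; the helper names are this example's own.

```csharp
// Added example (not from the original article): set the four switches the article documents to
// false in code and report any that are true. This is the programmatic form of the app.config
// override; use one or the other, and do not also set ServicePointManager.SecurityProtocol.
using System;
using System.Collections.Generic;

static class TlsAppContextSwitches
{
    // All four are "Dont"/"Disable" switches: false is the secure value in every case.
    static readonly string[] Switches =
    {
        "Switch.System.Net.DontEnableSchUseStrongCrypto",
        "Switch.System.Net.DontEnableSystemDefaultTlsVersions",
        "Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols",
        "Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions",
    };

    // Same effect as this app.config fragment (the <AppContextSwitchOverrides> element):
    //   <runtime>
    //     <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false;Switch.System.Net.DontEnableSystemDefaultTlsVersions=false;Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions=false" />
    //   </runtime>
    // Call this before any System.Net or WCF code runs: the framework reads a switch the first
    // time it needs it and caches the value for the life of the process.
    public static void ApplySecureDefaults()
    {
        foreach (var name in Switches)
            AppContext.SetSwitch(name, false);
    }

    // Returns the switches whose value is true. A switch that nothing has set (neither config,
    // code, nor the runtime's target-framework defaults) reads as unset and is treated by the
    // framework as false, which is the value the article recommends.
    public static List<string> FindInsecureSwitches()
    {
        var insecure = new List<string>();
        foreach (var name in Switches)
        {
            bool value;
            if (AppContext.TryGetSwitch(name, out value) && value)
                insecure.Add(name);
        }
        return insecure;
    }

    static void Main()
    {
        // For an app that targets an earlier framework but runs on 4.6/4.7, the runtime
        // pre-populates these switches to true; the first line shows that before the fix.
        var before = FindInsecureSwitches();
        Console.WriteLine("Before: " + (before.Count == 0 ? "no switch is true" : string.Join(", ", before)));

        ApplySecureDefaults();

        var after = FindInsecureSwitches();
        Console.WriteLine("After:  " + (after.Count == 0 ? "all switches false" : string.Join(", ", after)));
    }
}
```

Calling ApplySecureDefaults from the first line of Main is the reliable place; a library cannot do this safely because the hosting application may already have performed network I/O.
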
Configuring security via the Windows Registry

Warning

Setting registry keys affects all applications on the system. Use this option only if you are in full control of the machine and can control changes to the registry.

If setting one or both AppContext switches isn't an option, you can control the security protocols that your app uses with the Windows Registry keys described in this section. You might not be able to use one or both of the AppContext switches if your app runs on .NET Framework 4.5.2 or earlier versions, or if you can't edit the configuration file. If you want to configure security with the registry, don't specify a security protocol value in your code; doing so overrides the registry setting.

The names of the registry keys are similar to the names of the corresponding AppContext switches but without DontEnable prepended to the name. For example, the AppContext switch DontEnableSchUseStrongCrypto corresponds to the registry key called SchUseStrongCrypto.

These keys are available in all .NET Framework versions for which there's a recent security patch. See Security updates.

All of the registry keys described below have the same effect whether you're doing HTTP networking (ServicePointManager) or TCP sockets networking (SslStream).

SchUseStrongCrypto

The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. A value of 0 disables strong cryptography. For more information, see The SCH_USE_STRONG_CRYPTO flag.

If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app runs on .NET Framework 4.6, but targets an earlier version, then the key defaults to 0. In that case, you should explicitly set its value to 1.

This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.

SystemDefaultTlsVersions

The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SystemDefaultTlsVersions registry key has a value of type DWORD. A value of 1 causes your app to allow the operating system to choose the protocol. A value of 0 causes your app to use protocols picked by the .NET Framework.

<VERSION> must be v4.0.30319 (for .NET Framework 4 and above) or v2.0.50727 (for .NET Framework 3.5).

If your app targets .NET Framework 4.7 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app runs on .NET Framework 4.7 or later versions, but targets an earlier version, the key defaults to 0. In that case, you should explicitly set its value to 1.

For more info, see Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016.

For more information with .NET Framework 3.5.1, see Support for TLS System Default Versions included in .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1.

The following .REG file sets the registry keys and their variants to their most safe values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Configuring Schannel protocols in the Windows Registry

You can use the registry for fine-grained control over the protocols that your client and/or server app negotiates. Your app's networking goes through Schannel (which is another name for Secure Channel). By configuring Schannel, you can configure your app's behavior.

Start with the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry key. Under that key you can create any subkeys in the set SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. Under each of those subkeys, you can create subkeys Client and/or Server. Under Client and Server, you can create DWORD values DisabledByDefault (0 or 1) and Enabled (0 or 0xFFFFFFFF).

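The .REG file above writes the values; what a machine actually has is a separate question, because the .NETFramework keys exist in both the 64-bit and the Wow6432Node (32-bit) views and the Schannel Protocols subkeys may have been edited by other software. The following read-only program is an added example for this page, not code from the article: it reports every .NETFramework value that is not 1 in either view and dumps whatever Schannel protocol settings are present. It assumes it runs on Windows with read access to HKEY_LOCAL_MACHINE, which does not require administrator rights for these keys.

```csharp
// Added example (not from the original article): a read-only audit of the registry values the
// article documents, in both 32-bit and 64-bit views, plus the Schannel Protocols subkeys.
using System;
using System.Collections.Generic;
using Microsoft.Win32;

static class TlsRegistryAudit
{
    static readonly string[] FrameworkVersions = { "v2.0.50727", "v4.0.30319" };
    static readonly string[] FrameworkValues = { "SchUseStrongCrypto", "SystemDefaultTlsVersions" };

    // Checks HKLM\SOFTWARE\Microsoft\.NETFramework\<VERSION> in the 64-bit and 32-bit views
    // (the 32-bit view is what appears under Wow6432Node), reporting anything that is not 1.
    // A missing value is reported too: its effective default then depends on the framework the
    // app targets, so it deserves a look even though it is not necessarily a defect.
    public static List<string> AuditFrameworkKeys()
    {
        var findings = new List<string>();
        foreach (var view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        foreach (var version in FrameworkVersions)
        using (var key = hklm.OpenSubKey(@"SOFTWARE\Microsoft\.NETFramework\" + version))
        foreach (var name in FrameworkValues)
        {
            object value = key == null ? null : key.GetValue(name);
            if (!(value is int) || (int)value != 1)
                findings.Add(string.Format(@"[{0}] .NETFramework\{1}\{2} = {3} (expected 1)",
                    view, version, name, value ?? "<missing>"));
        }
        return findings;
    }

    // Lists the Schannel Protocols\<protocol>\<Client|Server> values that exist. Enabled=0 or
    // DisabledByDefault=1 turns that protocol off for every Schannel consumer on the machine;
    // an absent subkey means the OS default for that Windows version applies. A DWORD of
    // 0xFFFFFFFF reads back as -1 here.
    public static List<string> ReadSchannelProtocols()
    {
        var report = new List<string>();
        const string path = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";
        using (var protocols = Registry.LocalMachine.OpenSubKey(path))
        {
            if (protocols == null) { report.Add("No Protocols key: OS defaults apply"); return report; }
            foreach (var protocol in new[] { "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2" })
            foreach (var side in new[] { "Client", "Server" })
            using (var k = protocols.OpenSubKey(protocol + "\\" + side))
            {
                if (k == null) continue;
                object enabled = k.GetValue("Enabled");
                object disabledByDefault = k.GetValue("DisabledByDefault");
                report.Add(string.Format("{0}/{1}: Enabled={2}, DisabledByDefault={3}",
                    protocol, side, enabled ?? "<unset>", disabledByDefault ?? "<unset>"));
            }
        }
        return report;
    }

    static void Main()
    {
        var findings = AuditFrameworkKeys();
        Console.WriteLine(findings.Count == 0
            ? ".NETFramework keys: all values are 1"
            : ".NETFramework keys:\n  " + string.Join("\n  ", findings));

        Console.WriteLine("Schannel protocols:\n  " + string.Join("\n  ", ReadSchannelProtocols()));
    }
}
```

Run this before and after importing the .REG file to confirm that all four locations took the value, and keep the Schannel report with the change record: a protocol disabled under Protocols\...\Client is invisible to application code and shows up only as failed handshakes.
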
The SCH_USE_STRONG_CRYPTO flag

When it's enabled (by default, by an AppContext switch, or by the Windows Registry), the .NET Framework uses the SCH_USE_STRONG_CRYPTO flag when your app requests a TLS security protocol. The OS passes the flag to Schannel to instruct it to disable known weak cryptographic algorithms, cipher suites, and TLS/SSL protocol versions that may otherwise be enabled for better interoperability. For more information, see:

The SCH_USE_STRONG_CRYPTO flag is also passed to Schannel when you explicitly use the Tls (TLS 1.0), Tls11, or Tls12 enumerated values of SecurityProtocolType or SslProtocols.

Security updates

The best practices in this article depend on recent security updates being installed. These updates include the ability to use advanced .NET Framework 4.7 and later features. Recent security updates are important if your app runs on .NET Framework 4.7 and later versions (even if it targets an earlier version).

To update the .NET Framework to allow the operating system to choose the best version of TLS to use, you must install at least:

See also:

Support for TLS 1.2

For your app to negotiate TLS 1.2, the OS and the .NET Framework version both need to support TLS 1.2.

Operating system requirements to support TLS 1.2

To enable or re-enable TLS 1.2 and/or TLS 1.1 on a system that supports them, see Transport Layer Security (TLS) registry settings.

| OS | TLS 1.2 support |
|---|---|
| Windows 10, Windows Server 2016 | Supported, and enabled by default. |
| Windows 8.1, Windows Server 2012 R2 | Supported, and enabled by default. |
| Windows 8.0, Windows Server 2012 | Supported, and enabled by default. |
| Windows 7 SP1, Windows Server 2008 R2 SP1 | Supported, but not enabled by default. See the Transport Layer Security (TLS) registry settings web page for details on how to enable TLS 1.2. |
| Windows Server 2008 | Support for TLS 1.2 and TLS 1.1 requires an update. See Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2. |
| Windows Vista | Not supported. |

For information about which TLS/SSL protocols are enabled by default on each version of Windows, see Protocols in TLS/SSL (Schannel SSP).

Requirements to support TLS 1.2 with .NET Framework 3.5

This table shows the OS update you'll need to support TLS 1.2 with .NET Framework 3.5. We recommend you apply all OS updates.

| OS | Minimum update needed to support TLS 1.2 with .NET Framework 3.5 |
|---|---|
| Windows 10, Windows Server 2016 | Cumulative Update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: May 10, 2016 |
| Windows 8.1, Windows Server 2012 R2 | Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2 |
| Windows 8.0, Windows Server 2012 | Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012 |
| Windows 7 SP1, Windows Server 2008 R2 SP1 | Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1 |
| Windows Server 2008 | Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2 |
| Windows Vista | Not supported |

Azure Cloud Services

If you are using Azure Cloud Services Web and Worker roles to host and run your application, there are some considerations that you need to take into account to support TLS 1.2.

.NET Framework 4.7 is not installed on Azure Guest OS by default

The latest version installed in the latest Azure Guest OS Family 5 release (Windows Server 2016) is 4.6.2. To see which versions of .NET Framework are installed on each Azure Guest OS, see the Azure Guest OS releases and SDK compatibility matrix.

If your app targets a .NET Framework version that is not available on the Azure Guest OS version, then you need to install it yourself. See Install .NET on Azure Cloud Service Roles. If the framework installation requires a restart, the service roles might also restart before entering the Ready state.

Azure Guest OS registry settings

The Azure Guest OS Family 5 image for Azure Cloud Services already has the SchUseStrongCrypto registry key set to a value of 1. For more information, see SchUseStrongCrypto.

Set the SystemDefaultTlsVersions registry key to 1. See Configuring security via the Windows Registry.