Tuesday, August 25, 2015

How to make .Net 4.0 & 4.5 use TLS 1.2

Basics of HTTP(S)

Unless its not for fun, all the web sites needs to be hosted using http(s). Is http(s) that much important? I will say yes. Otherwise there are chances that our site will be viewed by people with different content than what we published. The web page is not directly sent from web server to the client computer. It goes through various devices which can manipulate the content inside the site. eg: I as a free Wi-Fi provider can inject my own ads into the sites if they are simply using plain http connection. There were incidents happened as well.

Yes it is important to have our web site served via http(s) to make sure our customer are seeing what we are sending them. How http(s) is solving this. Simply saying, it uses encryption when the web page contents are transmitted. So no one can see the content who has access to the intermediate devices. Even if they inject some content, it won't get displayed in our browser as browser will not be able to decrypt the modified contents.

People who are curious on internal will have many questions by now. If our browser say Chrome can decrypt the content why can't someone who has Chrome browser source code decrypt the same to see the contents.

Welcome to the world of security!!! There are concepts of encryption keys. Only people with key can decrypt the encrypted content. Ok in this case if we have the key to decrypt the contents why can the attacker obtains the same key from the web server by accessing the same site from browser? That is solved with key exchange and usage of asymmetric and symmetric encryptions wisely. What is key exchange? It is sequence of steps involved to establish communication between 2 parties and here its web server and client browser. This process is called the secure http protocol.

Its enough and getting more complicated. Interested readers can please go through the links below to understand it more. 

Others just continue on the assumption that http(s) is the silver bullet to make sure what our viewers seeing is what we sent from server.

Versions of http(secure)

Ensuring security is always a continuous process. There are chances that there may be a new flaw in protocol in future and we need to fix that issue. It becomes next version of protocol. When the issue is fixed by specs the existing web servers and browsers also needs to be fixed and it leads to their next version or patch. 

But can we expect all the people in the world updates their browser as soon as the new fixed version or patch is released? Can the new fixed browsers assume that all the web servers its communicated are updated with latest protocol version? Absolutely no. This requires different versions of this communication protocol to be live side by side in the internet. It is the duty of the communicators to settle in what protocol to be used. When we say protocol it includes the encryption details, key exchange details etc...

Wiki will give more details on secure http versions and the latest as of today is TLS 1.2 and TLS 1.3 is in draft.

Fallbacks

As we seen earlier, https is a protocol before starting both parties involved in communication needs to agree on the method. It is not much complicated. Obviously one party needs to tell that what it is supported and the server selects the latest technique. Though one party is capable of using latest protocol, it may not use that as the other end doesn't know and this is called fallback.

Check what is our client browser is using

We saw that http(s) will solve a big security issue. It needs a server side web server software and client side browser software who understands the encryption algorithms. Also it is versioned

Is our browser capable of working with latest http(s) which is TLS 1.2? Just browse to the below url to see what is the protocols supported in our browser.

https://www.howsmyssl.com/

They provide API as well which our application can call and understand what it can support. We will be seeing how an application can check this shortly

https://www.howsmyssl.com/a/check

Check whether web site is using SSL/TLS?

Similarly if we want to check whether a particular site is using secure http go to below url and enter the web site url.

https://www.ssllabs.com/ssltest/

Tools to inspect the network communication

If we want to ensure the protocol at the low levels of system we can use tools such as wireshark and all. Those tools help us to inspect the messages in byte level.


How to host a web site in https

What ever we discussed above was all general and nothing related to software development. Lets see how a web site can be hosted with secure http protocol.

The basic need for this is a certificate which is used as key in encryption. We can create self sighed certificate or buy from certificate issuing authority. Once we have the certificate, it can be associated with our web site via web server. How to associate the certificate with web site changes from technology to technology.  Below is a link which explains how a site can be hosted securely using https protocol in IIS web server.

How to access SSL site from .Net

We can write applications which can request web sites for web pages as well as data in the same way browser application is requesting data. In MIcrosoft .Net there are many ways such as WebClient, WCF etc...

Below is the code which can be used to access https://www.howsmyssl.com API from C#.Net application.

var response = WebRequest.Create("https://www.howsmyssl.com/a/check").GetResponse();
var responseData = new StreamReader(response.GetResponseStream()).ReadToEnd();
Console.WriteLine(responseData);


On console we can see response similar to this.

Hosting WCF Service using http(s)

Hosting WCF using http(s) is not much different than hosting a web site using https. Differences mainly include changes in the web.config file to use Transport security. Below is a link which explains how we can host a WCF web service via http(s)

Accessing http(s) WCF Service from .Net client

Similarly when we are consuming WCF service hosted via https, we need to make sure the service client is configured to use Transport security. Below link explains how a .Net client can access http WCF service. Just change the binding security to Transport in web.config

Why TLS 1.2

Lets come to TLS 1.2. As we have seen above, the latest version of secure http protocol is TLS 1.2. It means there were problems in earlier versions and its fixed in 1.2. So we need to make sure that as a security conscious user our browsers needs to be upgraded to support TLS 1.2. Will upgrading browser make sure all the connections are using TLS 1.2 protocol? 

No if we are accessing a web site which is hosted in a environment without TLS 1.2, our browser will fall back to older protocol version. If we want to avoid falling back to TLS 1.2, we can change the settings in all modern browsers such as ChromeFirefox and IE to always use TLS 1.2 and that is recommended.

More interested readers can google and see what are the changes happened in TLS 1.2 which is based on TLS 1.1.

Obviously as a responsive software engineer, we should make sure all our web applications must be supporting TLS 1.2 which is the latest at this moment. Need to use proper web servers and technologies to support the same. If we are not moving with the crowd it is very difficult to sustain in the market.

Enable TLS 1.2 at OS level

Not every windows operating systems are equipped with TLS 1.2 by default. Below is a link explains how to enable TLS 1.2 in Windows 2008R2,Windows 7 and IIS 7.5. I believe people are still using these versions. 

http://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
http://tecadmin.net/enable-tls-on-windows-server-and-iis/

In Windows Server 2012 & Windows 8.1 TLS 1.2 is enabled by default.

Not that this will make sure the TLS 1.2 is enabled at OS level. Also the default apps such as IIS web server and IE browser will also follow the same protocol by default. Basically there is a system level dll called schannel.dll which is responsible for this secure communication and applications are calling the API provided by it to have secure communication. Obviously there are applications which are not replying on schannel to do communication. eg:Chroms and Firefox are not using this schannel so they can use TLS 1.2 even when they are running inside Windows Vista.

Similarly when we say Windows Vista, 2008 and below are not supporting TLS 1.2, we should understand that their schannel.dll doesn't have support for the protocol.


TLS 1.2 and Microsoft.Net

Now lets focus on using TLS 1.2 in .Net world. We need to make sure that the web sites are served via TLS 1.2 protocol and client apps which are consuming the same need to support TLS 1.2. .Net is running on top of operating system and mostly its windows. If host windows supports TLS 1.2 .Net can also support TLS 1.2 as it relies on schannel.dll1

The first task here is to make sure we are using the right tools and technologies.

TLS 1.2 and .Net Framework 4.5

.Net is also versioned. Versions below 4.5*doesn't know how to communicate via TLS 1.2.In .Net 4.5 the TLS 1.2 is enabled by default. Simply compile our applications in ,Net 4.5 and we will get TLS 1.2 communication for our applications.

How to make .Net 4.0 app talk using TLS 1.2

Technically speaking just recompile existing older application to .Net 4.5 to get TLS 1.2 support. It sounds simple as everybody expecting that there are no breaking changes in .Net 4.5 and our application will function as is. But if we are serious about delivering quality software we also need to test entire app in 4.5 before shipping. It really adds cost.

Lets see if there are any ways to use TLS 1.2 by .Net 4.0 apps.

System.dll overwrite

When we install .Net 4.5 its basically adding changes on top of .Net 4.0. In other words the System.dll used for 4.0 apps will be overwritten to 4.5 version of System.dll. So there are possibilities that .Net 4.0 apps will execute 4.5 code when they access functions in System.dll. Which means if we have .Net 4.5 installed in the machine where our .Net 4.0 is running it can take advantage of TLS1.2. All our solutions below are depending on this factor.

Below links explains the .Net versioning and overwriting.

1.Code change in 4.0 to use TLS 1.2

Now its the matter of changing the default protocol used by 4.0 to TLS 1.2. This can be done by forcefully changing the  protocol as below.

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;//SecurityProtocolType.Tls1.2;


If we look at the SecurityProtocolType enum for .Net 4.0, we will not be able to see the TLS1.2. But in 4.5 we can see that. So .Net 4.0 will not compile if we use TLS1.2 enum value. But if we use the TLS1.2 enum number it will compile and at runtime since the .Net 4.0's System.dll is replaced with 4.5 the cast will work. 

Please note that this will fail if we are running the same app in a machine which don't have 4.5 installed. Recommended only for servers where its easy to manage the .Net version.

2.Registry change to force .Net 4.0 to use TLS 1.2

If we inspect the .Net 4.5 ServicePointManager source code we can see that the default protocol is depending on the below registry entry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319: SchUseStrongCrypto to DWORD 1

The default value will be 0. Simply change this to 1 to get .Net 4.5 System.dll use TLS 1.2. Since our 4.0 application uses 4.5 System.dll 4.0 gets TLS 1.2 support.

http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5

References

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Client_.28Browser.29_Configuration
https://www.simple-talk.com/dotnet/.net-framework/tlsssl-and-.net-framework-4.0/
https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.110).aspx
https://istlsfastyet.com/
http://blogs.msdn.com/b/benjaminperkins/archive/2014/11/04/using-tls-1-2-with-wcf.aspx
http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx
http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html


1 - This is as of my understanding. Was not able to get any authentic links.
*-As far as my understanding TLS 1.2 support came from .Net 4.5. I am using 4.5.2 currently.

16 comments:

Unknown said...

The registry key given in 2.Registry change to force .Net 4.0 to use TLS 1.2 is great... for 64bit apps. You should probably also specify this for the equivalent key in the virtualized registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

John said...

I am looking for a solution that in my Dot net app under IIS to call TLS 1.2 while keep using .Net framework 4.0. From this post, I saw Joymon was talking about some working around. Did anyone try to use private assembling that using system.dll overwrite without installing Framework 4.5 to get app work to call other service that support TLS 1.2 only?

Thanks

Ahammad Firoj said...

Actually this one line code is needed for enabling Tls1.2 in .net 4.0

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

Thanks a lot. It is really working

Khushboo Murad said...

Hi Firoj,

Did you install .net Framework 4.5 ? If not then where did you write this piece of code ?
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;


Thanks,
Khushboo

N.Ragavendhran said...

Hi Ms Murad,

What Firoj saying is he had installed the 4.5 in his machine. But he don't want to migrate his whole application from 4.0 to 4.5 just only for this amend. So he implemented the Tls1.2 in 4.0 application from dev side and it will run on 4.5 installed machine.

Am i right Firoj?

Ragav

Joymon said...

Thanks for the answers. Even you don't need any code change, if your app is 4.0 but 4.5 is installed in the machine. Just do the registry change.

ARUN said...

Hi, I am trying to use (SecurityProtocolType)3072 in an which uses an API call in an application which uses .Net Framework 4.0 and the server in which i host the application has .Net Framework 4.0 in it.But i am still getting the error as :
Error: The requested security protocol is not supported.. at System.Net.ServicePointManager.set_SecurityProtocol(SecurityProtocolType value).
Can i proceed with the registry change to get it fixed?

desk_star said...

@ARUN does your OS support TLS 1.2?

desk_star said...

@ARUN and of course you need .Net 4.5 installed anyway.

desk_star said...

From the reference source code:

//.Net 4.5.2 and below will default to false unless the registry key is specifically set to 1.
schUseStrongCryptoKeyValue =
RegistryConfiguration.GlobalConfigReadInt(strongCryptoValueName, 0);

disableStrongCryptoInternal = schUseStrongCryptoKeyValue != 1;

So even .Net 4.5.2 even though it supports strong encryption (TLS 1.2) will not use it by default? Is that correct?

ARUN said...

Thanks for the info @desk_star

Blogger said...

Get all the best alcoholic drinks on Duty Free Depot!

All the world famous brand name beverages for unbelievable low prices.

Abiya Carol said...

But in my opinion, I already get more than enough through Microsoft's newsletters through their cloud, partner and tech programs that I don't really have time for following blogs unless I accidentally stumble upon one through the practise of my google-fu.

dotnet training in chennai

Karthika Shree said...

Excellent and very cool idea and the subject at the top of magnificence and I am happy to this post..Interesting post! Thanks for writing it.What's wrong with this kind of post exactly? It follows your previous guideline for post length as well as clarity.
Dot Net Training in Chennai

Blogger said...

If you want your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (no matter why you broke up) you got to watch this video
right away...

(VIDEO) Why your ex will NEVER come back...

Blogger said...

Quantum Binary Signals

Professional trading signals delivered to your mobile phone every day.

Start following our signals today and gain up to 270% per day.