Force TLS in .NET

Versions before ASP.NET 4.7 default to making outbound connections using TLS 1.0. This is a real security problem: TLS 1.0 is now deprecated and has many CVEs against it. Some of these vulnerabilities expose TLS 1.0 to man-in-the-middle attacks, and many APIs will not accept incoming TLS 1.0 requests because of this.

TLS 1.0 Vulnerabilities

CVE-2011-3389

ASP.NET

It’s easy to fix this by simply adding the code below in the global.asax file.

    // force TLS 1.2
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

In this sample, we are using a standard ASP.NET MVC 4.5.2 project.

    using System.Web.Http;
    using System.Web.Mvc;
    using System.Web.Routing;

    public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            GlobalConfiguration.Configure(WebApiConfig.Register);
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            SimpleInjectorConfig.ConfigureInjector();

            // force TLS 1.2 for outbound connections made through ServicePointManager
            System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
        }
    }
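
The assignment above replaces the whole protocol set with TLS 1.2. As an added example (not code from the original post), the hypothetical `OutboundTlsPolicy` helper below strips SSL 3.0, TLS 1.0 and TLS 1.1, adds TLS 1.2, keeps any other flag already set, and fails startup if a legacy protocol is still enabled. It assumes a .NET Framework project like the sample, and it leaves the value untouched when it is 0, which on .NET Framework 4.7 and later means the operating system chooses the protocol.

```csharp
using System;
using System.Diagnostics;
using System.Net;

// Added example: OutboundTlsPolicy is a hypothetical helper, not code from the post.
public static class OutboundTlsPolicy
{
    // Protocol versions to switch off for outbound connections.
    private const SecurityProtocolType Legacy =
        SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;

    // 0 is SecurityProtocolType.SystemDefault on .NET Framework 4.7+; the named
    // member does not exist when compiling against 4.5.2, hence the cast.
    private const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;

    // Pure function so the policy can be unit-tested without touching global state.
    public static SecurityProtocolType Harden(SecurityProtocolType current)
    {
        if (current == SystemDefault)
        {
            return current; // the OS already decides; do not pin a version
        }
        return (current & ~Legacy) | SecurityProtocolType.Tls12;
    }

    // Call once from Application_Start, before any outbound request is made.
    public static void Apply()
    {
        SecurityProtocolType before = ServicePointManager.SecurityProtocol;
        ServicePointManager.SecurityProtocol = Harden(before);
        SecurityProtocolType after = ServicePointManager.SecurityProtocol;

        // Fail closed: refuse to start if a legacy protocol is still enabled.
        if ((after & Legacy) != 0)
        {
            throw new InvalidOperationException(
                "Legacy SSL/TLS still enabled for outbound connections: " + after);
        }
        Trace.TraceInformation("Outbound TLS protocols: {0} -> {1}", before, after);
    }
}
```

To use it, call `OutboundTlsPolicy.Apply();` in `Application_Start` in place of the direct assignment.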