Reading Time: < 1 minute

Force TLS in .NET

Versions before ASP.NET 4.7 default to making outbound connections using TLS 1.0. This is a real problem for security for many reasons. It’s now been deprecated with many CVEs. Some of these vulnerabilities make TLS 1.0 vulnerable to man-in-the-middle attacks. A lot of APIs will not accept incoming requests from TLS 1.0 because of this.

TLS 1.0 Vulnerabilities

CVE-2011-3389

ASP.NET

It’s easy to fix this by simply adding the code below in the global.asax file.

In this sample, we are using a standard ASP.NET MVC 4.5.2 project.