Home Software Development .NET Force TLS in .NET

Force TLS in .NET

1662

Force TLS in .NET

Versions before ASP.NET 4.7 default to making outbound connections using TLS 1.0. This is a real problem for security for many reasons. It’s now been deprecated with many CVEs. Some of these vulnerabilities make TLS 1.0 vulnerable to man-in-the-middle attacks. A lot of APIs will not accept incoming requests from TLS 1.0 because of this.

TLS 1.0 Vulnerabilities

CVE-2011-3389

ASP.NET

It’s easy to fix this by simply adding the code below in the global.asax file.

// force TLS 1.2
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12

In this sample, we are using a standard ASP.NET MVC 4.5.2 project.

    public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            GlobalConfiguration.Configure(WebApiConfig.Register);
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            SimpleInjectorConfig.ConfigureInjector();

            // force TLS 1.2
            System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
        }