Force TLS in .NET
Versions before ASP.NET 4.7 default to making outbound connections using TLS 1.0. This is a real security problem for many reasons. TLS 1.0 is now deprecated and has many CVEs against it. Some of these vulnerabilities expose TLS 1.0 connections to man-in-the-middle attacks. Because of this, a lot of APIs will not accept incoming requests made over TLS 1.0.
TLS 1.0 Vulnerabilities
ASP.NET
It’s easy to fix this by simply adding the code below in the global.asax file.
```csharp
// force TLS 1.2
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
```
In this sample, we are using a standard ASP.NET MVC 4.5.2 project.
```csharp
using System.Web.Http;    // GlobalConfiguration
using System.Web.Mvc;     // AreaRegistration, GlobalFilters
using System.Web.Routing; // RouteTable

public class WebApiApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        GlobalConfiguration.Configure(WebApiConfig.Register);
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        SimpleInjectorConfig.ConfigureInjector();

        // force TLS 1.2 for every outbound connection made by this application
        System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
    }
}
```
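To confirm that the setting is in effect, the check below captures the ClientHello the process sends to a local listener and reads the protocol version it offers. This is an added example, not code from the original post; `OutboundTlsCheck` and `OfferedVersion` are hypothetical names, and it assumes .NET Framework 4.5 or later.

```csharp
using System.Net;
using System.Net.Sockets;
using System.Threading.Tasks;

// Added example (hypothetical names): reports the highest TLS version this
// process offers on outbound HTTPS by capturing its own ClientHello locally.
static class OutboundTlsCheck
{
    public static string OfferedVersion()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0); // any free port
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        // Accept one connection and keep its first 11 bytes: 5-byte record
        // header, 4-byte handshake header, 2-byte client_version.
        Task<byte[]> capture = Task.Run(() =>
        {
            using (TcpClient peer = listener.AcceptTcpClient())
            {
                var buf = new byte[11];
                NetworkStream stream = peer.GetStream();
                int read = 0, n;
                while (read < buf.Length && (n = stream.Read(buf, read, buf.Length - read)) > 0)
                    read += n;
                return buf;
            }
        });

        try
        {
            var request = (HttpWebRequest)WebRequest.Create("https://127.0.0.1:" + port + "/");
            request.Proxy = null;   // connect directly to the local listener
            request.Timeout = 5000; // milliseconds
            request.GetResponse().Dispose();
        }
        catch (WebException) { }    // expected: the listener never answers the handshake
        finally { listener.Stop(); }

        byte[] hello = capture.Result;
        if (hello[0] != 0x16 || hello[5] != 0x01) return "no ClientHello captured";
        switch ((hello[9] << 8) | hello[10])
        {
            case 0x0300: return "SSL 3.0";
            case 0x0301: return "TLS 1.0";
            case 0x0302: return "TLS 1.1";
            case 0x0303: return "TLS 1.2"; // TLS 1.3 clients also send 0x0303 here
            default: return "unknown";
        }
    }
}
```

Called after the assignment in `Application_Start`, it should return `TLS 1.2`; a lower value means the setting has not taken effect for that process.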