强制HttpClient强制TSL高于1.0 [英] Forcing HttpClient to enforce TSL higher than 1.0
问题描述
我的WPF应用程序连接到Azure Web API.端点将配置为拒绝访问任何非安全(HTTP)或安全性较弱(带有TLS 1.0或更旧版本的HTTPS)请求.但是我也希望我的应用程序永远不要尝试发送不安全或安全性较弱的请求.
My WPF app connects to an Azure Web API. The endpoints will be configured to deny access to any non secured (HTTP) or weakly secured (HTTPS with TLS 1.0 or older) requests. But I also want my App to never even try sending non secured or weakly secured requests.
Microsoft建议在此处和那里以Framework 4.7为目标并离开
Microsoft recommends here and there to target the Framework 4.7 and to leave ServicePointManager.SecurityProtocol to its default value so that the OS determines what protocol to use.
我提到的第二篇文章还指出Windows 7将依赖TLS 1.0,强烈建议不要依赖TLS 1.0.因此,我知道我可以信任操作系统以获取其可获得的最佳安全性,但是如果最佳选择仍然是一个糟糕的选择,则不能信任操作系统不发送请求.
The second article I mentioned also indicates Windows 7 will rely on TLS 1.0, just a few lines after having highly recommended not to rely upon TLS 1.0. So I understand I can trust the OS to get the best layer of security it has available, but cannot trust the OS for not sending a request if the best option is still a bad option.
我的应用依赖于System.Net.Http.HttpClient.我想确保通过此客户端拨打的电话是:
My App relies on System.Net.Http.HttpClient. I would like to make sure that the calls I make through this client are:
- 始终固定.也就是说,始终使用HTTPS,从不使用HTTP.
- 始终保持足够的水平.也就是说,至少要依赖TLS 1.1;但绝不使用TLS 1.0或SSL.
我该如何实现?
- 对于第1点,我已经读过,我应该简单地指定"https://"创建URI对象时;这总是真的吗?
- 对于第2点,我可以对所有
SecurityProtocolType此答案仍然正确吗? - For point 1, I have read I should simply specify "https://" when creating the URI object; is this always true?
- For point 2, I could do a bitwise combination of all the
SecurityProtocolTypeenum, excluding.ssl3and.Tls, but that would also exclude any future technologies (TLS1.4?). Is this answer still true now that the.SystemDefaultfield has been added to the enum?
How can I achieve this?
推荐答案
正如Devs在HttpClient协商从操作系统传递TLS之前所说的那样.特别是在W7中,默认情况下未启用它以允许应用程序正确使用它.
为了解决这个问题,如果您不想在运行应用程序的计算机上更新.NET框架,或者您不对操作系统进行任何更新,则需要更新注册表上的某些项.您可以通过VB.Net中的代码来做到这一点.在下面的示例中,我想向您显示需要更新/设置的键.
另外,如果您获得此代码并创建.reg文件并尝试执行,则可以解决计算机中的问题,但对于分布式应用程序,则需要通过在安装了应用程序的每台计算机中的代码来执行此操作.
请注意,标签v2.0.50727或标签v4.0.30319是计算机上安装的.Net Framework的版本.这意味着您必须先了解所安装的版本(也可以通过注册表或代码来获取),以及是否已在其中一个版本中编译了您的应用程序.您只能更新您的应用程序所使用的版本.
As Devs said before HttpClient negotiate TLS passing from OS. Especially in W7, isn’t enabled by default to permit applications to use that correctly.
In order to resolve that you need to update some keys on registry IF YOU DON’T WANT TO UPDATE .NET FRAMEWORK ON MACHINE WHERE YOUR APP IS RUNNING FOR or you don’t do any update on OS. You can do that by code in VB.Net. In the example below I want to show you THE KEYS which needs to updated/setted.
Also if you get this code and create a .reg file and try to execute you resolve the problem in your machine but for distributed apps you need to do that by code in every machine your app is installed.
Note that, the label v2.0.50727 or the label v4.0.30319 is the version of .Net framework installed on machine. That means you have to known before the version installed (you can get that also by registry or by code) and if your application is compiled in one of those versions. You can update only the version your app is using for.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
这篇关于强制HttpClient强制TSL高于1.0的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
