WCF 服务 TLS 1.2 实施 [英] WCF Service TLS 1.2 Enforcement
问题描述
我们正在尝试在我们的 WCF 服务中强制实施 TLS 1.2.
我们的 WCF 服务托管在我们的 VM Box 上的 IIS 上.我们不确定如何为我们的服务禁用 TLS 1.0 和 TLS 1.1.我们尝试了以下方法:
We are trying to enforce TLS 1.2 in our WCF Service.
We have our WCF Service hosted on IIS on our VM Boxes.
We are not sure how to disable TLS 1.0 and TLS 1.1 for our service.
We have tried the following approach:
我们的 WCF 服务(服务器端)和(客户端)中的配置更改** –
Configuration change in our WCF Service (Server side) and (client side)** –
对于客户端,我们在主方法中添加了以下代码——
For the client side, we added the following code in our main method –
Remove insecure protocols (SSL3, TLS 1.0, TLS 1.1)
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls11;
// Add TLS 1.2, 1.3
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls13;
<小时>
我们已经验证这在客户端有效,即客户端在此配置后仅使用 TLS 1.2 发送请求.但是在我们的服务器端 WCF 服务上相同的配置不起作用.我们已经在 Application_Start 方法中的 global.asax 文件中为我们的服务器,但托管在 IIS 服务器上的 WCF 服务仍接受 TLS 1.0/1.1 请求.
我们尝试了另一种方法,在 Windows Server 上更改注册表项以禁用整个 VM 框的 TLS 1.0、TLS 1.1.使用这种方法的障碍是我们的 VM 上还有许多其他服务,如果我们在整个服务器上进行配置更改,这可能会受到影响.
We have verified that this works on the client side, i.e., the client uses only TLS 1.2 to send requests after this config.
But the same configuration on our Server side WCF service does not work.
We have written this config change inside global.asax file inside Application_Start method for our
server, but the WCF Service hosted on IIS Server still accepts TLS 1.0/1.1 requests.
We have tried another method where we did registry key changes on Windows Server to disable TLS 1.0, TLS 1.1 for the whole VM box.
The blocker for going with this method is that there are many other services on our VM,
which might get affected if we do a configuration change on the whole server.
是否有任何工作方法可以让我们更改 WCF 服务的配置以在服务级别禁用 TLS 1.0/1.1 请求?
任何帮助将不胜感激.:-)
Is there any working method wherein we change the configuration of our WCF Service to disable serving TLS 1.0/1.1 requests on the service level?
Any help would be appreciated. :-)
推荐答案
一开始我们最好不要手动指定 TLS 版本,让 OS 决定 TLS 版本.请查看 TLS 最佳实践的官方文档.
https://docs.microsoft.com/en-us/dotnet/framework/网络编程/tls
如果OS和项目的SDK支持TLS1.2(需要先决条件,Dotnet4.6.1+,win7+),我们可以在客户端通过下面的代码指定通信时使用的TLS版本.
At first, we had better not specify the TLS version manually, just let the OS decide on the TLS version. Please check the official document of TLS best practices.
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
Provided that OS and project’s SDK support TLS1.2(it needs prerequisites, Dotnet4.6.1+,win7+),We could specify the TLS version used during the communication by the below code on the client-side.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
此外,修改 Windows 注册表可以禁用某些版本协议.请参考以下链接.
https://serverfault.com/questions/733994/how-to-disable-tls-1-0-in-windows-2012-rdp
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
如果有什么我可以帮忙的,请随时告诉我.
Besides, modifying the Windows registry can disable certain version protocols.
Please refer to the below link.
https://serverfault.com/questions/733994/how-to-disable-tls-1-0-in-windows-2012-rdp
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Feel free to let me know if there is anything I can help with.
这篇关于WCF 服务 TLS 1.2 实施的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
