.NET 4.5 中的默认安全协议 [英] Default SecurityProtocol in .NET 4.5

问题描述

与最高支持 TLS 1.2 的服务器通信的默认安全协议是什么?.NET 会默认选择服务器端支持的最高安全协议还是我必须明确添加这行代码:

What is the default security protocol for communicating with servers that support up to TLS 1.2? Will .NET by default, choose the highest security protocol supported on the server side or do I have to explicitly add this line of code:

System.Net.ServicePointManager.SecurityProtocol = 
SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

除了更改代码之外，还有其他方法可以更改此默认设置吗?

Is there a way to change this default, besides a code change?

最后，.NET 4.0 是否只支持 TLS 1.0?即我必须将客户端项目升级到 4.5 以支持 TLS 1.2.

Lastly, does .NET 4.0 only support up to TLS 1.0? i.e. I have to upgrade client projects to 4.5 to support TLS 1.2.

我的动机是在客户端删除对 SSLv3 的支持，即使服务器支持它(我已经有一个 powershell 脚本在机器注册表中禁用它)并支持最高的 TLS 协议服务器支持.

My motivation is to remove support for SSLv3 on the client side even if server supports it (I already have a powershell script to disable this in the machine registry) and to support the highest TLS protocol that the server supports.

更新:查看 .NET 4.0 中的 ServicePointManager 类，我看不到 TLS 1.0 和 1.1 的枚举值.在 .NET 4.0/4.5 中，默认为 SecurityProtocolType.Tls|SecurityProtocolType.Ssl3.希望在注册表中禁用 SSLv3 不会破坏此默认设置.

Update: Looking at the ServicePointManager class in .NET 4.0 I see no enumerated values for TLS 1.0 and 1.1. In both .NET 4.0/4.5, the default is SecurityProtocolType.Tls|SecurityProtocolType.Ssl3. Hopefully this default won't break by disabling SSLv3 in the registry.

但是，我决定必须将所有应用程序升级到 .NET 4.5 并明确添加 SecurityProtocolType.Tls |安全协议类型.Tls11 |SecurityProtocolType.Tls12; 无论如何，所有应用程序的所有引导代码.

However, I've decided I have to upgrade all apps to .NET 4.5 and to explicitly add SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; anyway to all bootstrapping code of all applications.

这将使对各种api和服务的出站请求不降级到SSLv3，并应选择最高级别的TLS.

This will make outbound requests to various apis and services to not downgrade to SSLv3 and should select the highest level of TLS.

这种方法听起来合理还是矫枉过正?我有许多应用程序需要更新，我想在未来证明它们，因为我听说即使 TLS 1.0 可能在不久的将来被某些提供商弃用.

Does this approach sound reasonable or overkill? I have many applications to update, and I want to future proof them since I hear even TLS 1.0 may be deprecated in the near future by some providers.

作为向 API 发出出站请求的客户端，在注册表中禁用 SSL3 是否对 .NET 框架也有影响?我看到默认情况下，TLS 1.1 和 1.2 未启用，我们是否必须通过注册表启用它?RE http://support.microsoft.com/kb/245030.

As a client making outbound requests to APIs, does disabling SSL3 in the registry even have an effect in the .NET framework? I see by default, TLS 1.1 and 1.2 are not enabled, do we have to enable it via the registry? RE http://support.microsoft.com/kb/245030.

经过一番调查，我相信注册表设置不会有任何影响，因为它们适用于 IIS(服务器子项)和浏览器(客户端子项).

After a bit of investigation, I believe the registry settings will have no affect since they apply to IIS (server subkey) and browsers (client subkey).

抱歉，这篇文章变成了多个问题，随后是可能"的答案.

Sorry this post turned into multiple questions, followed up with "maybe" answers.

推荐答案

一些对其他答案发表评论的人指出，将 System.Net.ServicePointManager.SecurityProtocol 设置为特定值意味着您的应用程序将无法利用未来的 TLS 版本，这些版本可能会成为 .NET 未来更新中的默认值.执行以下操作，而不是指定固定的协议列表:

Some of the those leaving comments on other answers have noted that setting System.Net.ServicePointManager.SecurityProtocol to specific values means that your app won't be able to take advantage of future TLS versions that may become the default values in future updates to .NET. Instead of specifying a fixed list of protocols, do the following:

对于 .NET 4.7 或更高版本，不要设置 System.Net.ServicePointManager.SecurityProtocol.默认值 (SecurityProtocolType.SystemDefault) 将允许操作系统使用它知道和配置的任何版本，包括在创建应用程序时可能不存在的任何新版本.

For .NET 4.7 or later, do not set System.Net.ServicePointManager.SecurityProtocol. The default value (SecurityProtocolType.SystemDefault) will allow the operating system to use whatever versions it knows and has been configured for, including any new versions that may not have existed at the time the app was created.

对于 .NET Framework 的早期版本，您可以改为打开或关闭您知道和关心的协议，让其他协议保持原样.

For earlier versions of .NET Framework, you can instead turn on or off protocols you know and care about, leaving any others as they are.

要在不影响其他协议的情况下开启 TLS 1.1 和 1.2:

To turn on TLS 1.1 and 1.2 without affecting other protocols:

System.Net.ServicePointManager.SecurityProtocol |= 
    SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

注意使用 |= 打开这些标志而不关闭其他标志.

Notice the use of |= to turn on these flags without turning others off.

要在不影响其他协议的情况下关闭 SSL3:

To turn off SSL3 without affecting other protocols:

System.Net.ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;

这篇关于.NET 4.5 中的默认安全协议的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！