Transport Layer Security (TLS) best practices with the .NET Framework



TLS 1.0 is a security protocol first defined in 1999 for establishing encrypted channels over computer networks. Microsoft has supported this protocol since Windows XP/Server 2003. While no longer the default security protocol in use by modern OSes, TLS 1.0 is still supported for backwards compatibility. Evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely.

TLS 1.2 is a standard that provides security improvements over previous versions. TLS 1.2 will eventually be replaced by the newest released standard, TLS 1.3, which is faster and has improved security.

To ensure .NET Framework applications remain secure, the TLS version should not be hardcoded. .NET Framework applications should use the TLS version the operating system (OS) supports.

The TLS 1.2/1.3 change impacts source code that uses the following namespaces, libraries, and classes.


The following best practices are suggested:
  • For TLS 1.2, target .NET Framework 4.7 or later versions on your apps, and target .NET Framework 4.7.1 or later versions on your WCF apps.
  • For TLS 1.3, target .NET Framework 4.8 or later.
  • Do not specify the TLS version. Configure your code to let the OS decide on the TLS version.
  • Perform a thorough code audit to verify you're not specifying a TLS or SSL version.
  • For .NET Framework 4.6 - 4.6.2 apps that are not WCF, set the DontEnableSystemDefaultTlsVersions AppContext switch to false.
  • If you are running on .NET Framework 3.5, you need to install a hot patch so that TLS 1.2 can be specified by your program:

When your app lets the OS choose the TLS version:

  • It automatically takes advantage of new protocols added in the future, such as TLS 1.3.
  • The OS blocks protocols that are discovered not to be secure.
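
An added example (not from the original post or from Microsoft's documentation) for the code-audit step above: a small Python scanner that flags pinned protocol versions in C# source and config text. The .NET type names `SecurityProtocolType` and `SslProtocols`, the full switch name, and the sample input are supplied here rather than taken from the page.

```python
import re

# .NET enum members that pin a protocol version. SecurityProtocolType.SystemDefault
# and SslProtocols.None are not matched: both mean "let the OS choose".
RULES = [
    ("SecurityProtocolType pinned",
     re.compile(r"\bSecurityProtocolType\s*\.\s*(Ssl3|Tls(?:1[123])?)\b")),
    ("SslProtocols pinned",
     re.compile(r"\bSslProtocols\s*\.\s*(Ssl2|Ssl3|Tls(?:1[123])?|Default)\b")),
    ("numeric cast to protocol enum",
     re.compile(r"\(\s*(?:SecurityProtocolType|SslProtocols)\s*\)\s*(\d+)")),
    ("OS default opted out",
     re.compile(r"DontEnableSystemDefaultTlsVersions\"?\s*[=,]\s*(true)", re.I)),
]
LINE_COMMENT = re.compile(r"(?<!:)//.*")  # keeps the "//" inside URLs

def audit(text):
    """Return (line_number, rule, value) for every hardcoded TLS/SSL setting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = LINE_COMMENT.sub("", line)  # ignore commented-out code
        for rule, pattern in RULES:
            for match in pattern.finditer(code):
                value = match.group(1)
                if value.isdigit() and int(value) == 0:
                    continue  # a cast of 0 equals SystemDefault / None
                findings.append((lineno, rule, value))
    return findings

# Constructed sample: C# lines plus one app.config line.
SAMPLE = '''\
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11;
// ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;
stream.AuthenticateAsClient(host, null, SslProtocols.None, true);
stream.AuthenticateAsClient(host, null, SslProtocols.Tls, true);
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=true" />
'''

if __name__ == "__main__":
    for lineno, rule, value in audit(SAMPLE):
        print(f"line {lineno}: {rule} ({value})")
```

The scanner only strips `//` line comments, so pinned versions inside `/* ... */` blocks are still reported and need a manual look.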




Reference: https://docs.microsoft.com/
