12

Running on Windows Server 2012R2

I am trying to disable TLS 1.0 on IIS because the client has a site scanner which highlights that as a security problem.

I have a clean test server set up and the app is running fine until I disable TLS 1.0.

I updated all the appropriate settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

In the event viewer, I get:

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

If I revert the registry settings just for TLS 1.0 (Enabled, not DisabledByDefault), everything is fine again.

Using in system.web:

<httpRuntime targetFramework="4.7.2" />

What am I missing?

Cade Roux
  • Since you have disabled TLS 1.0, the code needs to be updated to communicate over TLS 1.2. The following line of code can be added before making a request to a service hosted on your server: System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; – Mohsin Mehmood May 14 '18 at 20:54
  • @MohsinMehmood this is a regular web app. The site is being accessed through IE. When the site is running with TLS 1.0 enabled, it still shows that IE has connected over TLS 1.2. – Cade Roux May 14 '18 at 21:03
  • Use the IISCrypto tool to ensure that TLS 1.2 is enabled. This tool will provide a nice GUI for enabling multiple versions of TLS. Also, test your website using https://www.ssllabs.com/ssltest/ – Mohsin Mehmood May 14 '18 at 21:11
  • @MohsinMehmood Yes. That is how I generated the registry change file for my client and for scripting the setup changes and reversions. I also used the Qualys scanner to verify why they are seeing the site reported for TLS 1.0 vulnerability through scans even though all browsers are negotiating their connections at TLS 1.2. However, neither of those things resolve the issue with IIS. – Cade Roux May 14 '18 at 21:19
  • Check which .NET Framework version is installed. Only later versions read the system default for the TLS setup. If you want to stick to an old release, the source code must be changed to switch to TLS 1.2 by default. https://learn.microsoft.com/en-us/dotnet/framework/whats-new/ – Lex Li May 14 '18 at 23:11
  • @LexLi 4.7.1 is installed, I am going to look at putting on 4.7.2 right now. – Cade Roux May 15 '18 at 13:03
  • Do read the article on TLS sections to learn the changes. – Lex Li May 15 '18 at 13:04
  • @LexLi 4.7.2 framework installed, problem still there. – Cade Roux May 15 '18 at 16:05
  • I would try to get ASP.NET out of the loop by testing a simple website with a static file. This could easily be an IIS problem. – Martin Liversage May 16 '18 at 22:47
  • Try to disable TLS 1.0 only for the server. After all, that is what the scanner detected. I guess that even if client 1.0 is enabled, it will still attempt a 1.2 connection. – edixon May 21 '18 at 11:59
  • What version of IIS is it? Are you using SQL? – HackSlash May 21 '18 at 23:15
  • @HackSlash IIS 8, it does connect to a SQL Server. – Cade Roux May 25 '18 at 21:06
  • @MartinLiversage I made a simple test.html page in the same folder, and it loads fine - properties shows it is loaded over https. – Cade Roux May 25 '18 at 21:09
  • @edixon It appears that potentially the SQL Server connection is the issue. I re-enabled 1.0 client and have better results. Now to test the same change in the client production environment. – Cade Roux May 25 '18 at 22:30
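The configuration that edixon's comment proposes and that the asker's last comment confirms worked (TLS 1.0 off for the Server role, still on for the Client role so the outbound SQL Server connection keeps negotiating), as an added PowerShell example rather than the question's .reg file. This is not code from the question or any answer. The Schannel and .NETFramework key paths are the ones the question already uses; SystemDefaultTlsVersions is a documented .NET 4.6+ value the question's file does not set and is added here as the recommended companion to SchUseStrongCrypto.

```powershell
# Added example (not from the original question or answers). Disables TLS 1.0
# for the Server role only (what the external scanner sees) and leaves it
# enabled for the Client role so outbound connections from the app, such as
# the SQL Server link in this thread, keep working. Run as Administrator and
# reboot afterwards: Schannel reads these keys at boot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Role,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path $schannel "$Protocol\$Role"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 plus DisabledByDefault=1 turns the protocol off; 1 plus 0 turns it on.
    # Enabled=1 is equivalent to the 0xffffffff the question's .reg file writes.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelProtocolState {
    # Dumps the Enabled/DisabledByDefault pair per protocol and role.
    # A missing key means "OS default"; on 2012 R2 TLS 1.0, 1.1 and 1.2 are on by default.
    foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($r in 'Client','Server') {
            $key = Join-Path $schannel "$p\$r"
            $v = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = if ($null -ne $v -and $null -ne $v.Enabled) { $v.Enabled } else { '(default)' }
                DisabledByDefault = if ($null -ne $v -and $null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(default)' }
            }
        }
    }
}

# 1. Inbound: refuse TLS 1.0 on the Server role, which is all the scanner tests.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Role Server -Enabled $false

# 2. Make TLS 1.1 and 1.2 explicitly enabled for both roles.
foreach ($p in 'TLS 1.1','TLS 1.2') {
    foreach ($r in 'Client','Server') { Set-SchannelProtocol -Protocol $p -Role $r -Enabled $true }
}

# 3. Outbound: keep TLS 1.0 Client enabled until the database server accepts
#    TLS 1.2, then flip this to $false. Outbound TLS 1.0 is invisible to the
#    scanner but is still the weaker protocol on the wire.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Role Client -Enabled $true

# 4. Let .NET 4.x follow the OS protocol list instead of its own hard-coded one.
#    SchUseStrongCrypto is what the question already sets; SystemDefaultTlsVersions
#    (read by .NET 4.6 and later) makes ServicePointManager honour the keys above.
foreach ($fw in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-ItemProperty -Path $fw -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $fw -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

After the reboot, a fresh powershell.exe can confirm the .NET side with `[Net.ServicePointManager]::SecurityProtocol`; with SystemDefaultTlsVersions set it reports SystemDefault, meaning the Schannel keys above decide what the app offers. The script is idempotent, so re-running it with step 3 changed to `$false` is the planned second pass once the SQL Server has been updated for TLS 1.2.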

4 Answers

9

The application itself must be updated to support TLS 1.2 handshakes, so it's not something you can necessarily change if you only have access to configuration. If the underlying code does not support it, it will not work.

If the code targets .NET 4.6, I believe, TLS 1.2 will work natively. In 4.5, a line of code must be put in place such that it is executed before any networking occurs. The code:

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12
hurlman
4

Your site could be communicating with something over SSL that doesn't support TLS 1.1+. You could allow outgoing TLS 1.0 connections which the site scanner wouldn't see, but these connections would be less secure.

C.M.
  • From the detailed logging, I only see successful connections at TLS 1.2, and there are no further details that this failure comes from trying to communicate externally (which the site does not do). – Cade Roux May 25 '18 at 21:05
  • Ultimately, I think this was the cause - the internal outbound SQL Server connection was being forced to TLS 1.2 and the SQL Server didn't support that. – Cade Roux Aug 01 '18 at 20:44
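A way to see for yourself what the scanner sees, as an added example that is not part of this answer or the question: probe the site with one exact TLS version per connection. The host name is an assumption. Two caveats a practitioner needs: the probe uses the local machine's Schannel client, so run it from a box where TLS 1.0 Client is still enabled (the scanner's, for instance), otherwise a refused 'Tls' attempt tells you about your own client rather than the server; and the SQL Server link that turned out to be the problem cannot be probed this way, because TDS carries the TLS handshake inside its pre-login exchange, so that connection has to be tested with the application or SqlClient after the change.

```powershell
# Added example (not from the original question or answers). Opens one TLS
# connection per requested protocol version and reports whether the server
# accepted it. With TLS 1.0 disabled on the Server role, 'Tls' must be
# refused and 'Tls12' accepted.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls','Tls11','Tls12')
    )
    foreach ($proto in $Protocols) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Accept any certificate: this tests protocol negotiation, not chain
            # validation, so a self-signed test certificate does not get in the way.
            $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            # Offer exactly one protocol version so the server cannot negotiate
            # something else; the scanner does the same for each version it reports.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Requested  = $proto
                Result     = 'accepted'
                Negotiated = $ssl.SslProtocol
                Detail     = "cipher $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            }
        } catch {
            # A refused version surfaces as an AuthenticationException here; on the
            # server it shows up as a Schannel fatal-alert event, alert 70 (protocol_version)
            # being the one quoted in the question.
            $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
            [pscustomobject]@{
                Requested  = $proto
                Result     = 'refused'
                Negotiated = $null
                Detail     = $msg
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
}

# Host name is an assumption; point it at the IIS site the scanner flagged.
Test-TlsProtocol -HostName 'app.example.internal' -Port 443 | Format-Table -AutoSize
```

Run it before and after the registry change and keep both outputs: the before run should show 'Tls' accepted (the scanner finding), the after run should show it refused while 'Tls11' and 'Tls12' still succeed, which is the evidence to hand back with the remediation.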
2

If you are using .NET 4.7 or higher, try this.

I have used IIS Crypto for this. You disable TLS 1.0 and 1.1, apply and restart. After this, all your applications, SharePoints and sites will use TLS 1.2.

You should also indicate the target version in your web.config file:

<system.web>
   <httpRuntime targetFramework="4.7.2" />
   <compilation targetFramework="4.7.2" />
</system.web>

This will make it support TLS 1.2 and also always force this protocol.

Vallemar
1

Have you tried to enable schannel logging to get more info?

https://support.microsoft.com/en-us/help/260729/how-to-enable-schannel-event-logging-in-iis

Hope that will reveal the missing piece.

frostshoxx
  • I set logging to 7, and there are a number of successful information-level messages around the error message posted above: An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. Protocol: TLS 1.2 CipherSuite: 0xC028 Exchange strength: 256 – Cade Roux May 25 '18 at 21:02
  • Also: An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows. Protocol: TLS 1.2 CipherSuite: 0xC028 Exchange strength: 256 – Cade Roux May 25 '18 at 21:03
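The logging step this answer links to, carried through as an added PowerShell example that is not part of the answer or the question: raise Schannel logging to 7 (errors, warnings and informational, which is the level that produces the successful-handshake events quoted in the comments), then pull the Schannel events from the System log and decode the TLS alert number. The alert names are the AlertDescription values from RFC 5246 section 7.2; the "fatal error code is 70" in the question is protocol_version, the alert a peer sends when the offered protocol version is not acceptable, which fits the SQL Server explanation the asker settled on. The Schannel error state number is not decoded here.

```powershell
# Added example (not from the original question or answers). Enables verbose
# Schannel logging and summarises the resulting System-log events, decoding
# the TLS alert number carried by the fatal-alert events.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Enable-SchannelLogging {
    param([ValidateRange(0,7)][int]$Level = 7)
    # 1 = errors only (the default), 7 = errors + warnings + informational.
    # The value is read at boot, so reboot after changing it.
    New-ItemProperty -Path $schannelKey -Name 'EventLogging' -PropertyType DWord -Value $Level -Force | Out-Null
}

# TLS AlertDescription values from RFC 5246 section 7.2 (subset).
$tlsAlerts = @{
    40 = 'handshake_failure'; 42 = 'bad_certificate'; 46 = 'certificate_unknown'
    47 = 'illegal_parameter'; 48 = 'unknown_ca';      49 = 'access_denied'
    70 = 'protocol_version';  71 = 'insufficient_security'; 80 = 'internal_error'
}

function Get-SchannelEvents {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg = $_.Message
        # Fatal-alert events (36887 = alert received, 36888 = alert generated and sent)
        # carry the alert number in their text, as in the question's event.
        $alert = $null
        if ($msg -match 'fatal error code is (\d+)') {
            $code  = [int]$Matches[1]
            $alert = if ($tlsAlerts.ContainsKey($code)) { "$code ($($tlsAlerts[$code]))" } else { "$code" }
        }
        # Successful-handshake events at level 7 list the negotiated protocol and suite.
        $proto = if ($msg -match 'Protocol:\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
        $suite = if ($msg -match 'CipherSuite:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            Alert    = $alert
            Protocol = $proto
            Suite    = $suite
            Summary  = ($msg -split "`n")[0].Trim()
        }
    }
}

Enable-SchannelLogging -Level 7
# After the reboot, reproduce the failure and then look at what Schannel recorded.
Get-SchannelEvents -Hours 24 | Where-Object { $_.Alert -or $_.Protocol } | Format-Table -AutoSize
```

Reading the output: rows with a Protocol value are the handshakes that succeeded, and their timestamps and the Id column tell the client side (event text "SSL client handshake") from the server side ("SSL server handshake"); a 36888 row with alert 70 (protocol_version) sitting between successful TLS 1.2 browser handshakes is the pattern the question describes, and it points at an outbound connection the box itself initiated rather than at IIS, which is where the SQL Server link was found.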