I need to POST JSON data to a TLS 1.2 Endpoint. I would like to have the SecurityProtocol specified in the App.config instead of being hardcoded in the source and do not want to set the registry of the machine to disable TLS 1.1.
If you do not specify the SecurityProtocol the underlying OS protocols are used but they seem to default to the least secure instead of the most secure. Because I have multiple services running from the machine I cannot set the OS to only use TLS1.2, but I still want this specific client to use TLS 1.2, and when TLS 1.3 comes out be able to modify it through application specific configuration.
This question explains how to do it via code: How to specify SSL protocol to use for WebClient class
This question explains how to do it via Registry settings for the entire machine: Are there .NET implementation of TLS 1.2?
// this is what I want to avoid
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocol.Tls12;
System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)System.Net.HttpWebRequest.Create(url);
using (System.IO.StreamWriter sw = new System.IO.StreamWriter(request.GetRequestStream()))
{
sw.write(json);
}
System.Net.HttpWebResponse response = (System.Net.HttpWebResponse)request.GetResponse();
using System.IO.StreamReader sr = new System.IO.StreamReader(response.GetResponseStream()))
{
content = sr.ReadToEnd();
}
I do not have anything in my App.config for this client currently but that is what I would like to change.
I have found that there is a sslStreamSecurity element inside system.serviceModel, but I believe this is for ServiceReferences, not normal HttpWebRequest. I believe that is covered under system.net but I can't find an equivalent.
<system.serviceModel>
<bindings>
<customBinding>
<binding name="myBinding">
<sslStreamSecurity sslProtocls="Tls12">
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://myserver.com" binding="customBinding" bindingConfiguration="myBinding" name="myEndpoint" />
</client>
</system.ServiceModel>
I am fairly open to using something other than HttpWebRequest/HttpWebResponse but would like to stay away from installing third party packages. I started down a path with System.Net.Http.HttpClient
which seems newer than HttpWebRequest but quickly ran into the same issues.
For now I have put an integer value in the App.config that specifies the enum value to set System.Net.ServicePointManager.SecurityProtocol
to. I still think there may be a more elegant way to do this and look forward to other answers. I was guided in this direction by https://stackoverflow.com/a/35325333/5221761
int securityProtocol = Convert.ToInt32(ConfigurationManager.AppSettings["SecurityProtocol"]);
try
{
System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)securityProtocol;
}
catch(Exception ex)
{
Console.WriteLine("Could not setup SecurityProtocol. Try a different integer value: " + ex.Message);
foreach (System.Net.SecurityProtocolType protocolType in Enum.GetValues(typeof(System.Net.SecurityProtocolType)))
{
Console.WriteLine(string.Foramt("SecurityProtocol: {0} - {1}", protocolType.ToString(), (int)protocolType));
}
}
App.config:
<appSettings>
<add key="SecurityProtocol" value="3072" />
</appSettings>