Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1


View products that this article applies to.

The .NET framework version 3.5.1 and earlier versions did not provide support for applications to use Transport Layer Security (TLS) System Default Versions as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5.1.
Note This content has been made available on Windows Update. To obtain the content, scan Windows Update for the latest .NET Framework updates. If your system is fully up to date via Windows Update, you do not need to take further action.

↑ Back to the top


Resolution

Download information

The following files are available for download from the Microsoft Download Center:

Download Download the x86-based package now.

Download Download the x64-based package now.

Download Download the IA64-based package now.

We have made the following improvements in this area:
  • The following registry keys can be set to use the operating system defaults for SSL and TLS instead of the hardcoded .NET Framework defaults for a managed application running on the computer.
    • For 64-bit operating systems:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"=dword:00000001
    • For 32-bit operating systems:
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
      "SystemDefaultTlsVersions"=dword:00000001
    Note If the application has set the ServicePointManager.SecureProtocol in code or through config files to a specific value, or uses the SslStream.AuthenticateAs* APIs to specify a specific SslProtocols enum, the registry setting behavior does not occur.
  • In addition, we have added the SslProtocolsExtensions enumeration that you can use as an option for setting TLS v1.2, TLS v1.1, as well as operating system defaults for the ServicePointManager.SecurityProtocol property when targeting .NET framework version 2.0 SP2. (See the Developer Guidance section for the information on how to use the extensions.)

    Note Windows Vista SP2 and Windows Server 2008 SP2 do not support Transport Layer Security (TLS) protocol versions newer than 1.0. Managed .NET Framework 2.0 SP2 applications running on Windows Vista SP2 or Windows Server 2008 SP2 cannot use TLS 1.2 or TLS 1.1, even if those protocols are set in the ServicePointManager.SecurityProtocol property.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

↑ Back to the top


Developer Guidance

The definition of the new extensions are in the following files:

  • SecurityProtocolTypeExtensions.cs
    namespace System.Net
    {
    using System.Security.Authentication;
    public static class SecurityProtocolTypeExtensions
    {
    public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
    public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
    public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
    }
    }
  • SslProtocolsExtensions.cs
    namespace System.Security.Authentication
    {
    public static class SslProtocolsExtensions
    {
    public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
    public const SslProtocols Tls11 = (SslProtocols)0x00000300;
    }
    }
To include the support for TLS v1.2, include the source files in your project, and then set the protocol version by using the following methods:

  • Applications that are using ServicePointManager-based APIs can set the protocol by using the following:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
  • Applications that are using the SslStream AuthenticateAsClient(String, X509CertificateCollection, SslProtocols, Boolean) overload can set the SslProtocols value as SslProtocolsExtensions.Tls12.
If the registry setting that is mentioned in the first paragraph is set, and the SslProtocols value is set in the application as SslProtocols.None, the system default behavior that is chosen will depend on the Windows version.

Also, when you change the application code to enable support for TLS v1.2 with .NET Framework 3.5 SP1, you should make sure that you address the following exceptions on computers on which this patch is not deployed:

  1. If the hotfix is not installed, ServicePointManager-based APIs (HTTP, FTP, SMTP) will throw "System.NotSupportedException: The requested security protocol is not supported" when the application calls ServicePointManager.SecurityProtocol to set the new value.
  2. If the hotfix is not installed, SslStream-based APIs will throw exceptions when they call either of the AuthenticateAs* APIs:
    System.ArgumentException: The specified value is not valid in the 'SslProtocolType' enumeration.
    Parameter name: sslProtocolType
Note For SslStream only, a combination of Tls12, Tls11 with any of the existing Tls, Ssl3, Ssl2 (for example: Tls12 | Tls11 | Tls) will silently downgrade to the existing protocols (for example: Tls) on a system without the patch. It will connect to Tls without throwing the exception.

↑ Back to the top


More Information

To enable TLS v1.1 or v1.2 as operating system defaults, follow the instructions at https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS12.

Note TLS v1.1 and v1.2 are not available in Windows Vista or Windows Server 2008.

If you have to disable the operating system defaults that are set by the registry key that is mentioned in the "Resolution" section for specific applications, you can do this by adding the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.SystemDefaultTlsVersions
<<Full path of the .exe for the file>> DWORD 0
C:\MyApp\MyApp.exe DWORD 0

↑ Back to the top


For more information about TLS v1.2, see Introducing TLS v1.2.

After you enable the SystemDefaultTlsVersions .NET registry key, a different behavior occurs for each version of Windows, as shown in the following table.

Windows versionSSL2 ClientSSL2 ServerSSL3 ClientSSL3 ServerTLS 1.0 ClientTLS 1.0 ServerTLS 1.1 ClientTLS 1.1 ServerTLS 1.2 ClientTLS 1.2 Server
Windows Vista SP2 and Windows Server 2008 SP2OffOnOnOnOnOnN/AN/AN/AN/A
Windows 7 SP1 and Windows Server 2008 R2 SP1OffOnOnOnOnOnOffOffOffOff
Windows Server 2012OffOffOnOnOnOnOnOnOnOn
Windows 8.1 and Windows Server 2012 R2 OffOffOnOnOnOnOnOnOnOn
Windows 10OffOffOnOnOnOnOnOnOnOn
Windows 10 (1511)OffOffOnOnOnOnOnOnOnOn
Windows 10 (1607) and Windows Server 2016N/AN/AOffOffOnOnOnOnOnOn

↑ Back to the top


Keywords: kbfix, kbsurveynew, kbexpertiseadvanced, atdownload, kb

↑ Back to the top

Article Info
Article ID : 3154518
Revision : 3
Created on : 10/22/2018
Published on : 10/23/2018
Exists online : False
Views : 968