
Cannot connect to a server by using the ServicePointManager or SslStream APIs after upgrade to the .NET Framework 4.6



Symptoms

Assume that you have upgraded to Microsoft .NET Framework 4.6 on your computer. When you use an application that uses SSL 3.0 together with ServicePointManager or SslStream APIs to connect to a server, the connection fails.



Cause

This issue occurs because the default set of SSL/TLS protocols that is used by ServicePointManager and SslStream was changed.

Old value: Ssl 3.0 | Tls 1.0 | Tls 1.1

New value: Tls 1.0 | Tls 1.1 | Tls 1.2



Workaround

To work around this issue, update the server to use TLS 1.0, TLS 1.1, or TLS 1.2, because SSL 3.0 has been shown to be insecure and vulnerable to attacks such as POODLE.

Note: If you cannot update the server, use the AppContext class to opt out of this feature. To do this, use one of the following methods:
  • Programmatically: This must be the very first thing the application does because ServicePointManager will initialize only once. Use the following code example in your application:
    // Declare the switch names as class-level constants.
    private const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
    private const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
    // Set both switches at the start of Main(), before any networking call.
    AppContext.SetSwitch(DisableCachingName, true);
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);
  • By using the app.config file for your application: Add the following line to the app.config file:
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>
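
Because either opt-out method takes effect for the whole application, a startup check can report when it is active. The following is an added example, not part of the KB article and not Microsoft's code; it assumes a console application that targets the .NET Framework 4.6, and `TlsDefaultsAudit` and `Findings` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example, not Microsoft's code. Assumes a console application that
// targets the .NET Framework 4.6; class and method names are hypothetical.
static class TlsDefaultsAudit
{
    // Switch name as given in the article.
    const string OptOutSwitch = "Switch.System.Net.DontEnableSchUseStrongCrypto";

    // Pure check, so it can be exercised with constructed inputs.
    public static List<string> Findings(SecurityProtocolType protocols, bool optOutSet)
    {
        var findings = new List<string>();
        if ((protocols & SecurityProtocolType.Ssl3) != 0)
            findings.Add("SSL 3.0 is enabled for ServicePointManager connections (POODLE).");
        if (optOutSet)
            findings.Add(OptOutSwitch + "=true: SCH_USE_STRONG_CRYPTO is not applied.");
        return findings;
    }

    static int Main()
    {
        // TryGetSwitch returns false when no value is known for the switch;
        // in that case the opt-out is treated as not set.
        bool optOutSet;
        bool known = AppContext.TryGetSwitch(OptOutSwitch, out optOutSet);

        // Reading the property initializes ServicePointManager, so run this
        // check after any AppContext.SetSwitch calls the application makes.
        SecurityProtocolType effective = ServicePointManager.SecurityProtocol;
        Console.WriteLine("Effective protocols: " + effective);

        List<string> findings = Findings(effective, known && optOutSet);
        foreach (string finding in findings)
            Console.WriteLine("FINDING: " + finding);

        // Constructed inputs: the old and new default values listed in the article.
        var oldDefault = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11;
        var newDefault = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        Console.WriteLine("Old default, opt-out set: " + Findings(oldDefault, true).Count + " finding(s)");
        Console.WriteLine("New default, no opt-out:  " + Findings(newDefault, false).Count + " finding(s)");

        // A non-zero exit code lets a deployment check fail while the opt-out is active.
        return findings.Count == 0 ? 0 : 1;
    }
}
```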


For more information about the known issues in the .NET Framework 4.6, see Known issues for the .NET Framework 4.6.



More Information

For more information about the product versioning changes and impact in the .NET Framework 4.6, see Application Compatibility in the .NET Framework 4.6.

Notes
  • The new configuration will only apply when the application is targeting the .NET Framework 4.6. The .NET Framework 4.5.2 and earlier versions will not be affected even if they run in a .NET Framework 4.6 environment.
  • A list of affected top-level APIs:
    • HttpClient, HttpWebRequest
    • FtpClient
    • SmtpClient
    • SslStream
  • SCH_USE_STRONG_CRYPTO: This flag is used automatically in the .NET Framework 4.6 and affects behavior by removing unsafe cryptographic and hashing algorithms. For all operating system platforms earlier than Windows 10, the RC4 algorithm will be removed from use. From Windows 10, the following additional unsafe algorithms will be removed: DES, NULL, EXPORT, and MD5.


Article Info
Article ID : 3069494
Revision : 1
Created on : 1/7/2017
Published on : 7/20/2015