Forcing HttpClient to enforce TLS higher than 1.0

风格不统一 submitted on 2020-01-25 09:20:07

Question


My WPF app connects to an Azure Web API. The endpoints will be configured to deny access to any non-secured (HTTP) or weakly secured (HTTPS with TLS 1.0 or older) requests. But I also want my app to never even try sending non-secured or weakly secured requests.

Microsoft recommends here and there to target the Framework 4.7 and to leave ServicePointManager.SecurityProtocol to its default value so that the OS determines what protocol to use.

The second article I mentioned also indicates Windows 7 will rely on TLS 1.0, just a few lines after having highly recommended not to rely upon TLS 1.0. So I understand I can trust the OS to get the best layer of security it has available, but cannot trust the OS for not sending a request if the best option is still a bad option.

My App relies on System.Net.Http.HttpClient. I would like to make sure that the calls I make through this client are:

  1. Always secured. That is, always use HTTPS, never use HTTP.
  2. Always secured to a sufficient level. That is, rely at least on TLS 1.1; but never TLS 1.0 or SSL.

How can I achieve this?

  • For point 1, I have read I should simply specify "https://" when creating the URI object; is this always true?
  • For point 2, I could do a bitwise combination of all the SecurityProtocolType enum values, excluding .Ssl3 and .Tls, but that would also exclude any future technologies (TLS 1.4?). Is this answer still true now that the .SystemDefault field has been added to the enum?
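The two requirements above, as an added C# example that is not part of the question or of Microsoft's documentation. It assumes .NET Framework 4.7 or later, where ServicePointManager.SecurityProtocol still governs HttpClientHandler; the class names HttpsOnlyHandler and SecureClientFactory are hypothetical. The URI scheme decides whether TLS is used for a connection, so point 1 is handled by a handler that refuses anything but https:// before it reaches the network (and by disabling auto-redirect, since a redirect followed inside the inner handler would otherwise bypass that check). Point 2 is handled with an explicit allow-list, which carries exactly the trade-off the question notes: a protocol added in a later framework has to be added to the list by hand.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler (added example): every request passes through here before
// it reaches the network, and anything that is not https:// fails closed.
public sealed class HttpsOnlyHandler : DelegatingHandler
{
    public HttpsOnlyHandler(HttpMessageHandler inner) : base(inner) { }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // HttpClient has already combined BaseAddress and a relative URI by this point.
        Uri uri = request.RequestUri;
        if (uri == null || !uri.IsAbsoluteUri ||
            !string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
        {
            // Throwing here means the request is never sent, not even over http://.
            throw new InvalidOperationException("Refusing to send a non-HTTPS request: " + uri);
        }
        return base.SendAsync(request, cancellationToken);
    }
}

public static class SecureClientFactory
{
    // Point 2: an explicit allow-list. Nothing older than TLS 1.1 can be offered,
    // but a value added in a later framework (Tls13 in .NET Framework 4.8) has to
    // be appended here, on an OS that supports it, to become usable.
    public static readonly SecurityProtocolType AllowedProtocols =
        SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    public static HttpClient Create(Uri baseAddress)
    {
        // Process-wide setting; HttpClientHandler on .NET Framework honours it.
        ServicePointManager.SecurityProtocol = AllowedProtocols;

        var inner = new HttpClientHandler
        {
            // Redirects are followed inside the inner handler, where HttpsOnlyHandler
            // cannot see them; disabling them keeps the scheme check complete.
            AllowAutoRedirect = false
        };

        return new HttpClient(new HttpsOnlyHandler(inner)) { BaseAddress = baseAddress };
    }
}

// Constructed usage (the host is a placeholder, not a real endpoint):
//   var client = SecureClientFactory.Create(new Uri("https://example.invalid/api/"));
//   await client.GetAsync("status");                          // sent over TLS 1.1 or 1.2 only
//   await client.GetAsync("http://example.invalid/status");   // throws before any bytes leave
```

With AllowAutoRedirect off, a 3xx response is returned to the caller instead of being followed, so the application decides what to do with it; that is the price of keeping the https-only check complete.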

Answer 1:


As devs said before, HttpClient negotiates TLS by passing it to the OS. Especially in W7, it isn't enabled by default to permit applications to use that correctly. In order to resolve that you need to update some keys in the registry IF YOU DON'T WANT TO UPDATE THE .NET FRAMEWORK ON THE MACHINE WHERE YOUR APP IS RUNNING, or if you don't do any update on the OS. You can do that by code in VB.Net. In the example below I want to show you THE KEYS which need to be updated/set. Also, if you take this code, create a .reg file and execute it, you resolve the problem on your machine, but for distributed apps you need to do that by code on every machine where your app is installed. Note that the label v2.0.50727 or the label v4.0.30319 is the version of the .Net framework installed on the machine. That means you have to know beforehand the version installed (you can get that also by registry or by code) and whether your application is compiled for one of those versions. You can update only the version your app is using.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
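A read-only check of the keys listed in this answer, as an added C# example that is not part of the answer (which proposes writing them, in VB.Net). It uses Microsoft.Win32.Registry and opens both the 64-bit and 32-bit views of HKLM explicitly, because a 32-bit process on 64-bit Windows is otherwise silently redirected to WOW6432Node for the SOFTWARE hive, which is why the answer lists both paths; the SCHANNEL keys under SYSTEM are not redirected. The class name TlsRegistryAudit is hypothetical. It reports what is set rather than changing anything, so it can run before a deployment or as a diagnostic on a machine where the app fails to connect.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Hypothetical audit helper (added example): reads the values the .reg listing
// above writes and reports whether each one is present with the expected data.
public static class TlsRegistryAudit
{
    // Expected DWORD values, taken from the .reg listing above.
    private static readonly (string Key, string Name, int Expected)[] DotNetChecks =
    {
        (@"SOFTWARE\Microsoft\.NETFramework\v2.0.50727", "SystemDefaultTlsVersions", 1),
        (@"SOFTWARE\Microsoft\.NETFramework\v2.0.50727", "SchUseStrongCrypto", 1),
        (@"SOFTWARE\Microsoft\.NETFramework\v4.0.30319", "SystemDefaultTlsVersions", 1),
        (@"SOFTWARE\Microsoft\.NETFramework\v4.0.30319", "SchUseStrongCrypto", 1),
    };

    private const string Tls12 = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2";

    private static readonly (string Key, string Name, int Expected)[] SchannelChecks =
    {
        (Tls12 + @"\Client", "DisabledByDefault", 0),
        (Tls12 + @"\Client", "Enabled", 1),
        (Tls12 + @"\Server", "DisabledByDefault", 0),
        (Tls12 + @"\Server", "Enabled", 1),
    };

    // Returns one report line per value; nothing is written to the registry.
    public static List<string> Run()
    {
        var report = new List<string>();

        // SOFTWARE is redirected per process bitness, so inspect both views
        // explicitly instead of trusting whichever one this process lands in.
        foreach (RegistryView view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
        {
            using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
            {
                foreach (var c in DotNetChecks)
                    report.Add(Describe(hklm, view.ToString(), c.Key, c.Name, c.Expected));
            }
        }

        // SCHANNEL keys live under SYSTEM and are not redirected; one view is enough.
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Default))
        {
            foreach (var c in SchannelChecks)
                report.Add(Describe(hklm, "Default", c.Key, c.Name, c.Expected));
        }
        return report;
    }

    private static string Describe(RegistryKey root, string view, string path, string name, int expected)
    {
        using (RegistryKey key = root.OpenSubKey(path, writable: false))
        {
            if (key == null)
                return $"[{view}] {path}: key missing (OS/framework default applies)";
            object value = key.GetValue(name);
            if (value == null)
                return $"[{view}] {path}\\{name}: value missing (OS/framework default applies)";
            bool ok = value is int i && i == expected;
            return $"[{view}] {path}\\{name} = {value} {(ok ? "OK" : "expected " + expected)}";
        }
    }

    public static void Main()
    {
        foreach (string line in Run()) Console.WriteLine(line);
    }
}
```

A missing key or value is reported as such rather than as a failure, because in that case the framework's own default for the targeted version decides, which is exactly the situation the question's Microsoft references describe.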


Source: https://stackoverflow.com/questions/58857996/forcing-httpclient-to-enforce-tsl-higher-than-1-0
