问题
We are trying to enforce TLS 1.2 in our WCF Service.
We have our WCF Service hosted on IIS on our VM Boxes.
We are not sure how to disable TLS 1.0 and TLS 1.1 for our service.
We have tried the following approach:
Configuration change in our WCF Service (Server side) and (client side)** –
For the client side, we added the following code in our main method –
Remove insecure protocols (SSL3, TLS 1.0, TLS 1.1)
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls;
ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Tls11;
// Add TLS 1.2, 1.3
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls13;
We have verified that this works on the client side, i.e., the client uses only TLS 1.2 to send requests after this config.
But the same configuration on our Server side WCF service does not work.
We have written this config change inside global.asax file inside Application_Start method for our
server, but the WCF Service hosted on IIS Server still accepts TLS 1.0/1.1 requests.
We have tried another method where we did registry key changes on Windows Server to disable TLS 1.0, TLS 1.1 for the whole VM box.
The blocker for going with this method is that there are many other services on our VM,
which might get affected if we do a configuration change on the whole server.
Is there any working method wherein we change the configuration of our WCF Service to disable serving TLS 1.0/1.1 requests on the service level?
Any help would be appreciated. :-)
回答1:
At first, we had better not specify the TLS version manually, just let the OS decide on the TLS version. Please check the official document of TLS best practices.
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
Provided that OS and project’s SDK support TLS1.2(it needs prerequisites, Dotnet4.6.1+,win7+),We could specify the TLS version used during the communication by the below code on the client-side.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
ServiceReference1.ServiceClient client = new ServiceReference1.ServiceClient();
Besides, modifying the Windows registry can disable certain version protocols.
Please refer to the below link.
https://serverfault.com/questions/733994/how-to-disable-tls-1-0-in-windows-2012-rdp
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
Feel free to let me know if there is anything I can help with.
来源:https://stackoverflow.com/questions/59299317/wcf-service-tls-1-2-enforcement