igress

.NET 4.0 C# Webclient - Salesforce Disabling TLS 1.0 Encryption

Hi,
Since Salesforce is disabling TLS 1.0 encryption: I am using the .NET Framework 4.0 WebClient class to connect to Salesforce.

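// Requires: using System.Net; using System.Text;
var _webClient = new WebClient();
// OAuth 2.0 username-password flow: the form fields posted to the token endpoint
var content = new System.Collections.Specialized.NameValueCollection
{
    {"grant_type", "password"},
    {"client_id", clientId},
    {"client_secret", clientSecret},
    {"username", username},
    {"password", password}
};
// POST the form over HTTPS; the TLS version is negotiated by ServicePointManager/Schannel
var responseBytes = _webClient.UploadValues(tokenRequestEndpointUrl, "POST", content);
var responseBody = Encoding.UTF8.GetString(responseBytes);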

I know that System.Net.ServicePointManager.SecurityProtocol (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.100).aspx) supports Tls (which is the default choice). But if you look at the link, it says it is the TLS 1.0 protocol. How do I specify TLS 1.1 and higher?

I cannot upgrade my existing solution to .NET 4.5 since it is a huge undertaking. Is upgrading to .NET 4.5 the only way? I ask because I see that System.Net.ServicePointManager.SecurityProtocol (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx) supports TLS 1.1 and 1.2.

Thanks
Steven Lawrance
As .NET uses the operating system's Secure Channel (Schannel) library for TLS connections, you generally need to run this on an operating system that supports TLS 1.1 or TLS 1.2. The minimum requirements for that are somewhat high, though as the deactivation of TLS 1.0 is partly an industry-wide transition related to the recent payment card industry (PCI) DSS 3.1 standards, it's a transition that many need to go through over the next year.

Windows 7 or higher as well as Windows Server 2008 R2 and higher are required for TLS 1.1 and TLS 1.2 support. Is your operating system at that level or higher? If it's an earlier version of Windows or Windows Server, you will need to upgrade to a newer version to get support for TLS 1.1 and TLS 1.2.

It's possible that your unmodified application may support TLS 1.1 and TLS 1.2 when run in Windows 7 or higher or Windows Server 2008 R2 or higher, though it depends heavily on the details of the .NET library and the application. If the application is specifying the TLS protocols to enable, then it may just remain as TLS 1.0 in Windows 7 or higher or Windows Server 2008 R2 or higher. Hopefully, there is a way to be general about it rather than specifying the exact protocols to use, and I hope that .NET can use the operating system's configured default TLS client settings in that scenario.

The TLS settings at the operating system level are different from the TLS/SSL settings used in Internet Explorer. I created a group policy template at https://www.moonlightdesign.org/TLS-SSL-Protocols last year that can configure the operating system level settings (unofficial and not related to Salesforce), which updates the registry keys in HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\* .
Steven Lawrance
It's likely that the application is specifying the protocols to enable, such as if it is setting System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls. If it is doing that, then commenting out that code may allow it to use the registry settings. Another potential option is to set System.Net.ServicePointManager.SecurityProtocol to the numeric value of (SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls) cast into a SecurityProtocol. It's probably easiest to try commenting out all assignments to System.Net.ServicePointManager.SecurityProtocol in the application so that the registry setting has a chance to enable TLS 1.2 in the application's connections.
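The numeric-value option from the reply above, as an added example that is not part of the original posts. It assumes the project still targets .NET 4.0 but runs on a machine where .NET 4.5 or later is installed, so the runtime recognises the values; the class name TlsBootstrap and its method are hypothetical.

```csharp
using System;
using System.Net;

static class TlsBootstrap
{
    // The .NET 4.0 SecurityProtocolType enum has no Tls11/Tls12 members.
    // These are the numeric values those members have in .NET 4.5 and later.
    const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Call once at startup, before the first WebClient or HttpWebRequest is used.
    // Returns true when the runtime accepted the TLS 1.1/1.2 values.
    public static bool EnableModernTls()
    {
        try
        {
            // Assign the full set instead of OR-ing onto the current value,
            // so Ssl3 (part of the .NET 4.0 default) is not carried over.
            ServicePointManager.SecurityProtocol =
                Tls12 | Tls11 | SecurityProtocolType.Tls;
            return true;
        }
        catch (NotSupportedException)
        {
            // Assumption: this is what a runtime without .NET 4.5+ installed
            // raises for values it does not know. The previous setting is
            // left in place, so the caller can log it and fail clearly.
            return false;
        }
    }

    static void Main()
    {
        bool ok = EnableModernTls();
        Console.WriteLine("TLS 1.1/1.2 accepted: {0}; SecurityProtocol = {1}",
            ok, (int)ServicePointManager.SecurityProtocol);
    }
}
```

SecurityProtocolType.Tls is kept in the set because the reply lists it; drop it once every endpoint the application calls accepts TLS 1.1 or higher.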