igress

.NET 4.0 TLS 1.0 Encryption

Hi,
Since Salesforce is disabling TLS 1.0 encryption: I am using the .NET Framework 4.0 WebClient class to connect to Salesforce.

using System.Collections.Specialized;
using System.Net;
using System.Text;

// OAuth 2.0 username-password flow against the Salesforce token endpoint.
// clientId, clientSecret, username, password and tokenRequestEndpointUrl
// are set elsewhere in the application.
var _webClient = new WebClient();
var content = new NameValueCollection
            {
                {"grant_type", "password"},
                {"client_id", clientId},
                {"client_secret", clientSecret},
                {"username", username},
                {"password", password}
            };
// UploadValues form-encodes the collection and POSTs it; the HTTPS handshake
// uses whatever ServicePointManager.SecurityProtocol allows (Ssl3 | Tls on 4.0).
var responseBytes = _webClient.UploadValues(tokenRequestEndpointUrl, "POST", content);
var responseBody = Encoding.UTF8.GetString(responseBytes);

I know that System.Net.ServicePointManager.SecurityProtocol (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.100).aspx) supports Tls (which is the default choice). But if you look at the link, it says it is the TLS 1.0 protocol. How do I specify TLS 1.1 and higher?

I cannot upgrade my existing solution to .NET 4.5 since it is a huge undertaking. Is upgrading to .NET 4.5 the only way? I see that System.Net.ServicePointManager.SecurityProtocol (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx) supports TLS 1.1 and 1.2 there.

Thanks

Related post: https://developer.salesforce.com/forums/ForumsMain?id=906F0000000BMX0IAO
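One way to name TLS 1.1/1.2 from a project that still targets .NET Framework 4.0, given here as an added example rather than code from the original post or from Salesforce: SecurityProtocolType is a plain flags enum, so the numeric values that the 4.5 enum defines (Tls11 = 768, Tls12 = 3072) can be assigned by cast even though the 4.0 reference assembly does not declare them. This only works if the 4.5-or-later runtime is installed on the machine (it is an in-place replacement for 4.0, so the project does not need to be retargeted); on a box that has only the original 4.0 runtime the setter rejects the value with NotSupportedException, which the example turns into a clear error instead of a failed handshake. The names Tls12Client, TryEnableTls12 and RequestToken are mine.

```csharp
// Added example, not from the original post. Assumes the .NET 4.5+ runtime is
// installed; the project itself can keep targeting .NET Framework 4.0.
using System;
using System.Collections.Specialized;
using System.Net;
using System.Text;

static class Tls12Client
{
    // Values of the Tls11/Tls12 members of the .NET 4.5 SecurityProtocolType enum.
    // They are not declared in the 4.0 reference assembly, hence the casts.
    const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Returns true if the runtime accepted TLS 1.1/1.2. The original 4.0 runtime
    // only allows Ssl3 | Tls and throws NotSupportedException for anything else.
    public static bool TryEnableTls12()
    {
        try
        {
            ServicePointManager.SecurityProtocol = Tls11 | Tls12;
            return true;
        }
        catch (NotSupportedException)
        {
            return false;
        }
    }

    // Same POST as in the question, but it refuses to run on a runtime that can
    // only speak TLS 1.0, so the failure is explicit rather than a handshake error.
    public static string RequestToken(string tokenEndpoint, NameValueCollection form)
    {
        if (!TryEnableTls12())
            throw new InvalidOperationException(
                "This runtime supports only SSL 3.0/TLS 1.0; install .NET Framework 4.5 or later.");

        using (var client = new WebClient())
        {
            byte[] response = client.UploadValues(tokenEndpoint, "POST", form);
            return Encoding.UTF8.GetString(response);
        }
    }
}
```

Call TryEnableTls12 once at startup (ServicePointManager.SecurityProtocol is process-wide) and log the result; if it returns false, the machine needs the newer runtime before any registry or code change will help.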
Best Answer chosen by igress
Daniel Ballinger
I don't believe there is a native way to add TLS1.1 or 1.2 support to the .NET 4.0 framework. At least not where it would be less effort than upgrading to .NET 4.5+.

There are a couple of options for .NET 4.0 listed in Are there .NET implementation of TLS 1.2? (http://stackoverflow.com/q/4137106/54026). You would be doing COM to schannel.dll (http://msdn.microsoft.com/en-us/library/aa380516%28v=VS.85%29.aspx) or using a third party product (http://stackoverflow.com/a/4138158/54026).

In my opinion, upgrading the .NET framework would be less error prone than those approaches.

All Answers

Steven Lawrance
As .NET uses the operating system's Secure Channel (Schannel) library for TLS connections, you generally need to run this on an operating system that supports TLS 1.1 or TLS 1.2. The minimum requirements for that are somewhat high, though as the deactivation of TLS 1.0 is partly an industry-wide transition related to the recent payment card industry (PCI) DSS 3.1 standards, it's a transition that many need to go through over the next year.

Windows 7 or higher as well as Windows Server 2008 R2 and higher are required for TLS 1.1 and TLS 1.2 support. Is your operating system at that level or higher? If it's an earlier version of Windows or Windows Server, you will need to upgrade to a newer version to get support for TLS 1.1 and TLS 1.2.

It's possible that your unmodified application may support TLS 1.1 and TLS 1.2 when run in Windows 7 or higher or Windows Server 2008 R2 or higher, though it depends heavily on the details of the .NET library and the application. If the application is specifying the TLS protocols to enable, then it may just remain as TLS 1.0 in Windows 7 or higher or Windows Server 2008 R2 or higher. Hopefully, there is a way to be general about it rather than specifying the exact protocols to use, and I hope that .NET can use the operating system's configured default TLS client settings in that scenario.

The TLS settings at the operating system level are different from the TLS/SSL settings used in Internet Explorer. I created a group policy template at https://www.moonlightdesign.org/TLS-SSL-Protocols last year that can configure the operating system level settings (unofficial and not related to Salesforce), which updates the registry keys in HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\* .
Steven Lawrance
As an update regarding .NET 4.0, there are two registry settings that enable TLS 1.2 in https connections from .NET 4.0 applications. To enable TLS 1.2, it is possible to set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, will enable TLS 1.2 in all installed .NET 4.0 applications on that system. This is also available as a registry import file at https://sha2test.salesforce.com/s/NET40-Enable-TLS-1_2.reg .
Santiago Perez
Hello Steve, thanks for all the great info. I'm running a .NET 4.0 app POC on Windows 7 and ran your reg import file but still have the error message. Is it really just those two registry entries that are needed, or is there any work needed on config?
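To check what the two registry posts above describe, and to see why the .reg import might not take effect on a given box, here is a small console check written as an added example; it is not from this thread or from Salesforce. It reads SchUseStrongCrypto for the v4.0.30319 runtime in both the 64-bit and the 32-bit (Wow6432Node) registry views, the Schannel client switches for TLS 1.1 and TLS 1.2, and the "Release" value under NDP\v4\Full, which exists only when the in-place 4.5-or-later runtime is installed. That last check matters because SchUseStrongCrypto is honoured by the 4.5+ System.dll, so on a machine that still runs the original 4.0 runtime the two DWORDs are present but change nothing. With -fix it also sets the two DWORDs (run elevated). The class and method names are mine.

```csharp
// Added example, not from the original thread. Run elevated; "-fix" writes the
// two SchUseStrongCrypto DWORDs, otherwise it only reports the current state.
using System;
using Microsoft.Win32;

static class TlsRegistryCheck
{
    const string NetFxKey = @"SOFTWARE\Microsoft\.NETFramework\v4.0.30319";
    const string Ndp4Full = @"SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full";
    const string Schannel = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";

    // Reads a DWORD from HKLM in the given view; null if the key or value is absent.
    static int? ReadDword(RegistryView view, string subKey, string name)
    {
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (var key = hklm.OpenSubKey(subKey))
        {
            return key == null ? null : key.GetValue(name) as int?;
        }
    }

    static string Show(int? value)
    {
        return value.HasValue ? value.Value.ToString() : "(absent)";
    }

    // Registry32 maps HKLM\SOFTWARE to the Wow6432Node view on 64-bit Windows,
    // so this covers both keys named in the post with one method.
    static void SetStrongCrypto(RegistryView view)
    {
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (var key = hklm.CreateSubKey(NetFxKey))
        {
            key.SetValue("SchUseStrongCrypto", 1, RegistryValueKind.DWord);
        }
    }

    static void Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "-fix")
        {
            SetStrongCrypto(RegistryView.Registry64);
            SetStrongCrypto(RegistryView.Registry32);
        }

        foreach (var view in new[] { RegistryView.Registry64, RegistryView.Registry32 })
            Console.WriteLine("{0}: SchUseStrongCrypto = {1}", view,
                Show(ReadDword(view, NetFxKey, "SchUseStrongCrypto")));

        // "Release" is written by the 4.5+ installer; missing means only the
        // original 4.0 runtime is present and SchUseStrongCrypto will be ignored.
        int? release = ReadDword(RegistryView.Default, Ndp4Full, "Release");
        Console.WriteLine("NDP v4 Full Release = {0}, CLR {1}",
            release.HasValue ? release.Value.ToString() : "missing (4.5+ runtime not installed)",
            Environment.Version);

        // OS-level Schannel client switches for the protocols Salesforce will require.
        foreach (var proto in new[] { "TLS 1.1", "TLS 1.2" })
        {
            string sub = Schannel + @"\" + proto + @"\Client";
            Console.WriteLine("{0} client: Enabled={1} DisabledByDefault={2}", proto,
                Show(ReadDword(RegistryView.Default, sub, "Enabled")),
                Show(ReadDword(RegistryView.Default, sub, "DisabledByDefault")));
        }
    }
}
```

Absent Schannel protocol keys mean the operating system default applies; an explicit Enabled=0 or DisabledByDefault=1 under the TLS 1.2 Client key would block the protocol regardless of what the .NET side asks for, which is the other thing to rule out when the .reg import alone does not clear the error.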