This article covers some additional, less obvious TLS behaviors of applications compiled against .NET Framework 3.5x and 4.7, and what to expect from them.
Registry Settings & Ideal TLS Behavior
When SystemDefaultTlsVersions is enabled (either via an AppContext switch* or via the Windows Registry), a .NET Framework application relies on the platform, i.e. the OS Secure Channel (SCHANNEL) provider, to negotiate TLS. The handshake then selects the highest TLS version that is enabled in SCHANNEL and that the peer also supports, rather than a list hard-coded in the framework.
Available for .NET Framework Versions: 4.8, 4.7.2, 4.7.1, 4.7, 3.5 and 3.5.1
With .NET 4.7 (and greater) there is a new built-in default behavior that changes how TLS is negotiated. Applications targeting .NET 4.7 or later now rely on SCHANNEL to negotiate the TLS protocol on their behalf. This differs from earlier versions, which instruct SCHANNEL to negotiate using a predefined set of protocols chosen by the framework (for example, SSL 3.0 and TLS 1.0 on .NET 4.5, or TLS 1.0/1.1/1.2 on .NET 4.6 with SchUseStrongCrypto).
This default behavior can be turned off by setting SystemDefaultTlsVersions to 0 in the system registry. Doing so forces .NET 4.7 (and greater) applications back onto the framework's internal, hard-coded protocol list, which will never pick up a newer protocol the OS later enables, so it is not recommended.
Although .NET 4.7 (and greater) applications rely on SCHANNEL to negotiate the TLS protocol, SchUseStrongCrypto (enabled by default since .NET 4.6) partially remains in effect: the framework still requests strong cryptography from SCHANNEL, so weak cipher suites are excluded. (See the 4.7 and above default behavior below.)
A patch is available for .NET 3.5x that adds support for SystemDefaultTlsVersions so that it can be enabled via the system registry.
Recommendation – TLS Behavior
Because nearly every Microsoft business productivity system (workstations and servers alike) carries a mixture of installed applications built against different .NET Framework versions, it is HIGHLY recommended to level-set SystemDefaultTlsVersions (via GPO) across ALL Windows platforms.
Level-setting SystemDefaultTlsVersions in the registry provides two important benefits:
- Forces .NET 3.5x (patched) and .NET 4.7 (and greater) applications to rely on the platform (SCHANNEL) to negotiate the TLS protocol
- Avoids per-application variances in, and tampering with, TLS behavior (note the caveat: an application that explicitly assigns ServicePointManager.SecurityProtocol in code still overrides the registry value, so those applications must be found and fixed separately)
The DWORD value has two meanings:
- Value of 1 causes your app to allow the operating system to choose or negotiate the TLS protocol
- Value of 0 causes the compiled application to use the protocols picked by the .NET Framework
.NET Version TLS Behavior
SystemDefaultTlsVersions is available for the following versions of the .NET Framework:
- .NET 3.5 and 3.5.1 (with the update noted below; disabled by default)
- .NET 4.7 through 4.8+ (enabled by default for applications targeting 4.7 or later)
- Applications compiled against .NET 3.5 or 3.5.1 can make use of the SystemDefaultTlsVersions registry setting once the update is installed; the value is undefined (not enabled) by default
- Applications compiled against .NET Framework 4.7 or greater rely on the Secure Channel (SCHANNEL) to negotiate TLS by default and ignore the framework's built-in protocol list; the AppContext switch can override this, and applications that target an earlier framework version but run on the 4.7+ runtime do not get the new default unless the registry value is set
*Note: the AppContext switch (Switch.System.Net.DontEnableSystemDefaultTlsVersions) is available for .NET Framework versions 4.8, 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1 and 4.6
Notes: .NET Framework 3.5 and earlier versions did not provide support for applications to use the TLS system default versions. This update enables the use of TLS 1.2 in the .NET Framework 3.5. (update link)
Windows Registry Settings
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] – “SystemDefaultTlsVersions”=dword:00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] – “SystemDefaultTlsVersions”=dword:00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] – “SystemDefaultTlsVersions”=dword:00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727] – “SystemDefaultTlsVersions”=dword:00000001
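The following PowerShell script is an added example, not code from the original article or from DTS. It audits the four registry locations listed above, level-sets SystemDefaultTlsVersions on all of them (the v2.0.50727 keys cover patched .NET 3.5x applications, the WOW6432Node keys cover 32-bit processes on a 64-bit host), and then verifies the result from a fresh process. The function names, the -Value parameter, and the choice to create a missing key are this example's own; it assumes Windows PowerShell 5.1 or later running elevated.

```powershell
# Added example: audit, set, and verify SystemDefaultTlsVersions for every
# .NET Framework runtime hive on the host. Run elevated.

$NetFxKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Get-NetFxTlsSetting {
    # Report the raw value at each key. $null means the value is undefined,
    # so the runtime default applies (enabled for 4.7+ targets, disabled for
    # earlier targets and for 3.5x).
    foreach ($key in $NetFxKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            KeyExists                = [bool]$item
            SystemDefaultTlsVersions = $item.SystemDefaultTlsVersions
            SchUseStrongCrypto       = $item.SchUseStrongCrypto
        }
    }
}

function Set-NetFxTlsSetting {
    # Level-set the value on all four keys. Supports -WhatIf so the change can
    # be previewed before it is rolled into a GPO preference.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )
    foreach ($key in $NetFxKeys) {
        if (-not (Test-Path -Path $key)) {
            # The WOW6432Node or v2.0 hive can be absent on a host without the
            # 32-bit runtime or .NET 3.5 installed; creating it is harmless.
            if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
                New-Item -Path $key -Force | Out-Null
            }
        }
        if ($PSCmdlet.ShouldProcess($key, "Set SystemDefaultTlsVersions=$Value")) {
            New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' `
                -PropertyType DWord -Value $Value -Force | Out-Null
        }
    }
}

function Test-NetFxSystemDefaultTls {
    # PowerShell is itself a .NET Framework application, so a *new* process is
    # the simplest probe: with SystemDefaultTlsVersions=1 in effect the runtime
    # reports SecurityProtocolType.SystemDefault instead of a fixed list such
    # as "Ssl3, Tls" or "Tls, Tls11, Tls12". The current session is not a
    # valid probe because the value was read when that process started.
    $reported = & powershell.exe -NoProfile -NonInteractive -Command `
        '[System.Net.ServicePointManager]::SecurityProtocol.ToString()'
    return ($reported.Trim() -eq 'SystemDefault')
}

# Usage:
Get-NetFxTlsSetting | Format-Table -AutoSize
Set-NetFxTlsSetting -Value 1 -WhatIf     # preview
Set-NetFxTlsSetting -Value 1             # apply
if (Test-NetFxSystemDefaultTls) { 'OS (SCHANNEL) is negotiating TLS for .NET apps' }
else { 'Runtime still using the framework protocol list; check the keys above' }
```

The verification step only proves the registry default took effect; an application that assigns ServicePointManager.SecurityProtocol explicitly in its own code will still report and use whatever it set, so inventory those separately.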
Anyway, I hope this sheds a bit more light on this particular setting.
SHAWN MAY – DTS Inc. | Principal Architect & CEO | shawn@yourDTS.com