Specifying SSL/TLS for System.Net.HttpWebRequest through App.config
It is possible to alter the TLS settings for an application targeting <.net-4.6 without recompiling it by editing its app.config
as long as you are running it on ≥.net-4.6. This is documented in “Transport Layer Security (TLS) best practices with the .NET Framework”.
When Microsoft developed .net-4.6 as an in-place replacement for .net-4.5, they wanted to make behavior changes including bugfixes, security improvements, etc.. But they did not want to break apps targeting .net-4.5 which relied on old behaviors—even buggy ones (it is quite common for old code to rely on buggy behavior and Microsoft’s .net team cares to the point of purposefully preserving bugs for the sake of compatibility). To do this, starting with .net-4.6 and continuing with later releases, each new behavior change that would be expected to cause compatibility issues was placed behind a switch which enables the old behavior and defaults to true
. At compile time, the targeted framework is stored in the assembly. When the runtime loads the entry point’s assembly, it checks the targeted version and then automatically presets its compatibility switches for the targeted .net version.
If you can’t retarget or recompile your application, you can manually specify the values of these compatibility switches by adding or editing <AppContextSwitchOverrides/>
in the app.config
which is normally named «ExecutableName».exe.config
. The switch DontEnableSystemDefaultTlsVersions
was added in .net-4.7 which supports using system-provided TLS policies. The switch DontEnableSchUseStrongCrypto
was added in .net-4.6 which added support for TLS 1.2.
<?xml version="1.0"?>
<configuration>
<runtime>
<!--
Support connecting to servers which require modern TLS protocols.
DontEnableSystemDefaultTlsVersions=false is sufficient if running on ≥.net-4.7
which supports using the system-provided TLS versions/policies.
DontEnableSchUseStrongCrypto is required if running on .net-4.6 which defaults
to newer versions of TLS but doesn’t support following system updates/policies.
-->
<AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false"/>
</runtime>
</configuration>
Example using the protocol name instead of integer codes.
string securityProtocol = ConfigurationManager.AppSettings["SecurityProtocol"].ToString();
try
{
System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)Enum.Parse(typeof(System.Net.SecurityProtocolType), securityProtocol);
}
catch (Exception ex)
{
Console.WriteLine("Could not setup SecurityProtocol. Try a different integer value: " + ex.Message);
foreach (System.Net.SecurityProtocolType protocolType in Enum.GetValues(typeof(System.Net.SecurityProtocolType)))
{
Console.WriteLine(string.Foramt("SecurityProtocol: {0} - {1}", protocolType.ToString(), (int)protocolType));
}
}
For App.Config
<appSettings>
<add key="SecurityProtocol" value="Tls12" />
</appSettings>
For now I have put an integer value in the App.config that specifies the enum value to set System.Net.ServicePointManager.SecurityProtocol
to. I still think there may be a more elegant way to do this and look forward to other answers. I was guided in this direction by https://stackoverflow.com/a/35325333/5221761
int securityProtocol = Convert.ToInt32(ConfigurationManager.AppSettings["SecurityProtocol"]);
try
{
System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)securityProtocol;
}
catch(Exception ex)
{
Console.WriteLine("Could not setup SecurityProtocol. Try a different integer value: " + ex.Message);
foreach (System.Net.SecurityProtocolType protocolType in Enum.GetValues(typeof(System.Net.SecurityProtocolType)))
{
Console.WriteLine(string.Foramt("SecurityProtocol: {0} - {1}", protocolType.ToString(), (int)protocolType));
}
}
App.config:
<appSettings>
<add key="SecurityProtocol" value="3072" />
</appSettings>