Enable TLS 1.2 for legacy .NET 4.0 applications

Aug 22, 2020  

Servers should not longer serve HTTPS over the deprecated protocols TLS 1.0 and TLS 1.1. Modern web browsers are enforcing the move to TLS 1.2 by showing warnings about the HTTPS connection not beeing secure if the server still accepts the older cryptographic suites. Google led the way with the deprecation of TLS 1.0 and 1.1 in Chrome 72. Firefox disabled TLS 1.0 and 1.1 by default in January 2020.

Hey, my tools can’t talk TLS 1.2!

We switched off the old TLS versions on our servers in 2019. Immediately, some customers started complaining that their tools could no longer talk to our servers, as they were still using older Windows versions.

We kept a server around, accepting old TLS versions, and asked out customers to configure their DNS to continue to use the legacy server.

.NET 4.0 can’t talk TLS 1.2

After several months, I came across a similar issue on perfectly up-to-date Windows 10 computers: some tool failed to connect over HTTPS to our public server using TLS 1.2.

After investigation, it appeared that the tool was based on .NET 4.0, which obviously does not support TLS 1.2 out of the box.

Updating the tool to .NET 4.8 would certainly solve the issue, but it would be quite time consuming (we cannot simply recompile it: the tool was being deployed using technologies which are, alas, no longer supported by current Visual Studio versions).

.NET 4.0 can be configured to talk TLS 1.2

Fortunately, Microsoft provides a way to enable TLS 1.2 on .NET 4.0.

For this, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 in regedit as an administrator and add two DWORD values:

  • SchUseStrongCrypto → 1
  • SystemDefaultTlsVersions → 1

For 32-bit applications running on 64-bit systems, do the same on the matching WOW6432Node

The same configuration can also be applied to .NET 2.0.