1

I've been asked a question by the boss and actually I can't find any sort of coherent / comprehensive answer out there!

So I turn to you, the wise and all-knowing collective of StackOverflow :)

The question of the day is "Does .NET support transport layer security version 1.1 or 1.2?" Google is next to useless on this issue and the documentation out there is severely lacking.

Any help on this would be greatly appreciated.

Thank you, Clint

4

3 Answers

2

TLS 1.1 and 1.2 support has been added to Windows 7 and my understanding is that .NET relies on Windows' SChannel for TLS support. So I think the answer to your question is "depends on the OS".

Now you should remember that most sites are powered by older versions of OpenSSL and other libraries which not only didn't support TLS 1.1 and 1.2, but closed the connection immediately if they received an indication of TLS 1.1 support from the client. In other words, if you enable TLS 1.1 support in your client, you won't be able to connect to some servers.

Upd: Forgot to mention that you can use a third-party SSL/TLS implementation (e.g. the one in our SecureBlackbox product) to get TLS 1.x support in your .NET application.

answered 2011-10-03T09:10:29.667
1

Here are some places where you can start to document yourself:

Transport Security with Certificate Authentication

This topic discusses using X.509 certificates for server and client authentication when using transport security. For more information about X.509 certificates see X.509 Public Key Certificates. Certificates must be issued by a certificate authority, which is often a third-party issuer of certificates. On a Windows Server domain, Active Directory Certificate Services can be used to issue certificates to client computers on the domain. For more information see Windows 2008 R2 Certificate Services. In this scenario, the service is hosted under Internet Information Services (IIS), which is configured with Secure Sockets Layer (SSL). The service is configured with an SSL (X.509) certificate to allow clients to verify the identity of the server. The client is also configured with an X.509 certificate that allows the service to verify the identity of the client. The server's certificate must be trusted by the client and the client's certificate must be trusted by the server. The actual mechanics of how the service and client verify each other's identity are beyond the scope of this topic. For more information see Digital Signature on Wikipedia.

SslStream Class

... If the server requires client authentication, the client must specify one or more certificates for authentication. If the client has more than one certificate, the client can provide a LocalCertificateSelectionCallback delegate to select the correct certificate for the server. The client's certificates must be located in the current user's "My" certificate store. Client authentication via certificates is not supported for the Ssl2 (SSL version 2) protocol. ...

answered 2011-10-03T09:06:36.877
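The first answer says the available TLS versions depend on the OS because .NET hands the handshake to SChannel, and the second points at SslStream. A direct way to verify that on a given machine is to ask SslStream for a handshake restricted to one protocol version and read back what SChannel actually negotiated. The following is an added example and is not code from the question or any of the answers; it assumes .NET Framework 4.5 or later (where the SslProtocols.Tls11 and SslProtocols.Tls12 members exist) and uses a placeholder host name that you would replace with a server you operate.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Probes which TLS version the local SChannel and a remote server agree on.
// Because SslStream delegates to the OS, the same binary reports different
// results on an OS without TLS 1.1/1.2 support versus one that has it.
static class TlsProbe
{
    // Attempts a handshake allowing only the versions in 'allowed'.
    // Returns the negotiated version, or null if the handshake was refused.
    public static SslProtocols? Probe(string host, int port, SslProtocols allowed)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // No client certificate is offered; server certificate validation and
                // revocation checking use the default chain validation.
                ssl.AuthenticateAsClient(host, new X509CertificateCollection(), allowed, true);
                return ssl.SslProtocol;
            }
        }
        catch (AuthenticationException)
        {
            // Raised when SChannel cannot offer the requested version (older OS)
            // or the server rejects it during the handshake.
            return null;
        }
        catch (IOException)
        {
            // Some older servers close the socket instead of negotiating down,
            // which is the behaviour the first answer warns about.
            return null;
        }
    }

    static void Main()
    {
        const string host = "tls-probe-target.example"; // placeholder: not a real host
        const int port = 443;

        foreach (var version in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            SslProtocols? negotiated = Probe(host, port, version);
            Console.WriteLine("{0,-6} -> {1}", version,
                negotiated.HasValue ? negotiated.ToString() : "handshake failed");
        }
    }
}
```

Run it once on the client OS you care about: a row that reads "handshake failed" for Tls12 but succeeds for Tls tells you the limitation is on the local SChannel (or the server), not in your .NET code. Keep the catch blocks narrow as shown; swallowing all exceptions would hide certificate validation failures, which you want to see.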
1

It can support either; the support comes from the underlying IIS, not .NET.

For details on how to enable TLS 1.2, see here: http://support.microsoft.com/kb/245030. Note that currently only a few browsers support it.

answered 2011-10-03T09:10:47.443