Last post Sep 05, 2018 12:52 PM by PatriceSc
Sep 04, 2018 12:18 PM|madhura.torsekar
We need to make sure that all our applications support TLS 1.2. Let me know what the requirements will be for the same in terms of .NET Framework version, OS version, and SQL version that support only TLS 1.2. We have some of the applications in Classic ASP.
Will upgrading the .NET Framework to 4.5 or later + SQL 2012 + Windows OS 2012 R2 resolve the same and support only TLS 1.2?
Sep 04, 2018 12:46 PM|PatriceSc
Apparently, starting with 4.7 the direction seems to be not telling anything and having the OS choose the strongest available option. Similarly, if you want to drop TLS 1.0 or 1.1, it likely has to be done at the OS level.
Sep 05, 2018 10:26 AM|madhura.torsekar
Ok. Thanks for the link. I have gone through the same and came to know that instead of making code-level changes for TLS 1.2, OS-level changes must be done. If we choose Windows Server 2012 as the OS, will it support only TLS 1.2? As per the security requirement, we need to enable only TLS 1.2 for applications, for which we may need to upgrade all platforms in terms of .NET Framework, OS version, SQL version, etc. I am working on this kind of change for the first time. Hence, I request you to please guide on the same.
It would be good if anyone could help me in the decision of choosing the .NET Framework, OS version, SQL version, etc. for enabling only TLS 1.2.
Sep 05, 2018 12:52 PM|PatriceSc
If I attempt to summarize, my understanding is:
- that you have to take actions to enable Tls12 starting with 3.5 (but not for WCF that just can't use this version) and Windows Server 2008 or later
- Tls12 should be used by default starting with 4.6 and Windows Server 2012 (but it won't use later versions that could be made available)
- from 4.7 it should select the best option offered by the OS (even options made available later at the OS level)
Here it seems you want to disable other options. If possible it is likely best done at the OS level https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc .
You could explicitly select Tls12 in your code for testing before doing OS-level changes (or if you want to enforce this only for a particular app), but it should be tracked and later removed (so that ultimately you end up with an app that will just use the best option, whatever it is, from those made available by the underlying OS).
Edit: I don't remember which version, but you have an IIS update that should allow tracking TLS usage as part of the IIS log, to check that new options are used or to better decide when you can disable old options.
Edit 2: if you need further help a Windows admin forum could be better.