.Net 4.7.2 app does not honor SCHANNEL protocol settings - tls1.2

I disabled TLS 1.0 and 1.1 like so:
[HKEY_LOCAL_MACHINE\SYSTEM...\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM...\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[repeat for 1.1]
When I hit https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html with a browser, I get
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
When I hit the same endpoint from the same server with a .Net 4.7.2 console app that executes these lines
HttpClient c = new HttpClient();
var response = c.GetAsync("https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html").Result;
I get
TLS 1.3 No
TLS 1.2 Yes*
TLS 1.1 Yes*
TLS 1.0 Yes*
Why is that and how can I restrict (or enable) protocols from outside the app?
The underlying issue is actually that I cannot get .Net clients on this server to use TLS 1.2 on outbound connections even though it is enabled at the OS level, and understanding why I cannot disable other protocols might help me figure this out.

Ah, never mind, I missed the (*) footnote:
(*) Without JavaScript, this test reliably detects only the highest supported protocol.
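A direct way to see which protocol .NET actually negotiates, instead of relying on the test page without JavaScript, is to open an SslStream and read its SslProtocol property; this is an added example, not code from the original post, and the host, port and catch clauses are assumptions.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example (not from the original post): report the TLS version .NET negotiates
// on an outbound connection. SslProtocols.None asks for the OS (SCHANNEL) default,
// which is what a .NET 4.7+ app uses when it does not pin a protocol itself.
class TlsProbe
{
    static SslProtocols Probe(string host, int port, SslProtocols requested)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            // Revocation checking is off only to keep the probe simple; keep it on in real clients.
            ssl.AuthenticateAsClient(host, null, requested, false);
            return ssl.SslProtocol;
        }
    }

    static void Main()
    {
        // Endpoint from the question; any HTTPS endpoint works (assumption).
        const string host = "clienttest.ssllabs.com";
        const int port = 8443;

        // 1. OS default: expect Tls12 once TLS 1.0/1.1 are disabled in SCHANNEL.
        Console.WriteLine("System default -> " + Probe(host, port, SslProtocols.None));

        // 2. Explicit downgrade attempt: with TLS 1.0 disabled in SCHANNEL the handshake
        //    is refused (typically an AuthenticationException wrapping a Win32Exception).
        try
        {
            Console.WriteLine("Forced TLS 1.0 -> " + Probe(host, port, SslProtocols.Tls));
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
        {
            Console.WriteLine("Forced TLS 1.0 -> refused: " + ex.Message);
        }
    }
}
```

If the first line prints Tls or Tls11, the app is not picking up the system defaults at all, which is a separate problem from the SCHANNEL registry keys (the app's target framework, or a ServicePointManager.SecurityProtocol assignment somewhere in the code, decides that).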

Related

Why is my site not using http/2 while it is http/2 enabled

I have a NGINX reverse proxy in front of a website. The NGINX server is http2/ready. If I run a test, all seems good:
However, when I go to the website using a browser, Chrome indicates the website is using http/1.1.
I can't figure out why. Can anyone help?
I found out why. I enabled the TLS 1.3 protocol on NGINX. Chrome 70 on Win10 handshaked to TLS 1.3 without http/2. As soon as I disabled TLS 1.3 the browser handshaked to TLS1.2 + https/2. The question, of course, is what is faster. I opted for the TLS1.2 + https/2 scenario.

Is it possible to force traefik to response using http 1.1?

I have an application which performs http queries with the http 1.0 header, and expects answers to be in http 1.1.
Obviously, traefik is respectful of world wide web conventions and replies 1.0 to 1.0 queries, and 1.1 to 1.1 queries. But is it possible to modify that behaviour through configuration to have that application always replied to using http 1.1?
It's not possible to override HTTP version in Traefik. Sorry ;)

How to know if a server supports HTTP 1.0

I need to know if a server supports HTTP 1.0. I send this message through a TCP socket:
GET / HTTP/1.0
Host: www.example.com
The thing is that sometimes I get an HTTP 1.0 response and other times an HTTP 1.1 response. How should I interpret these responses?
Thanks!
I need to know if a server supports HTTP 1.0.
When you send the request GET / HTTP/1.0 you're telling the server that the HTTP version you as a client support is 1.0.
If a server is either designed for HTTP 1.0 or designed for HTTP 1.1 with backwards compatibility to 1.0 then the server should send a 1.0 response to a 1.0 request, not a 1.1 response since the response might not be supported by the client.
In the HTTP protocol, the client is expected to send the version with the request, before it has any idea about what the server is or does.
That means that your trial-and-error approach is probably the only way to tell.
In practice, HTTP/1.0 isn't really in use the vast majority of the time, and it's almost always appropriate to use HTTP/1.1.

POODLE vulnerability. Giving client warnings if their browser can fall back to SSL 3.0 on IIS

If we disable SSL 3.0 completely on the server, the customer whose browser cannot support TLS 1.0 will just see a failed connection in the client browser.
Question 1: How do I detect if the client browser cannot support TLS 1.0 and give him a more intelligent warning that his browser is out of date and needs to be upgraded?
Question 2: How do I detect if the client browser can support SSL 3.0 and is vulnerable to the POODLE attack, and warn them of this?
I'm using a Microsoft IIS web server and ASP.NET

How do you provide the best compatibility between SPDY HTTP 2.0 and HTTP 1.1?

With HTTP 2.0 being the proposed standard version of SPDY, how do you get the most compatibility with browsers between the protocols? Both will fall back to HTTP 1.1, but are there browsers that support only SPDY but not HTTP 2.0 or vice versa? Does SPDY fall back to HTTP 2.0 if SPDY support isn't available but HTTP 2.0 support is?