I have a VB.NET 4.5 application on Windows Server 2008 R2 that must connect to one of our other internal applications on a Tomcat server via TLSv1.2. According to our security scans and server config (in preparation for PCI), we can only use these ciphers on that server:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I have generated the service class from the WSDL as usual, but a Wireshark capture doesn't list any of these ciphers as an option.
My questions:
What library does Microsoft.NET use behind the scenes for TLS connections? For example, does it still use SChannel?
Is there a way for me to enable / install new ciphers for VB.NET to use?
If it's using SChannel, maybe I can do some registry changes to get it working...? Or is it possible that these ciphers are just not available on Windows Server 2008 R2?
Thanks in advance!
.NET supports them, but by default the .NET TLS implementation uses only SSLv3/TLSv1 and does not offer those ciphers.
To enable TLSv1.1 and TLSv1.2 (not sure which one actually enabled those ciphers) use:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
This will enable TLSv1.1+ (and in the process disable SSLv3), and .NET should start offering TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
Cheers
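An added example (written for this page, not code from the question or the answer above) that checks the answer's claim from the .NET side instead of from Wireshark. It uses the same .NET classes the VB.NET application goes through (ServicePointManager and SslStream, both backed by SChannel on Windows), so it can be run with Windows PowerShell on the same Server 2008 R2 box. The host name `tomcat.internal.example` and port 8443 are placeholders; the script only reports what SChannel negotiated, it cannot add cipher suites the OS does not have.

```powershell
# Added example: report the TLS version and cipher suite that .NET/SChannel
# actually negotiates with the Tomcat endpoint, without needing a capture.
# Assumptions: host name and port below are placeholders.

param(
    [string]$TargetHost = 'tomcat.internal.example',   # assumed host name
    [int]$Port = 8443                                   # assumed TLS port
)

# Same effect as the answer's ServicePointManager line, for anything in this
# process that goes through HttpWebRequest/WCF (Tls11/Tls12 exist from .NET 4.5).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls12

# Open a raw TLS session with SslStream and read back what was negotiated.
# SslStream exposes the protocol plus the cipher, key-exchange and hash
# algorithms SChannel chose, which is what the server-side scan is grading.
function Test-TlsHandshake {
    param([string]$HostName, [int]$Port, [Security.Authentication.SslProtocols]$Protocols)

    $client = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Second argument $false: dispose the TCP stream together with the SslStream.
        # Certificate validation stays at the default (system chain validation).
        $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false)
        try {
            # $null client certificates; $true = check certificate revocation.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $true)
            [pscustomobject]@{
                Protocol      = $ssl.SslProtocol
                Cipher        = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
                KeyExchange   = "$($ssl.KeyExchangeAlgorithm) $($ssl.KeyExchangeStrength)-bit"
                Hash          = "$($ssl.HashAlgorithm) $($ssl.HashStrength)-bit"
                ServerSubject = $ssl.RemoteCertificate.Subject
            }
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# TLS 1.2 only: this must succeed once the server is restricted to the three
# GCM suites from the question. KeyExchange should read ECDH/DH, Hash SHA256/SHA384.
Test-TlsHandshake -HostName $TargetHost -Port $Port `
    -Protocols ([Security.Authentication.SslProtocols]::Tls12)

# Control: force TLS 1.0 only. Against a TLS 1.2-only server this throws an
# AuthenticationException, which is the expected (and desired) failure.
try {
    Test-TlsHandshake -HostName $TargetHost -Port $Port `
        -Protocols ([Security.Authentication.SslProtocols]::Tls)
} catch {
    Write-Warning "TLS 1.0 handshake rejected by server (expected): $($_.Exception.Message)"
}
```

If the TLS 1.2 probe succeeds but `KeyExchange` shows RSA rather than ECDH/DH, the protocol is enabled but SChannel on that OS build is not offering the ephemeral GCM suites, which is an operating-system question rather than a .NET one.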
I'm being asked to send HL7 messages to an Azure-hosted system using MLLP/TCP with a TLS1.2 connection and client certificate for validation.
Is there a way of making BizTalk use TLS 1.2 with the MLLP adapter on a send port? I can't get it to send anything other than plain text. Or is a VPN the only solution here?
I have BizTalk 2016 CU9 installed and .Net 4.6.2
BizTalk MLLP adapter does not support TLS. One option which is not ideal is to setup a secured VPN tunnel.
It shouldn't be hard for the BizTalk product team to add this to the adapter, though.
There are several options to make BizTalk send ports use TLS 1.2
Add a WCF Endpoint Behaviour that sets the TLS version in code, but the MLLP adapter probably doesn't have this option.
Make the .Net layer use TLS 1.2, which is done through some registry key changes. Note that this will make all connections prefer TLS 1.2. There is also the option of disabling all the older TLS versions and ciphers, but that would require testing all interfaces. With earlier versions of BizTalk that also required upgrading .Net and installing a later version of the SQL Client, but BizTalk 2016 should be fine. Again, not something you can do with MLLP, as it doesn't support TLS at all.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
How to transmit data securely using MLLP adapter (MSDN Forum), which talks about a VPN tunnel or IPSEC to secure the channel for MLLP
See
Support for TLS 1.2 protocol in BizTalk Server (Microsoft)
Configure TLS 1.2 On BizTalk Server (Article)
BizTalk 2016 FP 3 CU6 and TLS 1.2 not working (StackOverflow)
I have a Blazor WASM Application that shall be hosted inside the Backend that is implemented using gRPC on ASP.NET with .NET 5.0. When I try to debug the WASM application and as soon as the debugging Browser starts I get this error:
fail: Microsoft.AspNetCore.Server.Kestrel[0]
HTTP/2 over TLS was not negotiated on an HTTP/2-only endpoint.
All development certificates are installed and trusted and the websocket connection is established using wss:// scheme. So from my point of view the TLS negotiation should succeed.
I already found out that I can work around that to a certain point by changing the Kestrel endpoint settings to use Http1AndHttp2; the problem then becomes that the gRPC connection from the frontend to the backend fails because of the downgrade to HTTP/1.
So my question is: Is there any option to debug Blazor WASM when using an HTTP/2 server on the hosting site?
If this is not possible: Can I determine somehow that the gRPC endpoints get delivered using HTTP/2 and the debugging endpoints via HTTP/1.1?
Here are some tips for checking the TLS negotiation limitations for HTTP/2:
TLS version 1.2 or later
Renegotiation disabled
Compression disabled
Minimum ephemeral key exchange sizes:
Elliptic curve Diffie-Hellman (ECDHE) [RFC4492]: 224 bits minimum
Finite field Diffie-Hellman (DHE) [TLS12]: 2048 bits minimum
Cipher suite not prohibited.
So the solution is quite simple: I used the wrong package. When using Blazor with gRPC the Grpc.Net.Client.Web package must be used (as stated in this article: https://learn.microsoft.com/en-us/aspnet/core/grpc/browser?view=aspnetcore-6.0#configure-grpc-web-with-the-net-grpc-client).
Then you do not have to use HTTP/2 and everything works like a charm.
First I disable the following things in Windows Server 2016.
Triple DES cipher
RC4 cipher
TLS CBC Mode ciphers
TLS 1.0
TLS 1.1
Then, I reboot the server.
Finally, I call the web application, which is hosted on the above server, from my client browser.
Here is the problem: I cannot connect to that web application via the browser.
What am I missing?
What should I do so that end users can use it?
Thank you.
Just turn off the Windows Server firewall to be able to connect from the client side.
It works for me. It's not affected by disabling the above ciphers and TLS versions.
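An added example, not part of the question or the answer above: the question's five "disable" steps as a Windows Server 2016 script, followed by the two checks that tell a firewall problem apart from a Schannel problem. It has to run elevated on the web server, and the protocol and cipher changes only take effect after the reboot the question mentions. The server name `web01.internal.example` and port 443 are placeholders.

```powershell
# Added example: disable TLS 1.0/1.1, Triple DES, RC4 and CBC-mode suites on
# Windows Server 2016, then check reachability and a TLS 1.2 request.
# Assumptions: server name and port used in the checks are placeholders.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# TLS 1.0 and TLS 1.1: disable for the Server role (inbound HTTPS) and the
# Client role (outbound calls the box itself makes, e.g. to SQL or other APIs).
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelRoot "Protocols\$proto\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Triple DES and RC4. The RC4 key names contain '/', which the PowerShell
# registry provider reads as a path separator, so write them through the .NET
# registry API, where '/' is just a character in the key name.
$legacyCiphers = 'Triple DES 168', 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
foreach ($name in $legacyCiphers) {
    $sub = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$name")
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}

# CBC-mode suites. There is no single Schannel "CBC off" switch; remove each
# *_CBC_* suite from the cipher suite list (TLS module, Server 2016 and later).
Get-TlsCipherSuite | Where-Object { $_.Name -like '*_CBC_*' } |
    ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }

# What remains should be AEAD suites only (AES-GCM, plus CHACHA20 on newer builds).
Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# ---- Checks, run after the reboot -------------------------------------------

# On the server: is there an inbound allow rule for the listener port at all?
# Opening only this port is the narrower alternative to turning the firewall off.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 443 } | Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action
# If nothing is listed:
# New-NetFirewallRule -DisplayName 'HTTPS inbound' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# From a client: (a) plain TCP reachability, which a firewall block fails
# before any TLS handshake happens; (b) an actual TLS 1.2 request.
function Test-HardenedListener {
    param([string]$ServerName = 'web01.internal.example', [int]$Port = 443)  # assumed

    $tcp = Test-NetConnection -ComputerName $ServerName -Port $Port
    if (-not $tcp.TcpTestSucceeded) {
        return "TCP to ${ServerName}:$Port failed: firewall or network, not Schannel"
    }

    # Windows PowerShell can default to SSL3/TLS 1.0 for HttpWebRequest, which the
    # hardened server now rejects; force TLS 1.2 so the client is not the problem.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        $resp = Invoke-WebRequest -Uri "https://${ServerName}:$Port/" -UseBasicParsing
        return "TCP ok, TLS 1.2 ok: HTTP $($resp.StatusCode)"
    } catch {
        # TCP open but the request fails: the server's System event log
        # (source Schannel) records the handshake alert that explains why.
        return "TCP ok, TLS failed: $($_.Exception.Message)"
    }
}

Test-HardenedListener
```

The two checks are deliberately in that order: `Test-NetConnection` failing means packets never reach the listener, so no amount of Schannel tuning will change the result, whereas a successful TCP test with a failing `Invoke-WebRequest` points at the cipher and protocol configuration just applied.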
After disabling the lower security protocol versions SSL 3.0, TLS 1.0 and TLS 1.1 and enabling TLS 1.2, I am not able to connect to the BizTalk group or use BizTalk server. The BizTalk server version I am using is 2013 R2. Following is the error:
An attempt to connect to "BizTalkMgmtDb" SQL Server database on server "XXXXXX" failed.
Internal Error from OLEDB provider: "[DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error."
Also when I enable TLS 1.2 without disabling the lower versions I don't see any problems and everything seems working fine
Please suggest what can be done to make the server compatible while disabling lower versions
You need to install CU 8 and also the prerequisite SQL Server 2012 Native Client version 11 as per Support for TLS 1.2 protocol in BizTalk Server
See also BizTalk: Configure TLS 1.2 on BizTalk Server
For BizTalk 2013 R2 we also installed .Net 4.6 and updated the BAM connection strings to use the SQL Server Native Client 11.
You will also have to ensure that any other endpoints that BizTalk communicates with or that communicates with BizTalk is capable of TLS 1.2, for anything using either HTTPS, FTPS or SQL.
So any SQL server you connect to also needs to have SQL Server 2012 Native Client version 11 or above, and .NET 4.5 or greater.
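An added example, not taken from the question or the answers: a connection test that reproduces the error text in the question outside BizTalk. The `[DBNETLIB]` in the error is the legacy `SQLOLEDB` OLE DB provider, which has no TLS 1.2 support; the answer's prerequisite, SQL Server Native Client 11, is the `SQLNCLI11` provider. The script opens the management database with both providers and with .NET SqlClient so that each path can be checked separately after the lower protocols are disabled. The server name is the `XXXXXX` placeholder from the error text.

```powershell
# Added example: open BizTalkMgmtDb through the old and the new OLE DB provider
# and through .NET SqlClient, and report which of them still connects once
# SSL 3.0 / TLS 1.0 / TLS 1.1 are disabled on the SQL Server.
# Assumptions: server name is a placeholder; integrated security is used.
# Run this with the same bitness as the BizTalk process you care about:
# 32-bit host instances load the 32-bit provider, so use
# %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe for those.

Add-Type -AssemblyName System.Data

$SqlServer = 'XXXXXX'          # placeholder from the error message
$Database  = 'BizTalkMgmtDb'

function Test-OleDbProvider {
    param([string]$Provider)

    $cs = "Provider=$Provider;Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.OleDb.OleDbConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@VERSION'
        $version = [string]$cmd.ExecuteScalar()
        [pscustomobject]@{ Provider = $Provider; Result = 'connected'; Detail = $version.Split("`n")[0].Trim() }
    } catch {
        # With TLS 1.0/1.1 disabled on the SQL box, SQLOLEDB ends up here with
        # "SSL Security error" / SECCreateCredentials, exactly as in the question.
        [pscustomobject]@{ Provider = $Provider; Result = 'FAILED'; Detail = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

# Legacy provider (what the error text shows) versus SQL Server Native Client 11.
'SQLOLEDB', 'SQLNCLI11' | ForEach-Object { Test-OleDbProvider -Provider $_ }

# .NET SqlClient, the path BizTalk's own managed code uses. This needs .NET 4.6+
# (the answer mentions installing it) and SchUseStrongCrypto for TLS 1.2.
$sc = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;Connect Timeout=10")
try {
    $sc.Open()
    [pscustomobject]@{ Provider = 'SqlClient'; Result = 'connected'; Detail = "server version $($sc.ServerVersion)" }
} catch {
    [pscustomobject]@{ Provider = 'SqlClient'; Result = 'FAILED'; Detail = $_.Exception.Message }
} finally { $sc.Dispose() }
```

The expected pattern after the hardening is `SQLOLEDB` failing while `SQLNCLI11` and SqlClient connect; if `SQLNCLI11` also fails, the Native Client on the machine running the test is still the pre-TLS 1.2 build the answer says must be updated.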
Have you added this key in regedit?
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
then Add --> New DWORD --> SchUseStrongCrypto with value 1
The same operation needs to be done on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
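An added example, not code from any of the answers: the two `SchUseStrongCrypto` registry values that both the BizTalk 2016 answer further up and the answer just above describe, applied from PowerShell to the 64-bit and the 32-bit (Wow6432Node) .NET keys, read back, and verified from a fresh process. It also sets `SystemDefaultTlsVersions`, the companion value for .NET 4.6 and later that makes .NET follow the operating system's Schannel protocol list. The script must run elevated, and the BizTalk host instances have to be restarted afterwards, because a .NET process reads these values once at start.

```powershell
# Added example: set and verify the .NET Framework strong-crypto registry values
# for both bitnesses. No placeholders; these are the documented key paths.

$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit processes
)

function Set-DotNetStrongCrypto {
    param([string[]]$Paths = $DotNetKeys)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # SchUseStrongCrypto = 1: HttpWebRequest/WCF stop defaulting to SSL3/TLS 1.0
        # and offer TLS 1.1/1.2 without a code change (the registry counterpart of
        # ServicePointManager.SecurityProtocol). -Force makes this idempotent.
        New-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
        # SystemDefaultTlsVersions = 1 (.NET 4.6+): use whatever Schannel has
        # enabled, so a later OS-level "disable TLS 1.1" is honoured as well.
        New-ItemProperty -Path $path -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-DotNetStrongCrypto {
    param([string[]]$Paths = $DotNetKeys)
    foreach ($path in $Paths) {
        $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $path
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
        }
    }
}

Set-DotNetStrongCrypto
Get-DotNetStrongCrypto | Format-Table -AutoSize

# Proof from a NEW process (the values are read at AppDomain start, so the
# current session still shows the old default). On a .NET 4.5/4.6 runtime this
# typically prints "Ssl3, Tls" before the change and "Tls, Tls11, Tls12" after;
# .NET 4.7 and later print "SystemDefault".
powershell.exe -NoProfile -Command '[Net.ServicePointManager]::SecurityProtocol'
```

Writing both keys matters for BizTalk because host instances can be 32-bit, and a 32-bit process reads the `Wow6432Node` key only.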
I have an Android app that talks to a .net web service via HTTP over TLS using a self-signed server certificate. Now I am trying to figure out how I can accomplish similar things (import the server certificate into the app and use HTTP GET to talk to the .net web service) on a Blackberry phone.
Reading an article Blackberry support for HTTPS, my impression was that it might be more complex than in Android (for example, having Enterprise server and MDS between a phone and web server). Can I use Direct TCP Connection?
You can use
import javax.microedition.io.*; // Connector and HttpsConnection (Java ME / BlackBerry)
HttpsConnection cons = (HttpsConnection) Connector.open("https://xyz.com");