Background

Depending on the version of the Microsoft .NET Framework you have installed, and the version of .NET the application targets, you may need to modify your computer before it can connect to a web service that uses TLS 1.2 or later. This is because, by default, Microsoft .NET 4.6 and earlier use TLS 1.1 regardless of which TLS versions are available and which the server supports.

We have been reluctant to hard-code TLS 1.2 in our code because that would prevent it from using TLS 1.3 in the future. Similarly, targeting .NET 4.7 in our code would prevent some versions of Windows from running the application, even though they support TLS 1.2.

Solution using .Config Files

The easiest solution in most cases (as long as the application is an .EXE, not an embedded .DLL that runs inside some other process) is to find the application's .config file and make a small change.

For example, if your application is called MyApplication.exe, open MyApplication.exe.config and add the following lines:

<configuration>
  ...
  <runtime>
    <!-- Let the runtime negotiate the operating system's default TLS versions
         instead of the hard-coded .NET defaults -->
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=false"/>
  </runtime>
  ...
</configuration>

This only works if the application already uses .NET 4.5 or later, and it does not work on Windows 7 or older.

Solution using PowerShell

To let code use the latest version of TLS (e.g. 1.2), the following registry changes may be needed:

  • Open PowerShell and check which protocols are currently enabled by default by running [Net.ServicePointManager]::SecurityProtocol
  • From an elevated PowerShell prompt (the keys live under HKLM), run the following two cmdlets to set the .NET Framework strong-cryptography registry values:
  • Set strong cryptography for .NET Framework 4.x under the Wow6432Node key (used by 32-bit applications on 64-bit Windows):
  • Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
  • Set strong cryptography for .NET Framework 4.x under the native key (64-bit applications, and all applications on 32-bit Windows):
  • Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
  • Restart PowerShell (the value is read when the runtime starts) and check the enabled protocols again with [Net.ServicePointManager]::SecurityProtocol

It should now display Tls12 as well.

Solution using RegEdit Directly

There are a number of Windows Registry keys that must be set to enable TLS 1.2 in existing .NET applications without explicitly setting the protocol version in application code.

To make .NET 4.x code select the strongest available protocol by default (i.e. when a protocol is not explicitly specified in code), the following registry values are needed:

  • On 32-bit and 64-bit versions of Windows: HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto = DWORD 0x00000001
  • On 64-bit versions of Windows only: HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto = DWORD 0x00000001

The WOW6432Node value is needed to enable TLS 1.2 in 32-bit applications when run on 64-bit systems.
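The following PowerShell function is an added example, not part of the original article: it audits the SchUseStrongCrypto value in both registry views described in the PowerShell and RegEdit sections above, reports the default SecurityProtocol of the running process, and only writes the keys when the -Fix switch is given. The function name and the -Fix switch are my own choices; -Fix performs the same Set-ItemProperty change as the cmdlets above and therefore needs an elevated prompt.

```powershell
# Added example (not from the original article): audit the SchUseStrongCrypto
# values described above. Read-only unless -Fix is given; writing under HKLM
# needs an elevated PowerShell prompt. Function name and -Fix are assumptions.
function Get-DotNetStrongCryptoState {
    [CmdletBinding()]
    param([switch]$Fix)

    # Native view (64-bit apps, and every app on 32-bit Windows) and the
    # WOW6432Node view used by 32-bit .NET apps on 64-bit Windows.
    $views = [ordered]@{
        'Native'      = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
        'WOW6432Node' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    }

    foreach ($label in $views.Keys) {
        $path = $views[$label]
        # Key absent: 32-bit Windows has no WOW6432Node, or .NET 4.x is not installed
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ View = $label; Path = $path; SchUseStrongCrypto = 'key missing'; Compliant = $false }
            continue
        }
        # $null when the value has never been created (the runtime treats that as 0)
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).SchUseStrongCrypto
        $ok = ($value -eq 1)
        if ($Fix -and -not $ok) {
            # Same change as the cmdlets in the PowerShell section above
            Set-ItemProperty -Path $path -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
            $value = 1
            $ok = $true
        }
        [pscustomobject]@{
            View               = $label
            Path               = $path
            SchUseStrongCrypto = $(if ($null -eq $value) { 'not set' } else { $value })
            Compliant          = $ok
        }
    }
}

Get-DotNetStrongCryptoState | Format-Table -AutoSize

# The registry is read when the runtime starts, so this reflects the state at
# launch; open a new PowerShell window after changing the keys and re-check.
'Default SecurityProtocol for this process: {0}' -f [Net.ServicePointManager]::SecurityProtocol
```

Run it once before and once (in a fresh window) after applying the change; a row with Compliant = False, or a SecurityProtocol line without Tls12, tells you which view still needs the value.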