Coming late to the game, but I've often saw, in the TLS 1.0 & 1.1 deprecation era, people disabling these protocols by simply doing the following:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12
Sure, it will work, but this line of code is far from ideal and is not friendly maintainability wise. Reasons around that:
Microsoft recommends to do otherwise and I'll admit it's quite simpler this way than the other around. All in all, what you need inside your app configuration is the following:
<appSettings>
<add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSchUseStrongCrypto" value="false" />
<add key="AppContext.SetSwitch:Switch.System.Net.DontEnableSystemDefaultTlsVersions" value="false" />
</appSettings>
This instructs your app to use the system recommended cyphers and TLS versions when your app is doing secure communications. So, without changing a single line of code, you're asking .NET to follow the system recommendations, not his.
Keep in mind, per the documentation of Microsoft, these settings will have an impact on certain .NET Fx targets:
DontEnableSchUseStrongCrypto
, applications compiled using a target framework lower than 4.6 are impactedDontEnableSystemDefaultTlsVersions
, targets lower than .NET 4.7 are impactedOtherwise, by default, these configurations are disabled. This means they use the recommended TLS version and strong cryptos.
Another thing to point out, certain third-party libraries, compiled using old .NET targets will also be impacted. Say, by example, you have added a NuGet package targeting only .NET 4.5, well these settings are also impacting your reference. If by any way it's using TLS, the library will also use the system recommended versions. By experience, this also applies even though your app is compiled using a recent .NET target (e.g., 4.7.2). So, if you're not specifying the flags and that you're referencing a third-party library compiled with an older target, you should also specify the flags, as the library otherwise will fallback in using the wrong TLS version and cyphers.