SSL and legacy TLS (1.0 and 1.1) for web service client application on .Net 3.5

According to PCI, we must stop using SSL and TLS (1.0 and 1.1 in a specific implementation) from June 30, 2016 (see http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html).

We have a client application built on .Net 3.5 that uses the HttpWebRequest object to connect to web services.

According to MSDN, SecurityProtocolType ( https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx ) only supports Ssl3 and Tls (1.0) on .Net Framework 4 or lower. Tls11 and Tls12 are only supported in .Net Framework 4.5 / 4.6.

Does this mean that, to be fully PCI compliant inside the cardholder data environment, we need to update all applications to .Net 4.5 / 4.6 and only allow the Tls12 SecurityProtocolType to connect to external web services using HttpWebRequest?

+11
c# ssl pci-compliance
Jul 09 '15 at 12:19
3 answers

Any communication channel that currently uses SSL / early TLS, or that is willing to accept them during negotiation, and that is part of the cardholder data environment as a security control, needs to be changed so that it uses only TLS 1.1 (with an approved cipher suite) or higher.

You need to recompile to .Net 4.5 or higher (TLS 1.2 is not enabled by default, therefore code changes are necessary) or use a third-party library that supports the required protocols.

Please note that if you know that your system uses SSL / early TLS, you must create a risk reduction plan / document.

INFORMATION SUPPLEMENT: Migrating from SSL and Early TLS

+2
Jul 09 '15 at 16:14

Actually, you can use TLS 1.2 in Frameworks below 4.5 (at least I succeeded in the .NET Framework 4 client). Instead of using the classic command to set the protocol as Tls12, you can bypass it using the identifier for this protocol.

// 3072 (0x0C00) is the numeric value of SecurityProtocolType.Tls12
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
+4
Jan 25 '17 at 16:30
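
The numeric-value approach from the answer above, wrapped so that the client fails closed instead of falling back to a legacy protocol. This is an added example, not code from the original answers; the class name Tls12Only, the command-line URL argument, and the NotSupportedException handling for runtimes without TLS 1.2 support are assumptions.

```csharp
using System;
using System.Net;

static class Tls12Only
{
    // 3072 (0x0C00) is the numeric value of SecurityProtocolType.Tls12; the
    // enum has no named member for it before .NET 4.5, hence the cast.
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Returns true only if the runtime accepted a TLS 1.2-only setting.
    public static bool TryEnable()
    {
        try
        {
            // Assign instead of OR-ing into the current value: keeping
            // Ssl3 / Tls (1.0) in the mask leaves them open to negotiation.
            ServicePointManager.SecurityProtocol = Tls12;
        }
        catch (NotSupportedException)
        {
            // Assumption: a runtime without TLS 1.2 support rejects the value.
            return false;
        }
        return ServicePointManager.SecurityProtocol == Tls12;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: Tls12Only <https-url>"); return 2; }
        if (!TryEnable())
        {
            // Fail closed rather than fall back to SSL 3.0 / TLS 1.0.
            Console.Error.WriteLine("TLS 1.2 unavailable in this runtime; not connecting.");
            return 1;
        }
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(args[0]);
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("{0} {1}", (int)resp.StatusCode, resp.ResponseUri);
            return 0;
        }
        catch (WebException ex)
        {
            // A server that cannot negotiate TLS 1.2 ends up here.
            Console.Error.WriteLine("Request failed ({0}): {1}", ex.Status, ex.Message);
            return 3;
        }
    }
}
```

ServicePointManager.SecurityProtocol is process-wide, so set it once at startup before any request is created.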

Microsoft has done the unthinkable and published fixes for this.

  • KB3154518 - Reliability Rollup HR-1605 - NDP 2.0 SP2 - Win7 SP1 / Win 2008 R2 SP1
  • KB3154519 - Reliability Rollup HR-1605 - NDP 2.0 SP2 - Win8 RTM / Win 2012 RTM
  • KB3154520 - Reliability Rollup HR-1605 - NDP 2.0 SP2 - Win8.1 RTM / Win 2012 R2 RTM
  • KB3156421 - 1605 HotFix Rollup through Windows Update for Windows 10.
+1
Nov 30 '16 at 13:19