Do I need to enforce TLS 1.2 in my ASP.NET 4.6 application?

Question

Do I need to enforce TLS 1.2 in my ASP.NET 4.6 application?

We have a third party API that will be using TLS 1.2 shortly.

We have two separate applications that connect to this API, a console application and an ASP.NET web application written in C #.

I have redirected my console application to use .NET 4.6, which is also installed on the host machine. I added this at the top Main

.

private static void Main(string[] args)
{
    // Enable TLS 1.2
    ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

   // Disable old protocols
   ServicePointManager.SecurityProtocol &= ~(SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11);

    ...

}

I'm sure this is sufficient for a console application as it only has one entry point.

However, I am confused about what I need to do for an ASP.NET web application.

First, it consisted of 3 projects. Two are class libraries for the framework and service layer respectively, the third is an ASP web application for the user interface. I went through each of them and targeted them at .NET 4.6.
From what I've read, this sounds like all I need to do as the highest protocol will be negotiated by default.

Am I correct?

If I'm wrong, where can I add the same line from the console application? Global.asax?

+3

c # asp.net .net-4.6 tls1.2

Equalsk Apr 18 17 at 10:43

source to share

1 answer

Patrick hofman · Accepted Answer · 2017-04-18T10:52:44+0000

Since it ServicePointManager.SecurityProtocol

is static

, you only need to configure it once for each application. This would mean that it is enough to put this code into an event Application_Start

.

Do I need to enforce TLS 1.2 in my ASP.NET 4.6 application?

More articles: