Using TLS 1.2 in C#

By FoxLearn 12/27/2024 2:22:43 AM
.NET Framework 4.0 (and earlier versions) supports SSL 3.0 and TLS 1.0, with TLS 1.0 being the successor of SSL 3.0.

These protocols are commonly used in conjunction with the HTTPS protocol. To illustrate this, let's look at an example where we make an HTTPS request using WebRequest.

The following code snippet sends an HTTPS request to a website (e.g., https://www.example.com), assuming the application is compiled with .NET 4.0.

using System.Diagnostics;
using System.IO;
using System.Net;

string url = "https://www.example.com";
var req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "GET";

string output;
// Dispose the response and the reader so the connection is released.
using (var resp = req.GetResponse())
using (var rdr = new StreamReader(resp.GetResponseStream()))
{
    output = rdr.ReadToEnd();
}
Debug.WriteLine(output);

To observe the HTTPS communication, you can use a tool like Fiddler. When inspecting the web response in Fiddler, you'll notice that TLS 1.0 is being used for the communication.

Figure: TLS 1.0 response in the Fiddler capture.

However, it's important to note that SSL 3.0 and TLS 1.0 are vulnerable to the POODLE attack, a type of man-in-the-middle (MITM) attack. Therefore, if your .NET 4.0 application handles sensitive data such as credit card transactions, you should consider upgrading to .NET 4.5 or higher.

.NET 4.5 and later versions support TLS 1.1 and TLS 1.2, neither of which is vulnerable to the POODLE attack. However, simply upgrading to .NET 4.5 will not automatically switch your application to TLS 1.2.

This is because the default protocol for these versions is still TLS 1.0. To enable TLS 1.2 (and TLS 1.1 if desired), you need to explicitly set the SecurityProtocol property before making any WebRequest calls.

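// ServicePointManager is static, so this applies to every later request in the application.
// Set it once, before the first WebRequest call.
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;

var req = (HttpWebRequest)WebRequest.Create(url);
req.Method = "GET";
// ...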

Now, when you inspect the web response in Fiddler, you will see that TLS 1.2 is being used.

Figure: TLS 1.2 response in the Fiddler capture.

It’s generally acceptable to include TLS 1.0 along with TLS 1.1 and TLS 1.2 in your configuration. This is because the client will negotiate with the server to select the highest protocol version that both the client and server support. As long as the server supports TLS 1.1 or TLS 1.2, the client will automatically use those protocols, ensuring a more secure connection.
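
The negotiation described above can also be checked in code rather than in a Fiddler capture. The following is an added example, not code from the original article: it offers different protocol sets through SslStream and prints the version each handshake selected. It assumes .NET 4.5 or later and network access to www.example.com on port 443; the TlsProbe class and Negotiate method are hypothetical names.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe   // hypothetical helper, not part of the article
{
    // Offers the given protocol set to host:port and returns the version
    // that the handshake actually selected.
    static SslProtocols Negotiate(string host, int port, SslProtocols offered)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            // Default certificate validation stays in effect; revocation checking is on.
            ssl.AuthenticateAsClient(host, null, offered, true);
            return ssl.SslProtocol;
        }
    }

    static void Main()
    {
        const string host = "www.example.com"; // assumption: reachable test host
        var sets = new[]
        {
            SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12, // TLS 1.0 kept in the list
            SslProtocols.Tls11 | SslProtocols.Tls12,                    // setting shown in the article
            SslProtocols.Tls                                            // what a TLS 1.0-only client offers
        };
        foreach (var offered in sets)
        {
            try
            {
                SslProtocols used = Negotiate(host, 443, offered);
                Console.WriteLine("offered {0} -> negotiated {1}", offered, used);
                if (used < SslProtocols.Tls12)
                    Console.WriteLine("  warning: connection is below TLS 1.2");
            }
            catch (Exception ex)
            {
                // Typically AuthenticationException or IOException when the
                // server accepts none of the offered versions.
                Console.WriteLine("offered {0} -> failed ({1})", offered, ex.GetType().Name);
            }
        }
    }
}
```

If the server no longer accepts TLS 1.0, the last probe fails instead of negotiating, while the first two report the same version.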