How to fix TLS/SSL handshake failure on Windows Server 2012 R2. Couldn't send emails through the web application on the server (couldn't connect to the Office365 email server).
Useful links:
Transport Layer Security (TLS) best practices with the .NET Framework
Enable outbound TLS 1.1 and 1.2 on Windows Server
TLS1.2 IN .NET FRAMEWORK 4.0 (4.5 NOT INSTALLED, solution in the thread works!!!!!)
What does “The TLS protocol defined fatal alert code is 70” mean?
What I have tried:
- Re-purchase / re-issue the SSL certificate on the server and related domain (registered through )
- Download .NET Framework patches (install what you can install)
- Apply best practice in IISCrypto and reset IIS
- Delete the wrong 0.0.0.0:8443 port binding and add the same hash key as the 433 port
- Add SchUseStrongCrypto in the registry under:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Add to code: ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xC00; // 0xC00 = 3072 = Tls12
- Add protocols TLS 1.0 and TLS 2.0 to the registry as follows (manually or through IISCrypto.exe), where XXXXX is the protocol name:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\XXXXX\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\XXXXX\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
- Add the following before the HTTPS request:
Framework 4.0 and later, add:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Framework 4.0, add:
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
- Instead of hard-coding one specific protocol, use the enum with |= so the other protocols needed stay enabled:
System.Net.ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
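A combined check for the registry and code steps in the list above, as an added example that is not from the original post. It assumes it runs on the server under an account that can read HKLM, uses the standard SCHANNEL subkey names "TLS 1.0", "TLS 1.1" and "TLS 1.2" where the list writes XXXXX, and treats the SMTP host, port, addresses and credentials in Main as placeholders to replace. The numeric casts keep it compiling on a .NET 4.0 toolset where the Tls11/Tls12 members are absent; they only take effect if .NET 4.5 is installed.

```csharp
using System;
using System.Net;
using System.Net.Mail;
using Microsoft.Win32;

// Added example, not code from the original post: verify the registry
// settings listed above, then enable TLS 1.1/1.2 for this process and send
// one test message. Values marked "placeholder" must be replaced.
static class TlsPreflight
{
    // Numeric values from the SecurityProtocolType reference; casting the
    // literals compiles even where the enum members do not exist.
    const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Reads SchUseStrongCrypto from the requested registry view so a 32-bit
    // app pool sees the Wow6432Node key and a 64-bit one sees the native key,
    // without WOW64 redirection getting in the way.
    public static bool StrongCryptoEnabled(RegistryView view)
    {
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = hklm.OpenSubKey(@"SOFTWARE\Microsoft\.NETFramework\v4.0.30319"))
        {
            return key != null && Convert.ToInt32(key.GetValue("SchUseStrongCrypto", 0)) == 1;
        }
    }

    // Reports the client-side SCHANNEL switch for one protocol. A missing key
    // or value means the OS default applies (TLS 1.0-1.2 are enabled on 2012 R2).
    public static string SchannelClientState(string protocol)
    {
        string path = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\" + protocol + @"\Client";
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(path))
        {
            if (key == null) return "not set (OS default)";
            int enabled = Convert.ToInt32(key.GetValue("Enabled", 1));
            int disabledByDefault = Convert.ToInt32(key.GetValue("DisabledByDefault", 0));
            return enabled != 0 && disabledByDefault == 0 ? "enabled" : "disabled";
        }
    }

    // Adds TLS 1.1 and 1.2 to whatever is already enabled (the |= form from
    // the list above) instead of replacing the current mask.
    public static SecurityProtocolType EnableTls11And12()
    {
        ServicePointManager.SecurityProtocol |= Tls11 | Tls12;
        return ServicePointManager.SecurityProtocol;
    }

    // Sends one message. EnableTls11And12 must run before this call, because
    // the mask is consulted when the connection is negotiated.
    public static void SendTestMail(string host, int port, string from, string to, string user, string password)
    {
        using (var client = new SmtpClient(host, port))
        {
            client.EnableSsl = true; // STARTTLS on the submission port
            client.Credentials = new NetworkCredential(user, password);
            client.Send(new MailMessage(from, to, "TLS preflight", "sent after enabling TLS 1.1/1.2"));
        }
    }

    static void Main()
    {
        Console.WriteLine("SchUseStrongCrypto 64-bit: " + StrongCryptoEnabled(RegistryView.Registry64));
        Console.WriteLine("SchUseStrongCrypto 32-bit: " + StrongCryptoEnabled(RegistryView.Registry32));
        foreach (string p in new[] { "TLS 1.0", "TLS 1.1", "TLS 1.2" })
            Console.WriteLine("SCHANNEL " + p + " client: " + SchannelClientState(p));

        SecurityProtocolType mask = EnableTls11And12();
        Console.WriteLine("SecurityProtocol now: " + (int)mask
            + " (TLS 1.2 bit set: " + ((mask & Tls12) == Tls12) + ")");

        // Placeholder host, port, addresses and credentials; replace before use.
        // SendTestMail("smtp.office365.com", 587, "sender@example.com", "rcpt@example.com", "sender@example.com", "<password>");
    }
}
```

Run it from the same bitness as the application pool: if the 32-bit view reports SchUseStrongCrypto as false while the 64-bit view reports true, a 32-bit site is still using the old defaults even though the native key looks correct.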
The default System.Net.ServicePointManager.SecurityProtocol in both .NET 4.0/4.5 is SecurityProtocolType.Tls | SecurityProtocolType.Ssl3. .NET 4.0 supports up to TLS 1.0 while .NET 4.5 supports up to TLS 1.2. However, an application targeting .NET 4.0 can still support up to TLS 1.2 if .NET 4.5 is installed in the same environment. .NET 4.5 installs on top of .NET 4.0, replacing System.dll.
SecurityProtocolType Enum (Reference)
Definition
Namespace: System.Net
Assembly: System.Net.ServicePoint.dll
Specifies the security protocols that are supported by the Schannel security package.
This enumeration supports a bitwise combination of its member values.
C#
[System.Flags]
public enum SecurityProtocolType
Inheritance: Enum → SecurityProtocolType
Attributes: FlagsAttribute
Fields
Name | Value | Description |
Ssl3 | 48 | Specifies the Secure Socket Layer (SSL) 3.0 security protocol. SSL 3.0 has been superseded by the Transport Layer Security (TLS) protocol and is provided for backward compatibility only. |
SystemDefault | 0 | Allows the operating system to choose the best protocol to use, and to block protocols that are not secure. Unless your app has a specific reason not to, you should use this value. |
Tls | 192 | Specifies the Transport Layer Security (TLS) 1.0 security protocol. The TLS 1.0 protocol is defined in IETF RFC 2246. |
Tls11 | 768 | Specifies the Transport Layer Security (TLS) 1.1 security protocol. The TLS 1.1 protocol is defined in IETF RFC 4346. On Windows systems, this value is supported starting with Windows 7. |
Tls12 | 3072 | Specifies the Transport Layer Security (TLS) 1.2 security protocol. The TLS 1.2 protocol is defined in IETF RFC 5246. On Windows systems, this value is supported starting with Windows 7. |
Tls13 | 12288 | Specifies the TLS 1.3 security protocol. The TLS protocol is defined in IETF RFC 8446. |
Remarks
This enumeration defines the set of values that you can use to specify which transport security protocol to use. It is the enumerated type for the SecurityProtocol property. Use this enumeration to determine your transport security protocol policy when you’re using HTTP APIs in the .NET Framework such as WebClient, HttpWebRequest, HttpClient, and SmtpClient (when using TLS/SSL).
The Transport Layer Security (TLS) protocols assume that a connection-oriented protocol, typically TCP, is in use.
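To make the numeric values in the table concrete, here is an added example (not part of the Microsoft reference above) that decodes a SecurityProtocolType mask into member names and shows why two successive plain assignments keep only the last protocol while |= accumulates them. It uses the numeric values from the table so it also compiles against .NET 4.0, where the Tls11/Tls12/Tls13 members do not exist; the constant table and the helper names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example, not from the reference above: decode a flags mask built
// from the values in the Fields table and compare "=" with "|=".
static class ProtocolMask
{
    // Value/name pairs taken from the Fields table (constructed lookup table).
    static readonly KeyValuePair<int, string>[] Bits =
    {
        new KeyValuePair<int, string>(48, "Ssl3"),
        new KeyValuePair<int, string>(192, "Tls"),
        new KeyValuePair<int, string>(768, "Tls11"),
        new KeyValuePair<int, string>(3072, "Tls12"),
        new KeyValuePair<int, string>(12288, "Tls13"),
    };

    // Lists every member whose bits are all present in the mask. A mask of 0
    // is SystemDefault: the OS chooses, so no explicit protocol is listed.
    public static List<string> Decode(SecurityProtocolType mask)
    {
        var names = new List<string>();
        int value = (int)mask;
        if (value == 0)
        {
            names.Add("SystemDefault");
            return names;
        }
        foreach (var bit in Bits)
            if ((value & bit.Key) == bit.Key) names.Add(bit.Value);
        return names;
    }

    // Two assignments in a row: the second replaces the first, so TLS 1.2 is lost.
    public static SecurityProtocolType AssignTwice()
    {
        SecurityProtocolType p = (SecurityProtocolType)3072; // Tls12
        p = (SecurityProtocolType)768;                       // Tls11 only
        return p;
    }

    // OR-ing accumulates: both protocols remain in the mask.
    public static SecurityProtocolType OrTogether()
    {
        SecurityProtocolType p = (SecurityProtocolType)3072; // Tls12
        p |= (SecurityProtocolType)768;                      // adds Tls11
        return p;
    }

    static void Main()
    {
        // The .NET 4.0/4.5 default is Tls | Ssl3, i.e. 192 + 48 = 240.
        Console.WriteLine("default 240: " + string.Join(", ", Decode((SecurityProtocolType)240)));
        Console.WriteLine("assign twice: " + string.Join(", ", Decode(AssignTwice())));
        Console.WriteLine("or together: " + string.Join(", ", Decode(OrTogether())));
        // SystemDefault is 0, so OR-ing it into a mask changes nothing; to hand
        // the choice to the OS you must assign 0 on its own.
        Console.WriteLine("0 | 3072: " + string.Join(", ", Decode((SecurityProtocolType)0 | (SecurityProtocolType)3072)));
    }
}
```

Decode is also a quick way to read the value an application actually ends up with when several libraries each set ServicePointManager.SecurityProtocol: the last plain assignment wins for the whole process, which is why the |= form is safer in shared code.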
If you are not able to add a property to the System.Net class library, then add this in the Global.asax file:
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;  //TLS 1.2
ServicePointManager.SecurityProtocol |= (SecurityProtocolType)768;  //TLS 1.1 (|= keeps TLS 1.2 enabled as well)
And you can use it in a function, at the starting line:
ServicePointManager.SecurityProtocol = (SecurityProtocolType)768 | (SecurityProtocolType)3072;
And it is useful for the STRIPE payment gateway, which only supports TLS 1.1 and TLS 1.2.
EDIT: After so many questions about whether .NET 4.5 is installed on my server or not… here is the screenshot of the Registry on my production server:
I have only .NET Framework 4.0 installed.