Cannot connect to a server by using the ServicePointManager or SslStream APIs after upgrade to the .NET Framework 4.6

Symptoms
Assume that you have upgraded to Microsoft .NET Framework 4.6 on your computer. When you use an application that uses SSL 3.0 together with ServicePointManager or SslStream APIs to connect to a server, the connection fails.
Cause
This issue occurs because the default set of SSL/TLS protocols that is used by ServicePointManager and SslStream was changed.

Old value: Ssl 3.0 | Tls 1.0 | Tls 1.1

New value: Tls 1.0 | Tls 1.1 | Tls 1.2

Workaround
To work around this issue, update the server to support Tls 1.0, Tls 1.1, or Tls 1.2. SSL 3.0 has been shown to be insecure and vulnerable to attacks such as POODLE.

Note If you cannot update the server, use the AppContext class to opt out of this feature. To do this, use one of the following methods:
  • Programmatically: This must be the very first thing the application does, because ServicePointManager initializes only once. Use the following code example in your application:
    // Class-level constants: the switch names to set.
    private const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
    private const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";

    // Run these calls at application startup, before any ServicePointManager or SslStream use.
    AppContext.SetSwitch(DisableCachingName, true);
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);
  • By using the app.config file for your application: Add the following line to the app.config file:
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>
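
A diagnostic for confirming the cause before applying the opt-out, given here as an added example that is not code from the original article: it reports whether the opt-out switch is set in the current process and attempts one handshake per protocol in the new default set. The class name TlsProbe and the endpoint server.example.com:443 are assumptions; pass the real host and port on the command line.

```csharp
// Added example (hypothetical TlsProbe.cs). Build against the .NET Framework 4.6.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Switch name taken from the article.
    const string StrongCryptoOptOut = "Switch.System.Net.DontEnableSchUseStrongCrypto";

    // Attempt one handshake restricted to 'allowed' and describe the outcome.
    static string Probe(string host, int port, SslProtocols allowed)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // Default certificate validation stays on; revocation is checked.
                ssl.AuthenticateAsClient(host, null, allowed, true);
                return ssl.SslProtocol + " / " + ssl.CipherAlgorithm + " / " + ssl.HashAlgorithm;
            }
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException || ex is SocketException)
        {
            return "failed: " + ex.Message;
        }
    }

    static void Main(string[] args)
    {
        // Placeholder endpoint (assumption); override with real values.
        string host = args.Length > 0 ? args[0] : "server.example.com";
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        bool optedOut;
        AppContext.TryGetSwitch(StrongCryptoOptOut, out optedOut);
        Console.WriteLine("Opt-out switch set: " + optedOut);
        Console.WriteLine("ServicePointManager default: " + ServicePointManager.SecurityProtocol);

        // Try each protocol of the new default set on its own.
        foreach (var p in new[] { SslProtocols.Tls12, SslProtocols.Tls11, SslProtocols.Tls })
            Console.WriteLine(p + ": " + Probe(host, port, p));
    }
}
```

If all three attempts fail during the handshake, the server offers none of the protocols in the new default set and needs the upgrade described above. If any attempt succeeds, the opt-out is not needed for that server.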


For more information about the known issues in the .NET Framework 4.6, see Known issues for the .NET Framework 4.6.
More information
For more information about the product versioning changes and impact in the .NET Framework 4.6, see Application Compatibility in the .NET Framework 4.6.

Notes
  • The new configuration will only apply when the application is targeting the .NET Framework 4.6. The .NET Framework 4.5.2 and earlier versions will not be affected even if they run in a .NET Framework 4.6 environment.
  • A list of affected top-level APIs:
    • HttpClient, HttpWebRequest
    • FtpClient
    • SmtpClient
    • SslStream
  • SCH_USE_STRONG_CRYPTO: This flag is used automatically in the .NET Framework 4.6 and affects behavior by removing unsafe cryptographic and hashing algorithms. For all operating system platforms earlier than Windows 10, the RC4 algorithm will be removed from use. From Windows 10, the following additional unsafe algorithms will be removed: DES, NULL, EXPORT, and MD5.

Properties

Article ID: 3069494 - Last Review: 07/20/2015 15:53:00 - Revision: 2.0

Microsoft .NET Framework 4.6
