
Support for TLS v1.2 included in the .NET Framework version 3.5.1

The .NET Framework version 3.5.1 and earlier did not provide support for applications to use Transport Layer Security (TLS) v1.2 as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5.1.
Resolution

Download information

The following files are available for download from the Microsoft Download Center:

  • Download the x86-based package now.
  • Download the x64-based package now.
  • Download the IA64-based package now.

We have made two improvements in this area:
  • We have added the SslProtocolsExtensions enumeration that you can use as an option for setting TLS v1.2 for the ServicePointManager.SecurityProtocol property when targeting .NET Framework version 3.5.1. (See the Developer Guidance section for information on how to use the extensions.)
  • In addition, the following registry value can be set so that a managed application running on the computer uses the operating system defaults for the transport security protocol rather than the hardcoded .NET Framework defaults.
    Key:   HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\v2.0.50727
    Value: SystemDefaultTlsVersions
    Type:  DWORD
    Data:  1

    In .reg file form:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001

    Note If the application has set ServicePointManager.SecurityProtocol to a specific value in code or through config files, or uses the SslStream.AuthenticateAs* APIs with a specific SslProtocols enum value, the registry setting has no effect.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Developer Guidance
The definitions of the new extensions are in the following files:
  • SecurityProtocolTypeExtensions.cs
    namespace System.Net
    {
        using System.Security.Authentication;

        public static class SecurityProtocolTypeExtensions
        {
            public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;
            public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;
            public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;
        }
    }
  • SslProtocolsExtensions.cs
    namespace System.Security.Authentication
    {
        public static class SslProtocolsExtensions
        {
            public const SslProtocols Tls12 = (SslProtocols)0x00000C00;
            public const SslProtocols Tls11 = (SslProtocols)0x00000300;
        }
    }
To add support for TLS v1.2, include the source files in your project and then set the protocol version in one of the following ways:
  • Applications that are using ServicePointManager-based APIs can set the protocol as follows:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
  • Applications that are using the SslStream AuthenticateAsClient(String, X509CertificateCollection, SslProtocols, Boolean) overload can set the SslProtocols value to SslProtocolsExtensions.Tls12.
If the registry key mentioned in the first paragraph is set and the application sets the SslProtocols value to SslProtocols.None, the system default behavior is chosen, which depends on the Windows operating system version.

Also, when you change the application code to enable support for TLS v1.2 with .NET Framework 3.5.1, make sure that the application handles the following exceptions, which are thrown on computers where this patch is not deployed:
  1. If the hotfix is not installed, ServicePointManager-based APIs (HTTP, FTP, SMTP) will throw "System.NotSupportedException: The requested security protocol is not supported." when the application calls ServicePointManager.SecurityProtocol to set the new value.
  2. If the hotfix is not installed, SslStream-based APIs will throw when calling either of the AuthenticateAs* APIs:
    System.ArgumentException: The specified value is not valid in the 'SslProtocolType' enumeration.
    Parameter name: sslProtocolType
Note For SslStream only, a combination of Tls12, Tls11 with any of the existing Tls, Ssl3, Ssl2 (for example: Tls12 | Tls11 | Tls) will silently downgrade to the existing protocols (for example: Tls) on a system without the patch. It will connect with Tls without throwing the exception.
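The following is an added example, not code from the original article, that handles both exceptions listed above and avoids the silent downgrade by requesting Tls12 alone and checking the negotiated protocol. It assumes the two extension source files from this article are compiled into the project; the class and method names are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example. Assumes the article's SecurityProtocolTypeExtensions.cs and
// SslProtocolsExtensions.cs are compiled into the project.
public static class Tls12Setup   // hypothetical class name
{
    // Returns false on a computer without the update instead of crashing.
    public static bool TryEnableTls12()
    {
        try
        {
            ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
            return true;
        }
        catch (NotSupportedException)
        {
            // "The requested security protocol is not supported."
            return false;
        }
    }

    // Requests Tls12 alone; OR-ing in Tls would silently downgrade when unpatched.
    public static SslStream ConnectTls12(string host, int port)
    {
        TcpClient tcp = new TcpClient(host, port);
        SslStream ssl = new SslStream(tcp.GetStream(), false);
        try
        {
            ssl.AuthenticateAsClient(host, new X509CertificateCollection(),
                                     SslProtocolsExtensions.Tls12, true);
            // Verify what was negotiated rather than trusting the request.
            if (ssl.SslProtocol != SslProtocolsExtensions.Tls12)
                throw new AuthenticationException("Negotiated " + ssl.SslProtocol);
            return ssl;
        }
        catch
        {
            // Includes the ArgumentException raised when the update is missing.
            ssl.Close();
            tcp.Close();
            throw;
        }
    }
}
```

A caller that gets false from TryEnableTls12 can log that the update is missing and stop, rather than continuing with an older protocol.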

More information
If you have to disable the operating system defaults set by the registry key that is mentioned earlier for specific applications, you can do this by adding the following registry value:
    Key:   HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\v2.0.50727\System.Net.ServicePointManager.SystemDefaultTlsVersions
    Value: <<Full path of the .exe for the file>>
    Type:  DWORD
    Data:  0

    Example:
    C:\MyApp\MyApp.exe    DWORD    0
For more information about TLS v1.2, see Introducing TLS v1.2.

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 3154518 - Last Review: 05/17/2016 21:13:00 - Revision: 1.0

Microsoft .NET Framework 3.5.1

  • kbfix kbsurveynew kbexpertiseadvanced atdownload KB3154518