Symptoms

Assume that you have upgraded to Microsoft .NET Framework 4.6 on your computer. When you use an application that uses SSL 3.0 together with ServicePointManager or SslStream APIs to connect to a server, the connection fails.

Cause

This issue occurs because the default set of SSL/TLS protocols that is used by ServicePointManager and SslStream was changed.

Old value: Ssl 3.0 | Tls 1.0 | Tls 1.1

New value: Tls 1.0 | Tls 1.1 | Tls 1.2

Workaround

To work around this issue, update the server to Tls 1.0, Tls 1.1, or Tls 1.2 because SSL 3.0 has been shown to be insecure and vulnerable to attacks such as POODLE.

Note: If you cannot update the server, use the AppContext class to opt out of this feature. To do this, use one of the following methods:

  • Programmatically: Must be the very first thing the application does because ServicePointManager will initialize only once. Use the following code example in your application:

    // Disable caching of AppContext switch values, then opt out of the new defaults.
    private const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
    private const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";

    // Run these before any ServicePointManager or SslStream use.
    AppContext.SetSwitch(DisableCachingName, true);
    AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true);
  • By using the AppConfig file for your application: Add the following line to the AppConfig file:

    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>
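Because the AppConfig opt-out re-enables SSL 3.0 and the weak algorithms for the whole application, it is worth auditing deployed configuration files for it. The following is an added example, not Microsoft's code: it assumes the override value is a semicolon-separated list of name=value pairs, and the sample configurations and the Switch.Example.Other name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

OPT_OUT_SWITCH = "Switch.System.Net.DontEnableSchUseStrongCrypto"

# Constructed sample configs (not from any real application).
SAMPLE_OPTED_OUT = """<configuration>
  <runtime>
    <AppContextSwitchOverrides value="Switch.Example.Other=false;Switch.System.Net.DontEnableSchUseStrongCrypto=true" />
  </runtime>
</configuration>"""

SAMPLE_DEFAULT = """<configuration>
  <runtime>
    <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false" />
  </runtime>
</configuration>"""


def parse_switch_overrides(value):
    """Split 'name=value;name=value' into a dict of switch name -> bool."""
    switches = {}
    for pair in value.split(";"):
        name, sep, flag = pair.partition("=")
        if sep and name.strip():
            # Tolerant of case and whitespace so a near-miss is still flagged.
            switches[name.strip()] = flag.strip().lower() == "true"
    return switches


def opts_out_of_strong_crypto(config_xml):
    """True if the config sets the opt-out switch, False if not,
    None if the XML is malformed (flag for manual review)."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    for element in root.iter("AppContextSwitchOverrides"):
        if parse_switch_overrides(element.get("value", "")).get(OPT_OUT_SWITCH):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("opted out", SAMPLE_OPTED_OUT), ("default", SAMPLE_DEFAULT)):
        print(label, "->", opts_out_of_strong_crypto(text))
```

This check covers only the configuration-file method; the programmatic AppContext.SetSwitch call has to be found by reviewing source or binaries.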

For more information about the known issues in the .NET Framework 4.6, see Known issues for the .NET Framework 4.6.

More Information

For more information about the product versioning changes and impact in the .NET Framework 4.6, see Application Compatibility in the .NET Framework 4.6.

Notes

  • The new configuration will only apply when the application is targeting the .NET Framework 4.6. The .NET Framework 4.5.2 and earlier versions will not be affected even if they run in a .NET Framework 4.6 environment.

  • A list of affected top-level APIs:

    • HttpClient, HttpWebRequest

    • FtpClient

    • SmtpClient

    • SslStream

  • SCH_USE_STRONG_CRYPTO: This flag is going to be automatically used in the .NET Framework 4.6 and affects behavior by removing unsafe cryptographic and hashing algorithms. For all operating system platforms earlier than Windows 10, the RC4 algorithm will be removed from use. From Windows 10, the following additional unsafe algorithms will be removed: DES, NULL, EXPORT, and MD5.
