.NET, DevOps, Security, Systems, Web

.NET 4.5 and TLS 1.2

We were having an issue regarding WebRequests between Identity Server 3 (Web App .NET 4.5) and a new ADFS 4 (Web App) running on Windows Server 2016.

The IdentityServer 3 request failed with the semi-vague error:

Unable to get document from: https://host.com/adfs/.well-known/openid-configuration —> System.Net.Http.HttpRequestException: An error occurred while sending the request. —> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. —> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. —>
System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host   at System.Net.Sockets.Socket.EndReceive(IAsyncResult asyncResult)   at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)   — End of inner exception stack trace —   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) …

The error is a bit vague but with the CallStack we can figure out that there is a problem on TlsStream.EndWrite and from there we figured out that it was a failure in TLS Handshake.

What happens is that Applications (Web, Desktop, etc..) that are previous to .NET 4.6 when web requests are made (WebRequests, HttpClient, etc..)  they have by default a maximum of TLS 1.1 as possible ciphers and the HTTPS endpoint that we were calling only supported TLS >= 1.2

This Stack Overflow thread shows multiple ways of using the new 1.2 TLS version with .NET 4.xhttps://stackoverflow.com/questions/4137106/are-there-net-implementation-of-tls-1-2
In our case we decided to switch the Web App compilation to 4.6 and all compiled and the web requests to ADFS started working.

You can use SSLLabs to test HTTPS endpoints including checking which ciphers are available for clients to connect.

For the IT guys, that want to have your IIS servers hardened (without legacy ssl and tls protocols) there is a very cool tool that is IISCrypto
“IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.”