SSL and Outdated TLS(1.0 and 1.1) for Web Service client application on .Net 3.5

Nirlep · Jul 9, 2015 · Viewed 12.3k times

As per PCI, we need to stop using SSL and TLS (1.0 and 1.1 in certain implementations) from June 30th, 2016, as per http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html

We have a client application built on .NET 3.5 which uses the HttpWebRequest object to connect to web services.

As per MSDN, SecurityProtocolType (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx) supports only Ssl3 and Tls (1.0) on .NET Framework 4 or below. Tls11 and Tls12 are only supported in .NET Framework 4.5/4.6.

Does that mean that, to be inside the cardholder data environment and fully PCI compliant, we need to upgrade all applications to .NET 4.5/4.6 and allow only the Tls12 SecurityProtocolType to connect to external web services using HttpWebRequest?

Answer

tzes · Jan 25, 2017

Actually, you can use TLS 1.2 in Frameworks lower than 4.5 (at least I managed it in a .NET Framework 4 client). Instead of using the classic command in order to set the Protocol as Tls12, you can bypass it by using the id for this protocol.

  ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
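
A startup check built on the cast in the answer above, as an added example that is not part of the original answer: it assigns TLS 1.2 as the only allowed protocol and fails closed where the runtime rejects the value. The names `TlsPolicy` and `TryRequireTls12` are hypothetical, and the code assumes a runtime without TLS 1.2 support signals this by throwing `NotSupportedException` from the setter.

```csharp
using System;
using System.Net;

static class TlsPolicy
{
    // The Tls12 member is absent from the enum that .NET 3.5/4.0 compilers
    // see, so its numeric value (3072) is cast instead.
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Returns true only if outgoing connections are now restricted to TLS 1.2.
    public static bool TryRequireTls12(out string detail)
    {
        SecurityProtocolType before = ServicePointManager.SecurityProtocol;
        try
        {
            // Assign, do not OR: "before | Tls12" would leave Ssl3 and
            // Tls (1.0) enabled as fallbacks.
            ServicePointManager.SecurityProtocol = Tls12;
        }
        catch (NotSupportedException ex)
        {
            // Assumed failure mode: the runtime does not accept the value
            // and the previous setting stays in effect.
            detail = "TLS 1.2 rejected, still using " + before + ": " + ex.Message;
            return false;
        }
        detail = "was " + before + ", now " + (int)ServicePointManager.SecurityProtocol;
        return ServicePointManager.SecurityProtocol == Tls12;
    }

    static int Main()
    {
        string detail;
        bool ok = TryRequireTls12(out detail);
        Console.WriteLine((ok ? "OK: " : "FAIL: ") + detail);
        // A non-zero exit code lets a deployment check fail closed.
        return ok ? 0 : 1;
    }
}
```

`ServicePointManager.SecurityProtocol` is a static setting, so the change applies to every `HttpWebRequest` in the application domain, not only to one web service call.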