Closed brianary closed 6 years ago
@brianary choco.exe does this automatically. Currently it is recommended you use that.
And I want to say it is .NET 4.5 for TLS 1.2 availability to be able to set it.
Yes, choco.exe works fine, but using the PackageManagement Chocolatey PackageProvider for the same functionality results in TLS connection failures. :(
Please refer to Transport Layer Security (TLS) best practices for full documentation on setting TLS defaults through registry.
This should work for installed .NET Framework v4.5.1 and above or .NET Framework 3.5. You need to have the latest patches for it to work.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
That seems to take care of it. I wasn't aware the .NET Frameworks prior to 4.7.1 would honor the OS settings. Thanks!
In enhanced security environments using only TLS, any version of the .NET Framework before 4.7 does not honor or inherit the OS TLS settings, so must manually set the System.Net.ServicePointManager.SecurityProtocol to the appropriate value (usually at least excluding Ssl3, which was deprecated three years ago), otherwise it inherits the Framework default value of Ssl3 | Tls (SSL3 & TLS 1.0), and this provider doesn't seem to provide any way to configure that.
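
An added example, not code from this thread or from the Chocolatey or PackageManagement projects: a PowerShell check of the four registry keys from the .reg file in this thread, with the per-session SecurityProtocol setting the issue describes as a fallback. The function name Get-DotNetTlsRegistryState is hypothetical, and the script assumes a 64-bit PowerShell session (so the non-WOW6432Node paths are not redirected) on .NET Framework 4.5 or later.

```powershell
# Added example: audit the .NET Framework TLS registry values listed in the
# .reg file from this thread. Assumes a 64-bit PowerShell session.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
# WOW6432Node only exists on 64-bit Windows; skip it elsewhere.
if (-not [Environment]::Is64BitOperatingSystem) {
    $keys = $keys | Where-Object { $_ -notmatch 'WOW6432Node' }
}
$names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

# Hypothetical helper name; returns one row per key/value pair.
function Get-DotNetTlsRegistryState {
    param([string[]]$Path, [string[]]$Name)
    foreach ($p in $Path) {
        foreach ($n in $Name) {
            # A missing key or value yields $null, which counts as not set.
            $item  = Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue
            $value = if ($item) { $item.$n } else { $null }
            [pscustomobject]@{
                Key       = $p
                Name      = $n
                Value     = $value
                Compliant = ($value -eq 1)   # the .reg file sets dword:00000001
            }
        }
    }
}

$state = @(Get-DotNetTlsRegistryState -Path $keys -Name $names)
$state | Format-Table -AutoSize

# Protocols this session currently offers for outbound .NET connections.
"SecurityProtocol before: $([System.Net.ServicePointManager]::SecurityProtocol)"

if ($state.Compliant -contains $false) {
    # Per-session fallback: set the value manually, as the issue describes.
    # This affects only the current process and does not persist.
    [System.Net.ServicePointManager]::SecurityProtocol =
        [System.Net.SecurityProtocolType]::Tls12
    "SecurityProtocol after:  $([System.Net.ServicePointManager]::SecurityProtocol)"
}
```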