The TLS1.2 on .NET framework 3.5 using KB3156421 doesn’t work in the Windows 10 anniversary update.

We have an issue with usage of TLS v1.2 with .NET Framework version 3.5.1 on Windows 10 anniversary update, version 1607.

KB3154518 suggests the support for TLS v1.2 included in the .NET Framework version 3.5.1.

On Windows 10 version 1511 OS, the below repro code when built with .NET 3.5, runs successfully and uses TLS 1.2.

On Windows 10 anniversary update, version 1607 (upgraded from the Windows 10, version 1511 OS) or Windows Server 2016, the same repro code below fails with an exception saying:

Unhandled Exception: System.NotSupportedException: The requested security protocol is not supported.

   at System.Net.ServicePointManager.set_SecurityProtocol(SecurityProtocolType value)

   at Examples.System.Net.WebRequestGetExample.Main() in C:\temp\TestTLS\TestTLS\Program.cs:line 33

With .NET 4.0 & above, the code works successfully using TLS 1.2 on both the Windows 10 OS flavor’s.

Repro Code

using System;

using System.IO;

using System.Net;

using System.Text;

 namespace System.Security.Authentication

{

    public static class SslProtocolsExtensions

    {

        public const SslProtocols Tls12 = (SslProtocols)0x00000C00;

        public const SslProtocols Tls11 = (SslProtocols)0x00000300;

    }

}

namespace System.Net

{

    using System.Security.Authentication;

    public static class SecurityProtocolTypeExtensions

    {

        public const SecurityProtocolType Tls12 = (SecurityProtocolType)SslProtocolsExtensions.Tls12;

        public const SecurityProtocolType Tls11 = (SecurityProtocolType)SslProtocolsExtensions.Tls11;

        public const SecurityProtocolType SystemDefault = (SecurityProtocolType)0;

    }

}

namespace Examples.System.Net

{

    public class WebRequestGetExample

    {

        public static void Main()

        {

            ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;

            // Create a request for the URL.    

            WebRequest request = WebRequest.Create("https://bing.com");

            // If required by the server, set the credentials.

            request.Credentials = CredentialCache.DefaultCredentials;

            // Get the response.

            HttpWebResponse response = (HttpWebResponse)request.GetResponse();

            // Display the status.

            Console.WriteLine(response.StatusDescription);

            // Get the stream containing content returned by the server.

            Stream dataStream = response.GetResponseStream();

            // Open the stream using a StreamReader for easy access.

            StreamReader reader = new StreamReader(dataStream);

            // Read the content.

            string responseFromServer = reader.ReadToEnd();

            // Display the content.

            Console.WriteLine(responseFromServer);

            // Cleanup the streams and the response.

            reader.Close();

            dataStream.Close();

            response.Close();

        }

    }

}

Neither of the below KB’s are applicable to Windows 10 anniversary update, so it seems that the above code built with .NET 3.5 is unable to use TLS v1.2 included in the .NET Framework version 3.5.1.

1. https://support.microsoft.com/en-us/kb/3154518

2. https://support.microsoft.com/en-us/kb/3154520  

Root Cause/ Resolution

It's a bug on 1607 OS's, fixed via https://support.microsoft.com/en-us/kb/3201845

From https://support.microsoft.com/en-us/kb/3154518 you get to see the section "After you enable the SystemDefaultTlsVersions .NET registry key, a different behavior occurs for each version of Windows, as shown in the following table" which now have the update for Windows 10 Version 1607 and Windows Server 2016.