In this short post, I will show how to use TLS 1.2 in ASP.NET Core 2.0 and later versions.
Why TLS 1.2?
Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering. Since applications can communicate either with or without TLS (or SSL), it is necessary for the client to indicate to the server the setup of a TLS connection. Read more on Transport Layer Security
Encryption protocols like Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are intended to keep data secure while it is transferred over a network.
Applying the fix to use TLS 1.2 in ASP.NET Core 2.0
In the Program.cs file, use the code below to configure TLS 1.2.
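    using System.Security.Authentication; // SslProtocols
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Logging;
    using Serilog;

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseKestrel(opt =>
            {
                // Do not advertise the server in the "Server" response header.
                opt.AddServerHeader = false;
                opt.ConfigureHttpsDefaults(s =>
                {
                    // Kestrel HTTPS endpoints negotiate TLS 1.2 only.
                    s.SslProtocols = SslProtocols.Tls12;
                });
            })
            .ConfigureLogging(builder =>
            {
                builder.ClearProviders();
                builder.AddSerilog();
            })
            .UseStartup<Startup>();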

Although you can configure TLS 1.2 in the web application itself, it is a good idea to force the web server to use TLS 1.2 as its minimum protocol version.
There is a good article on MSDN: How to enable TLS 1.2
Although the code above makes the application use TLS 1.2, the right way to enforce TLS 1.2 and above is to disable the lower TLS versions on the web server.
The right way of TLS implementation
How to Enable/Disable TLS 1.0, 1.1 and 1.2 in Windows Server using IISCrypto tool
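To confirm that either approach took effect, the following added example (not code from the original post) attempts one handshake per protocol version and reports which ones the server accepts. The class name TlsProbe, the host localhost and the port 5001 are assumptions; point it at your own deployment.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Hypothetical helper: one handshake per protocol version against your own server.
public static class TlsProbe
{
    // Tls and Tls11 are flagged obsolete by newer .NET SDKs (a warning only);
    // they are listed so the probe can confirm the server refuses them.
    private static readonly SslProtocols[] Candidates =
        { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 };

    public static bool Accepts(string host, int port, SslProtocols protocol)
    {
        using (var tcp = new TcpClient())
        {
            tcp.Connect(host, port); // a closed port throws SocketException: not a TLS result
            // Certificate errors are ignored on purpose: only the negotiated
            // protocol version matters here, and dev certificates are untrusted.
            using (var ssl = new SslStream(tcp.GetStream(), false, (s, cert, chain, err) => true))
            {
                try
                {
                    ssl.AuthenticateAsClient(host, null, protocol, false);
                    return ssl.SslProtocol == protocol;
                }
                catch (Exception ex) when (ex is AuthenticationException || ex is IOException)
                {
                    return false; // server (or the local OS policy) refused this version
                }
            }
        }
    }

    public static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "localhost";  // assumed host
        int port = args.Length > 1 ? int.Parse(args[1]) : 5001; // assumed HTTPS port
        bool weakAccepted = false;
        foreach (var p in Candidates)
        {
            bool ok = Accepts(host, port, p);
            Console.WriteLine($"{p,-6} {(ok ? "accepted" : "refused")}");
            if (ok && p != SslProtocols.Tls12) weakAccepted = true;
        }
        return weakAccepted ? 1 : 0; // non-zero exit when TLS 1.0 or 1.1 still works
    }
}
```

Run it from a machine whose own OS still permits TLS 1.0 and 1.1 as a client; otherwise every old version shows as refused regardless of the server's configuration.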
Conclusion
In this post, I showed how to use TLS 1.2 in ASP.NET Core 2.0. I also suggested applying a fix on the web server so that it supports only TLS 1.2 and above. That’s all from this post. If you have any questions or just want to chat with me, feel free to leave a comment below.