Enabling strong cryptography for all .Net applications

On my previous post 'Disabling cryptographic protocols for PCI compliance (focused on SSL 3.0 and TLS 1.0)' I mentioned how can you disable incoming SSL 3.0 and TLS 1.0 connections, by tweaking schannel settings in the Windows registry. Along with it, I also mentioned how to tweak ServicePointManager security settings to modify what cryptographic protocols shall be used for outgoing connections. On this post, I'm going to demonstrate another possible solution for this problem by modifying strong cryptography settings of all .Net based applications.

As seen in my previous post, ServicePointManager changes are applied per AppDomain, so if you have multiple applications hosted in different domains, you will have to manage ServicePointManager for each one of them. Depending on the use case, this might not be ideal. To globally modify the available cryptographic protocols for all .Net applications (versions 4 and above), just enable 'strong cryptography' on the Windows registry. If strong cryptography is disabled, only SSL 3.0 and TLS 1.0 will be used for secure connections. Otherwise TLS 1.0, TLS 1.1 and TLS 1.2 will be used.

To verify how this registry setting is being used, just dig into .Net source code. As you can see, when strong cryptography is disabled, the default protocols used for SslStreams are SSL 3.0 and TLS 1.0.

// extracted from .Net source code, link above
private SslProtocols DefaultProtocols()
{
  SslProtocols protocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;
  if (ServicePointManager.DisableStrongCrypto)
  {
    protocols = SslProtocols.Tls | SslProtocols.Ssl3;
  }

  return protocols;
} 

Following ServicePointManager.DisableStrongCrypto implementation we can see how this flag gets his value from 'SchUseStrongCrypto' property set in the Windows registry ('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319: SchUseStrongCrypto'). If this registry setting does not exist, in .Net version 4.5.2 and below the value will be set to 'True', while in .Net 4.6.1 and above will be set to 'False'. Given that, if you just install .Net 4.6.1 and do not change strong cryptography Windows registry property, SSL 3.0 will be disabled and TLS 1.0, TLS 1.1 and TLS 1.2 will be used. The opposite happens for all version 4 of .Net, below 4.6.2.

Anyway, if you want to make sure strong cryptography is enabled, just run the following PowerShell script with elevated privileges.

# set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord


# set strong cryptography on 32 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord 

Security