In my previous post, 'Disabling cryptographic protocols for PCI compliance (focused on SSL 3.0 and TLS 1.0)', I described how you can disable incoming SSL 3.0 and TLS 1.0 connections by tweaking the schannel settings in the Windows registry. Along with it, I also showed how to tweak the ServicePointManager security settings to control which cryptographic protocols are used for outgoing connections. In this post, I'm going to demonstrate another possible solution to this problem: modifying the strong cryptography settings that apply to all .NET-based applications.
MSDN has a ton of information about this topic, from database setup to SqlClient configuration; however, if you are fairly new to it you might get overwhelmed by all the available material. My goal for this blog post is to simplify the idea behind this concept so anybody can understand the basics. Just keep in mind that a real network setup can be far more complex, but the fundamentals will be the same.
PCI DSS (Payment Card Industry Data Security Standard) requires, as of the recently introduced revision 3.1, that cryptographic protocols with known vulnerabilities be disabled. This includes SSL 2.0, SSL 3.0 and TLS 1.0, meaning that after June of 2016 any environment still supporting those protocols will automatically fail a PCI audit. At the time of this writing, only TLS 1.1 and TLS 1.2 should be enabled (TLS 1.3 is still in the draft phase).
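As an added example (not code from the original post), the following PowerShell script audits the two registry areas referred to above, the schannel protocol keys for incoming connections and the .NET Framework 4.x strong-cryptography setting for outgoing ones, against the TLS 1.1/1.2-only baseline that PCI DSS 3.1 expects. It assumes an elevated session on the host being audited; the registry paths and the SchUseStrongCrypto value name are the ones Microsoft documents for schannel and the .NET Framework.

```powershell
# Added example (not from the original post): report, and optionally fix, registry
# settings that conflict with a TLS 1.1/1.2-only baseline. Run elevated; pass
# -Remediate to write the hardened values (schannel changes need a reboot).
param([switch]$Remediate)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Desired state per protocol: $true = must stay enabled, $false = must be disabled.
$expected = @{ 'SSL 2.0' = $false; 'SSL 3.0' = $false; 'TLS 1.0' = $false;
               'TLS 1.1' = $true;  'TLS 1.2' = $true }
# .NET Framework 4.x: SchUseStrongCrypto=1 makes ServicePointManager default to
# TLS 1.1/1.2 for outgoing connections. Both the 64-bit and the 32-bit
# (Wow6432Node) views must be set, or 32-bit applications keep the old default.
$dotnet = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')

$findings = @()
foreach ($proto in $expected.Keys) {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $schannel "$proto\$side"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        # A missing key means the OS default applies, so the protocol is not explicitly disabled.
        $isOn = ($null -eq $enabled) -or ($enabled -ne 0)
        if ($isOn -ne $expected[$proto]) {
            $shown = if ($null -eq $enabled) { '<default>' } else { $enabled }
            $findings += "$proto ($side): Enabled=$shown"
            if ($Remediate) {
                New-Item -Path $key -Force | Out-Null
                Set-ItemProperty -Path $key -Name Enabled -Value ([int]$expected[$proto]) -Type DWord
                Set-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $expected[$proto])) -Type DWord
            }
        }
    }
}
foreach ($key in $dotnet) {
    if (-not (Test-Path $key)) { continue }   # that framework view is not installed here
    $v = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    if ($v -ne 1) {
        $shown = if ($null -eq $v) { '<missing>' } else { $v }
        $findings += "$key : SchUseStrongCrypto=$shown"
        if ($Remediate) { Set-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -Type DWord }
    }
}
if ($findings.Count -eq 0) { 'No deviations from the TLS 1.1/1.2-only baseline found.' }
else {
    $findings | ForEach-Object { "DEVIATION: $_" }
    if ($Remediate) { 'Values written; reboot for the schannel changes to take effect.' }
}
```

Run it without -Remediate first so the deviations can be reviewed before anything is changed, since disabling TLS 1.0 on a server also affects any legacy clients that still depend on it.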