在旧版Windows系统上使用TLS1.2

Question

I have a Windows program written in .Net Framework 2.0 that communicates to a proprietary server app. The server was recently updated to use TLS1.2 for secure communication and my client program can't talk to it any more.

A google search turned up several sources that indicate that TLS1.2 is only supported by Window 7, Windows 2008 R2, and later systems. These sources are talking about servers, not clients, but it still sounds like I'm out of luck unless I run my client on Win7 or later - the underlying schannel.dll simply doesn't support the TLS1.2 protocol.

So my question is:

Is there a way to get my program to communicate using TLS1.2 when running on older Windows systems?

Answer 1

I doubt that you can use your current application unchanged to provide TLS1.2 (or TLS1.1) on older versions of windows. The .Net Framework uses the underlying schannel implementation of the operating system, and there is no update to this library and probably never will be for Vista or lower which support TLS1.1 or TLS1.2.

You might try to use different SSL libraries, eg OpenSSL or NSS (used by Firefox and Chrome), which are not bound by the limits schannel. There seem to be an interface for OpenSSL for .NET at http://sourceforge.net/projects/openssl-net/ , but this claims only to support up to OpenSSL 1.0.0d and thus does not support TLS1.2 yet (introduced in OpenSSL 1.0.1). So maybe there is no way in doing this with .Net.

Another thing which could be done is to setup the server to not only suport TLS1.2 but also TLS1.0. This still provides enough security in most cases (most servers out there use only TLS1.0), provided you use the right ciphers. Usually it is a simple setting on the server to support multiple TLS versions, so that it will talk TLS1.2 if possible but downgrade to TLS1.0 if the client does not support TLS1.2.