通过tls 1.2调用AWS C＃SDK时出错

Question

Paypal will soon imposed to use TLS 1.2 when contacting their API. This behavior already been enforced on their Sandbox.

We just been trapped by a side effect is that after invoking Paypal API any subsequent call to AWS SDK are failing.

Anybody had the same problem and found a workaround ?

Answer 1

As noted by this discussion on the AWS developer forums , at the time of this posting TLS 1.2 is not supported by the AWS SDK. Consequently, you won't be able to move to TLS 1.2 exclusively in your application until they also implement support for it.

A workaround exists where your application's communication protocol can be manually set. In the example below, ServicePointManager.SecurityProtocol is updated to enable support for TLS 1.0, TLS 1.1, and/or TLS 1.2 in the application:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

This change should allow your communication to communicate to PayPal with TLS 1.2, while falling back to older versions as necessary for communication with AWS SDK.

Notes:

• Manually setting this puts a burden of responsibility on you to periodically review this and eventually remove support for older TLS versions as they become unnecessary and/or security risks. This is the motivation for PCI-compliant APIs moving to TLS 1.2. Keep an eye on updates to the AWS SDK for .NET so that you'll be able to drop older TLS support as soon as possible.
• Tls11 and Tls12 are only available in the SecurityProtocolType enum for .NET versions 4.5+.

Further Reading:

• MSDN - ServicePointManager.SecurityProtocol Property

• Amazon S3 – frequently asked questions around disabling SSLv3 - Includes helpful discussion regarding TLS and its usage in the AWS SDK.

• How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) - An excellent related question/answer with commentary on security risks related to TLS 1.0 and motivations for migration to TLS 1.2.