How do you fix a broken .NET 3.5 C# app that uses SSL to connect to an external server after a user applies PCI 3.1 standards regarding SSL 3.0 and TLS 1.0 incoming and outgoing traffic on their systems?
I wanted to get this out here before questions start coming in. I recently had a client upgrade their PCI compliance to 3.1, in which SSL 3.0 or TLS 1.0 traffic is no longer allowed in or out of their systems. Instead, TLS 1.1 and 1.2 are currently the main drivers of secure connections. If you have a .NET C# application that connects to an external HTTPS site or employs secure SQL connections to a server, there are a few things you need to do.
First, update your app's .NET version to 4.5 or higher. .NET versions before 4.5 cannot use TLS 1.1 and 1.2 by default. If you have a small app and want to keep it on .NET 3.5, you can have clients update their PCs using this link: .net 3.5 TLS
Second, if you use .NET 4.5, you will need to add a line to your code before making a secure connection to an external site. (In the case of 4.6 or higher, it is suggested that TLS 1.2 is already the default and may not need this additional code.) This line tells your .NET 4.5 app to use TLS 1.1 or TLS 1.2 rather than older protocols such as SSL 3.0.
```csharp
using System.Net; // needed for SecurityProtocolType

// Set once, early in startup (before the first request); it applies process-wide
// to every HttpWebRequest / WebClient the app makes.
System.Net.ServicePointManager.SecurityProtocol =
    SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
```
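To confirm the change actually works against a given endpoint, here is an added example (not code from the original post) that applies the setting above and then runs a small TLS preflight with `SslStream`, reporting which protocol the server negotiated. `TlsPreflight`, `Probe` and the `example.com` host name are hypothetical placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Hypothetical helper (added example). Checks that a server can be reached with
// TLS 1.1/1.2 only, which is the behaviour the ServicePointManager setting
// forces for every HttpWebRequest in the app.
static class TlsPreflight
{
    // Returns the protocol the server negotiated, or throws if it will not
    // speak TLS 1.1/1.2 (for example, it still only offers SSL 3.0 / TLS 1.0).
    public static SslProtocols Probe(string host, int port = 443)
    {
        using (var client = new TcpClient(host, port))
        // Default certificate validation is kept; do not swap in a callback that
        // returns true, as that silently disables chain checking.
        using (var ssl = new SslStream(client.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host,
                null,                                    // no client certificate
                SslProtocols.Tls11 | SslProtocols.Tls12, // never offer SSL 3.0 / TLS 1.0
                checkCertificateRevocation: true);
            return ssl.SslProtocol;
        }
    }

    public static void Main()
    {
        // Same restriction the post recommends, applied process-wide.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

        string host = "example.com"; // placeholder: replace with the real endpoint
        try
        {
            Console.WriteLine("Negotiated: " + Probe(host));
        }
        catch (AuthenticationException ex)
        {
            // Typical symptom after the PCI 3.1 change when one side still
            // requires SSL 3.0 / TLS 1.0: the handshake is rejected outright.
            Console.WriteLine("TLS handshake failed: " + ex.Message);
        }
    }
}
```

If `Probe` reports `Tls` (TLS 1.0) or throws, the server or an intermediate device still needs to be reconfigured before the client setting alone will help.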
I hope this helps. Here is a document from PCISecurityStandards.org describing the June 2018 deadline for 3.1 compliance: PCI 3.1 Deadline