On March 27, 2018, RSA SaaS Operations announced the TLS 1.0/1.1 protocols will be deprecated starting May 6, 2018, and leaving TLS 1.2. This change may impact processes using the Archer Web Services API and REST API. Any custom applications/integrations developed with .NET Framework 4.5 or older may not have the TLS 1.2 protocol enabled and will not be able to connect successfully after TLS 1.0/1.1 is deprecated.
The information below also applies to customers not using RSA Archer Hosting Services, but have disabled TLS 1.0/1.1 in their Archer environments.
The following error messages can occur when custom applications can’t connect because TLS 1.2 is the only protocol enabled:
- The request was aborted: Could not create SSL/TLS secure channel.
- An error occurred while sending the request.
- The underlying connection was closed: An unexpected error occurred on a send.
- Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
To correct the issue and prevent possible issues, there are a few options:
- Recompile the code with .NET 4.6 or higher
- Modify code to use TLS 1.2 as long as the client computer has .NET 4.6 or higher installed
- For non-SaaS customers, registry changes on web server can force .NET 4.0 to allow TLS 1.2. Check out the comments at end of this page.
If option 2 is chosen, below are several code snippets in C#, PowerShell, and VB.NET that may be helpful demonstrating how to use TLS 1.2 with a .NET Framework 4.0 application.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::SecurityProtocol = @("Tls12","Tls11","Tls","Ssl3")
ServicePointManager.SecurityProtocol = (ServicePointManager.SecurityProtocol Or CType(3072, SecurityProtocolType))
ServicePointManager.SecurityProtocol = CType(48, SecurityProtocolType) Or CType(192, SecurityProtocolType) Or CType(768, SecurityProtocolType) Or CType(3072, SecurityProtocolType)
''' Enable SSL3 and TLS 1.0, 1.1, 1.2 which is needed for .NET 4.0 apps. Starting with 4.6, it's on by default.
''' Ssl3 = 48
''' Tls 1.0 = 192
''' Tls 1.1 = 768
''' Tls 1.2 = 3072
Public Sub EnableSslProtocols()
Debug.Print("Runtime: " + System.Diagnostics.FileVersionInfo.GetVersionInfo(GetType(System.Int32).Assembly.Location).ProductVersion)
Debug.Print("Enabled protocols before: " + ServicePointManager.SecurityProtocol.ToString)
Debug.Print("Available protocols: ")
' Loop thru the available protocols and enable them. Hopefully gets future TLS versions like 1.3.
For Each protocol As SecurityProtocolType In System.Enum.GetValues(GetType(SecurityProtocolType))
ServicePointManager.SecurityProtocol = ServicePointManager.SecurityProtocol Or CType(protocol.GetHashCode, SecurityProtocolType)
Debug.Print("Enabled protocols after: " + ServicePointManager.SecurityProtocol.ToString)
Output of the Debug.Print lines from the function above:
Enabled protocols before: Ssl3, Tls
Enabled protocols after: Ssl3, Tls, Tls11, Tls12
Other online resources that may be helpful:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.