TLS 1.2 support
Since SSL is considered an outdated technology and may be subject to security vulnerabilities in the future, it is strongly recommended to use TLS v1.1 or newer if possible.
Many software vendors and web services have decided to follow the latest industry security standards and upgrade their information sharing protocol to the latest version – TLS v1.2. A few months ago PayPal announced several security-related updates – an upgrade to TLS v1.2 is one of them.
How can you keep your integrations up to date?
If your integrations use connections to services that require the TLS v1.2 protocol, you should update your environment. The steps needed to keep your environment up-to-date depend on the .NET framework that you use.
.NET framework 4.6 or higher (supported in Kentico 9)
No steps are needed. .NET 4.6 or newer is fully compatible with TLS v1.1 and TLS v1.2 by default.
.NET framework 4.5 to .NET framework 4.5.2 (supported in Kentico 8 – Kentico 9)
These versions of .NET do not enable TLS v1.1 and TLS v1.2 by default, but you can enable it in your solution.
Code example
In .NET applications, you can enable specific versions of the TLS protocol by setting the System.Net.ServicePointManager.SecurityProtocol property. The easiest way to achieve this in Kentico is to create a custom module and set the security protocol during the application initialization:
- Create a new project in your solution, e.g. TlsSupport
- Create a new class, e.g. TlsFixModule.cs
- Set the security protocol you want to enable in the custom module’s OnPreInit() method.
Here is an example of the TlsFixModule class:
using System.Net;
using CMS;
using CMS.DataEngine;
[assembly: AssemblyDiscoverable]
[assembly: RegisterModule(typeof(TlsSupport.TlsFixModule))]
namespace TlsSupport
{
internal class TlsFixModule : Module
{
public TlsFixModule()
: base("Custom.TlsFixModule")
{
}
protected override void OnPreInit()
{
base.OnPreInit();
// Specify the protocols you want to use. In this case TLS1 and TLS2 protocols will be accepted.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
}
}
}
.NET framework 4.0 (supported in Kentico 7 and Kentico 8)
To keep your integrations compatible with the latest standards, it is recommended to upgrade to the latest .NET framework version and Kentico version.
.NET framework 3.5 and below (supported in Kentico 7)
These .NET versions are not compatible with TLS v1.1 or higher. To keep your integrations compatible with the latest standards, it is recommended to upgrade to the latest .NET framework version and Kentico version.
Test if the secure connection works
To make sure your integrations are able to create a secure connection with 3rd parties, e.g. PayPal, you can make testing requests to the https://tlstest.paypal.com/ domain. If your connection is established using TLS v1.2, you will see the message “Paypal_Connection_OK”, otherwise an exception will be thrown.