|
Ming Chao
Posts: 30
Joined: 2019-01-23
|
Hi,
As TLS 1.0/1.1 becomes globally deprecated, my firm is trying to upgrade our project's target framework to .NET Framework v4.7.2. It should use the highest TLS version available in your system, as recommended by Microsoft; however, TLS1.0 is still being used when testing our Excel add-in app from a Windows 10 test machine after we upgraded the project to v4.7.2.
To investigate the issue further, I've created a test console app and a new add-in project that only execute the code shown below, and confirmed that the console app used TLS1.2 by default whereas the add-in project still used TLS1.0. I also searched the forum, and there's an old forum post that described a similar issue. This seems to be an existing issue with the Add-in Express framework.
Is this still an existing issue in the newest version of the add-in framework? Is there a plan to upgrade the framework to which ADX is compiled to v4.7.2 or higher?
Code executed from Console app's main method and addin's AddinInitialize event handler:
var task = (new HttpClient()).GetStringAsync("https://www.example.com");
task.Wait();
Another forum post described a similar issue:
https://www.add-in-express.com/forum/read.php?PAGEN_1=1&FID=5&TID=14730#nav_start
Microsoft's recommendation on TLS1.2:
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-security-via-appcontext-switches
Article about TLS 1.0/1.1 deprecation:
https://portswigger.net/daily-swig/tls-1-0-1-1-end-of-life-countdown-heads-into-the-danger-zone
|
Posted 10 Mar, 2020 10:51:22
|
|
Andrei Smolin
Add-in Express team
Posts: 18825
Joined: 2006-05-11
|
Hello Ming,
I can't explain what exactly causes this issue; most probably, this relates to Add-in Express using .NET 2.0 *and* to the fact that add-ins aren't usual .NET applications (since they load in a different way, via Hosting API). In fact, I don't understand these things to the degree required for explaining them.
You can try this approach. In the constructor of the add-in module set:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.SystemDefault;
This value is recommended at https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls.
After that, check if TLS1.2 is used. If not, try to set System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12.
Andrei Smolin
Add-in Express Team Leader
|
Posted 11 Mar, 2020 09:24:41
|
|
Ming Chao
Posts: 30
Joined: 2019-01-23
|
Thank you for your help, Andrei. It seems explicitly defining TLS1.2 is the only workaround for now.
|
Posted 12 Mar, 2020 08:07:05
|
|
Andrei Smolin
Add-in Express team
Posts: 18825
Joined: 2006-05-11
|
Hello Ming,
Thank you for sharing your findings with the forum readers!
Andrei Smolin
Add-in Express Team Leader
|
Posted 12 Mar, 2020 08:23:22
|
|
Ming Chao
Posts: 30
Joined: 2019-01-23
|
Hi Andrei,
Is there a plan to upgrade the framework so that the version of TLS being used will be delegated to the OS, as older TLS versions cause major security concerns and a hard-coded ServicePointManager.SecurityProtocol is not recommended?
|
Posted 12 Mar, 2020 11:43:08
|
|
Andrei Smolin
Add-in Express team
Posts: 18825
Joined: 2006-05-11
|
Hello Ming,
I've found that a VSTO add-in demonstrates the same behavior and googled out this page: use Ctrl+F to find "Excel" on it - https://github.com/dotnet/docs/issues/4675 on github/dotnet/docs.
Andrei Smolin
Add-in Express Team Leader
|
Posted 13 Mar, 2020 04:30:48
|
|
Ming Chao
Posts: 30
Joined: 2019-01-23
|
Thank you, Andrei, for looking into this. Defining the settings at runtime allows setting ServicePointManager.SecurityProtocol to SystemDefault, which uses TLS 1.2.
For documentation purposes: it will not work if the same settings are defined in the App.config file.
|
Posted 17 Mar, 2020 10:33:31
|
|
Andrei Smolin
Add-in Express team
Posts: 18825
Joined: 2006-05-11
|
Hello Ming,
Thank you! I suppose it should work if you define it in excel.exe.config.
Andrei Smolin
Add-in Express Team Leader
|
Posted 18 Mar, 2020 01:30:20
|
|
Andrei Smolin
Add-in Express team
Posts: 18825
Joined: 2006-05-11
|
Hello All,
I've reopened this topic to post an update that I should have posted a while ago:
You can specify the TLS used right in the constructor of the ADXClickOnceModule/ADXClickTwiceModule (you need to add them to your project) or in the constructor of the add-in module:
ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
If you have no SecurityProtocolType.Tls11 and/or SecurityProtocolType.Tls12 declared in the .NET Framework version you are using, use numeric values:
ServicePointManager.SecurityProtocol =
SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls
| (SecurityProtocolType)768 /*Tls 1.1*/
| (SecurityProtocolType)3072 /*Tls 1.2*/
| (SecurityProtocolType)12288 /*Tls 1.3*/;
Andrei Smolin
Add-in Express Team Leader
|
Posted 01 Dec, 2020 06:07:24
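
A startup helper covering the two options discussed in this thread, as an added example that is not part of any post and is not Add-in Express code: it either sets `SystemDefault` or, as the fallback, pins TLS 1.2 while dropping SSL 3.0 and TLS 1.0/1.1, then returns a log line with the resulting value and the two AppContext switches from the Microsoft page linked in the first post. The class and method names are hypothetical, and it assumes a project targeting .NET Framework 4.7 or later.

```csharp
using System;
using System.Net;

// Added example: hypothetical helper, not Add-in Express or Microsoft code.
internal static class AddinTlsSetup
{
    // Numeric values quoted in the thread (768 = TLS 1.1, 3072 = TLS 1.2).
    private const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    private const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Protocols the first post lists as deprecated, plus SSL 3.0.
    private const SecurityProtocolType Weak =
        SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | Tls11;

    // Call from the add-in module constructor, before the first HTTPS request.
    // pinTls12 = false: delegate the protocol choice to the OS (SystemDefault).
    // pinTls12 = true : fallback from the thread when TLS 1.0 is still used.
    public static string Apply(bool pinTls12)
    {
        SecurityProtocolType before = ServicePointManager.SecurityProtocol;

        SecurityProtocolType wanted = pinTls12
            ? (before & ~Weak) | Tls12   // keep any newer bits, drop the weak ones
            : SecurityProtocolType.SystemDefault;
        ServicePointManager.SecurityProtocol = wanted;

        // Read the value back so the log shows what the process really holds.
        SecurityProtocolType after = ServicePointManager.SecurityProtocol;
        bool weakLeft = (after & Weak) != 0;

        return string.Format(
            "TLS setup: before={0} after={1} weakProtocolsEnabled={2} {3} {4}",
            before, after, weakLeft,
            Describe("Switch.System.Net.DontEnableSchUseStrongCrypto"),
            Describe("Switch.System.Net.DontEnableSystemDefaultTlsVersions"));
    }

    // Reports an AppContext switch, or "unset" when the process has no value for it.
    private static string Describe(string name)
    {
        bool value;
        return name + "=" + (AppContext.TryGetSwitch(name, out value)
            ? value.ToString() : "unset");
    }
}
```

Writing the returned line to the add-in's log on each start gives a record of the protocol mask the Excel process holds, which can be compared with the same line from a console app on the same machine.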
|
|