
BizTalk 2013 R2, TLS 1.2 and SSL 3.0

Alastair Grant | Thursday 21 September 2017

SSL 3.0 has been deprecated for quite some time, and TLS 1.0 is going this way too.  TLS 1.2 is now widely supported and should be the go-to until 1.3 is finalised.

BizTalk 2013 R2 runs on .NET 4.5, which supports TLS 1.2, but it's not used by default, so outbound connections from BizTalk will be done using TLS 1.0.

SSL/TLS on Windows is controlled by "schannel", which can be tweaked to enable or disable individual protocols.  You can disable support for SSL 3.0 and TLS 1.0 this way, but be sure that all your connecting systems can cope with that.  Just as there are an annoying number of businesses using CSVs or email as a messaging system, you can be sure that there are plenty that are still using the very broken SSL 3.0.  Disabling support in schannel means that these won't be able to connect, and although SSL 3.0 is as good as plain text, sometimes uptime and business continuity trump making a point on security.

The approach then is to leave the old protocols enabled but set .NET to default outgoing to 1.2 (which can fall back to any enabled protocol).  This can be done via a registry tweak:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
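To apply the tweak above without hand-editing the registry, and to see which protocols schannel currently has enabled (so you can verify the "leave old protocols on, prefer 1.2 outbound" state), here is an added PowerShell script; it is my own example rather than code from the original post. The two .NET keys are the ones from the .reg file above, and the schannel protocol keys are the standard ones under SecurityProviders\SCHANNEL\Protocols, which are absent by default (an absent key means the OS default applies).

```powershell
# Run elevated on the BizTalk server. The .NET setting is read when a process
# starts, so restart the BizTalk host instances afterwards to pick it up.

$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-StrongCrypto {
    # Idempotent: only writes SchUseStrongCrypto=1 where it is missing or different.
    foreach ($key in $netKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        if ($current -ne 1) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
            Write-Output "Set SchUseStrongCrypto=1 in $key (was: $current)"
        } else {
            Write-Output "SchUseStrongCrypto already 1 in $key"
        }
    }
}

function Get-SchannelProtocolState {
    # Reports the Enabled / DisabledByDefault values per protocol and side.
    # 'default' means no explicit key exists, so Windows' built-in default applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $base "$proto\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = $props.Enabled
            if ($null -eq $enabled) { $enabled = 'default' }
            $disabledByDefault = $props.DisabledByDefault
            if ($null -eq $disabledByDefault) { $disabledByDefault = 'default' }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

Set-StrongCrypto
Get-SchannelProtocolState | Format-Table -AutoSize
```

Any row showing SSL 3.0 or TLS 1.0 as Enabled=1 (or 'default' on an older OS) is a partner-facing channel still worth chasing down for migration to TLS 1.2.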

IIS takes care of incoming web connections and negotiates the highest version available from schannel, i.e. 1.2.  But with the older protocols still available, old clients can still connect using defunct protocols.

Be warned: enabling old protocols makes you vulnerable to downgrade attacks and leaves your communication channels insecure, so ensure you work with your business partners to move to TLS 1.2 ASAP.

Update March 2018

Microsoft have now released Cumulative Update 8 for BizTalk Server 2013 R2, which includes support for TLS 1.2.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.