Question for a specific scenario

[guzelonur]

First of all, this project is very nice and neat as it describes the such problem by defining the big TLS "chaos" between old .NET programs, OSes and newest secure servers.

However I searched many resources including stackoverflow and this one and found no definite answer to my question.

Issue; It is known that Windows 7 SP1 supports both TLS 1.2 and 1.1 out of the box but they are not enabled. And Microsoft support articles and docs dictate that for example TLS 1.2 can easily be enabled for Schannel-level by tweaking the registy mentioned in your projects "Schannel Registry Keys", just like setting the required values of this key:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

Thus the question is, if we have .NET 4.0 on Windows 7 SP1, can't we simply enable TLS 1.2 in our apps by default (with/without code changes of ServicePointManager) by making such system-wide registry change above WITHOUT requring to install .NET 4.6 (or .NET 4.5) as it is a global Schannel registry tweak?

Is it still and "really" required to install .NET 4.6 (some articles say 4.5) along with existing .NET 4.0 environment even we do all the necessary registry changes?

Best regards.

[mmercurio]

Apologies for the very late. This project hasn't seen much action in recent years.

Thus the question is, if we have .NET 4.0 on Windows 7 SP1, can't we simply enable TLS 1.2 in our apps by default (with/without code changes of ServicePointManager) by making such system-wide registry change above WITHOUT requring to install .NET 4.6 (or .NET 4.5) as it is a global Schannel registry tweak?

It's been a while since I looked at this, but I believe it is possible. See this Stack Overflow thread for more details with answers provided both for enabling via registry and via code.

Is it still and "really" required to install .NET 4.6 (some articles say 4.5) along with existing .NET 4.0 environment even we do all the necessary registry changes?

It is possible to use .NET 4.5. However, iirc, using .NET 4.5 would require application code changes to explicitly set TLS 1.2.

The reasons for choosing .NET 4.6 at the time and finding a solution that did not require code changes was done specifically to minimize updates to clients' systems and other vendors' (i.e., third-party) software already installed on those systems. These motivations and other potential solutions (e.g., NARTAC's IIS Crypto) were highlight in this blog post, which was long ago taken down and now only publicly available via Wayback Machine:
https://web.archive.org/web/20180324130113/https://blog.thelevelup.com/pci-security-is-your-restaurant-ready/