There are several other posts about this now and they all point to enabling TLS 1.2. Anything less is unsafe.
You can do this in .NET 3.5 with a patch.
You can do this in .NET 4.0 and 4.5 with a single line of code:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // .NET 4.5
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; // .NET 4.0
In .NET 4.6, it automatically uses TLS 1.2.
See here for more details:
.NET support for TLS
I'm with the Payfort Start team. We've got a page here that helps describe this issue in more detail. Essentially, your API client (the library you're using to make the HTTPS request) has to support TLS1.2. The Start API will reject any request that doesn't support TLS1.2 at a minimum.
It would appear that the WebRequest does support TLS 1.1 and 1.2, but you have to turn them on manually. You can refer to this answer for the fix.
To verify that your client supports TLS1.2, you can send a GET request from your application to https://www.howsmyssl.com/a/check and read the response.
In cURL:
> curl -X GET https://www.howsmyssl.com/a/check
Returns:
{
given_cipher_suites: [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_RC4_128_SHA",
"TLS_RSA_WITH_RC4_128_MD5",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
],
ephemeral_keys_supported: true,
session_ticket_supported: true,
tls_compression_supported: false,
unknown_cipher_suite_supported: false,
beast_vuln: false,
able_to_detect_n_minus_one_splitting: false,
insecure_cipher_suites: {
"TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA": [
"uses keys smaller than 128 bits in its encryption"
]
},
tls_version: "TLS 1.2",
rating: "Bad"
}
Look out for the tls_version at the end.
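The check described in this answer, written as a small C# console program. This is an added example, not code from the answer or from Payfort. The class name `TlsCheck`, the exit codes and the embedded sample response are assumptions made for illustration; pass the check URL as the only argument to test a real connection.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class TlsCheck
{
    // Constructed, trimmed sample of a check response from a client that has
    // not enabled TLS 1.2; used when no URL is passed on the command line.
    const string Sample = "{\"tls_version\": \"TLS 1.0\", \"rating\": \"Bad\"}";

    // Extract the negotiated protocol. Quotes around the key are optional
    // because the output quoted in the answer shows the keys unquoted.
    static string NegotiatedVersion(string json)
    {
        Match m = Regex.Match(json, "\"?tls_version\"?\\s*:\\s*\"([^\"]+)\"");
        return m.Success ? m.Groups[1].Value : null;
    }

    // True only for "TLS x.y" with x.y >= 1.2; SSL, older TLS and a missing
    // field all fail.
    static bool MeetsMinimum(string version)
    {
        Version v;
        return version != null
            && version.StartsWith("TLS ", StringComparison.Ordinal)
            && Version.TryParse(version.Substring(4), out v)
            && v >= new Version(1, 2);
    }

    static int Main(string[] args)
    {
        try
        {
            // 3072 is the numeric value of Tls12, so this compiles on .NET 4.0.
            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
        }
        catch (NotSupportedException)
        {
            Console.Error.WriteLine("This runtime cannot enable TLS 1.2.");
            return 2;
        }
        string body = Sample;
        if (args.Length == 1) // e.g. https://www.howsmyssl.com/a/check
            using (var client = new WebClient())
                body = client.DownloadString(args[0]);
        string version = NegotiatedVersion(body);
        Console.WriteLine("Negotiated: " + (version ?? "unknown"));
        return MeetsMinimum(version) ? 0 : 1;
    }
}
```

A non-zero exit code means the client did not negotiate TLS 1.2 or later (1) or the runtime rejected the protocol value (2), so the program can be used as a deployment gate.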
Best Answer
There are two possible scenarios; in my case I used the 2nd point.
If you are facing this issue in a production environment and you can easily deploy new code to production, then you can use the solution below.
You can add the line of code below before making the API call:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // .NET 4.5
If you cannot deploy new code and you want to resolve this with the same code that is present in production, then this issue can be resolved by changing some configuration settings in the config file. You can add either of the following to your config file.
or