TLS 1.3 is out, and it's time to take note and plan the retirement of TLS 1.2.
Making this change should be straightforward for .NET users:
- Upgrade your solutions and projects to .NET Framework 4.7.1 or later
- If you have stipulated TLS 1.2 anywhere in your code, change it to TLS 1.3
It is also important for pen testers to take note: at some point TLS 1.2 will be considered insecure.
In this article Microsoft covers all the changes. They suggest that you do not hard-code TLS versions in your application and instead allow the software to use whatever the OS is configured for.
This is a double-edged sword. If the OS is not secure, then neither is your software. If you stipulate the .NET version and don’t maintain it over time, your product will become insecure.
Personally, I prefer to direct the developers to hard-code the TLS version to use.
- If the OS is not secure, it will cause your software not to work, which will result in a support call, after which they will upgrade their server OS.
- If the product is not maintained over a long period of time and the OS outgrows your application, it will also result in an error, which I believe is important for the client to know.
I guess you decide what you prefer to do.
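
The two options discussed above, side by side, as an added example (not code from the original post or from Microsoft's article): it connects once with the OS default and once pinned to TLS 1.3, then reports what was negotiated or how the handshake failed. It assumes a runtime and OS where `SslProtocols.Tls13` is defined; `TlsPolicyDemo`, `Negotiate`, `Try` and the host `example.com` are illustrative names.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsPolicyDemo
{
    // Connects to host:443 and returns the protocol that was actually negotiated.
    // SslProtocols.None means "let the OS pick"; any other value pins the version.
    static SslProtocols Negotiate(string host, SslProtocols allowed)
    {
        using (var tcp = new TcpClient(host, 443))
        using (var tls = new SslStream(tcp.GetStream()))
        {
            tls.AuthenticateAsClient(host, null, allowed, checkCertificateRevocation: true);
            return tls.SslProtocol;
        }
    }

    static void Try(string label, string host, SslProtocols allowed)
    {
        try
        {
            Console.WriteLine($"{label}: negotiated {Negotiate(host, allowed)}");
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException
                                   || ex is System.ComponentModel.Win32Exception
                                   || ex is NotSupportedException || ex is SocketException)
        {
            // With a pinned version this is the "support call" case from the post:
            // the OS or the server cannot do TLS 1.3, so the connection fails loudly
            // instead of silently falling back to an older protocol.
            Console.WriteLine($"{label}: handshake failed ({ex.GetType().Name}: {ex.Message})");
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "example.com"; // placeholder host
        Try("OS default", host, SslProtocols.None);       // follows OS configuration
        Try("Pinned TLS 1.3", host, SslProtocols.Tls13);  // hard-coded version
    }
}
```

Logging the negotiated protocol in production gives you the evidence for either policy: it shows when an OS-default deployment is still landing on TLS 1.2, and it explains the failure when a pinned deployment meets a host that cannot do TLS 1.3.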