Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


tls1.2 - Azure App Service - Minimum TLS Version - Need to make host registry tweaks too?

I think I'm missing something with how TLS works, but I'm not sure what. Hopefully if I describe what happens someone can help me correct my understanding.

I have Identity Server (targeting net47) in an Azure Web App which has the "Minimum TLS Version" set to 1.2.

I have a relying party hosted outside Azure that targets .NET Framework 4.5. AFAIK 4.5 by default doesn't support TLS 1.2, so I was expecting my relying party to stop working. However, it didn't, everything carried on as normal.

Only once we made the required registry tweaks to disable old versions of TLS (1.0 and 1.1) on the hosting box did the relying party break. "An existing connection was forcibly closed by the remote host" and "Unable to obtain configuration from [PII is hidden]".

Why do I need to disable those protocols on the relying party host? I thought the server -> Azure handshake should've said "TLS 1.2" only and then because the RP is net 4.5 it would've failed?

To confirm it wasn't something else, the following got it working again:

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

I've read, among others, https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/ and it seems to back up that the relying party should have stopped working as soon as TLS 1.2 as a minimum version was selected.

What am I missing?

question from: https://stackoverflow.com/questions/65916747/azure-app-service-minimum-tls-version-need-to-make-host-registry-tweaks-too
