Question

I have an old CLR assembly that was using .NET 2, and when our TLS 1.0 connections were shut down for security reasons, the calls I was making out of the assembly (REST POSTs to an HTTPS endpoint) were being returned with:

The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.

We figured we needed to upgrade the assembly to use .Net 4 (specifically 4.5.2) to get it to use TLS 1.1 which is still active. I upgraded the project and assembly but am still getting that message.

Is there something specific I need to do in SQL Server or in the OS to force the TLS 1.1 connection?


Solution

If you are still getting that error then it is possible that the requirement for the connection is actually TLS 1.2 and not 1.1, and 1.2 does not become the default until .NET Framework version 4.6. So, you can either try to compile with a target framework version of 4.6, or you can force the TLS version to use 1.2 (or support both 1.1 and 1.2) by setting the SecurityProtocol property of the ServicePointManager class. There are enum values for:

  • SecurityProtocolType.Tls12
  • SecurityProtocolType.Tls11

However, depending on which version of the .NET Framework you are using, those values might not yet have been added to the enum. But that won't matter since you can just specify the numerical value that the enum value translates to:

  • (SecurityProtocolType)3072 for TLS 1.2
  • (SecurityProtocolType)768 for TLS 1.1

It appears that there might also be a registry setting to force the TLS version if your code is not overriding via setting ServicePointManager.SecurityProtocol.

I think for my SQL# project I used a static class constructor for the main class that contains the SQLCLR methods that sets ServicePointManager.SecurityProtocol once upon being loaded. And the enum is a "HasFlags" enum, so you can specify multiple versions, such as:

ServicePointManager.SecurityProtocol =
    SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

or possibly:

ServicePointManager.SecurityProtocol =
    SecurityProtocolType.Tls11 | (SecurityProtocolType)3072;

Please also see:
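
Added example, not part of the original answer or of the SQL# project: a minimal SQLCLR class that applies the static-constructor approach described above, using the numeric casts so it compiles even where the enum members are missing. The names RestClient and HttpsPost are hypothetical, and the assembly is assumed to be registered with at least EXTERNAL_ACCESS so that it can make outbound network calls.

```csharp
using System;
using System.Data.SqlTypes;
using System.IO;
using System.Net;
using System.Text;
using Microsoft.SqlServer.Server;

public static class RestClient   // hypothetical class name
{
    // Numeric values quoted in the answer; the casts compile even when the
    // target framework's SecurityProtocolType enum lacks Tls11/Tls12.
    private const SecurityProtocolType Tls11 = (SecurityProtocolType)768;
    private const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Runs once, the first time the class is loaded into the AppDomain.
    static RestClient()
    {
        // Plain assignment (not |=) so the older SSL 3.0 / TLS 1.0
        // defaults are not carried over into the allowed set.
        ServicePointManager.SecurityProtocol = Tls11 | Tls12;
    }

    [SqlFunction(DataAccess = DataAccessKind.None)]
    public static SqlString HttpsPost(SqlString url, SqlString jsonBody)
    {
        if (url.IsNull || jsonBody.IsNull) return SqlString.Null;

        Uri target = new Uri(url.Value);
        if (target.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Only https:// endpoints are allowed.");

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(target);
        request.Method = "POST";
        request.ContentType = "application/json";
        byte[] payload = Encoding.UTF8.GetBytes(jsonBody.Value);
        request.ContentLength = payload.Length;

        using (Stream body = request.GetRequestStream())
            body.Write(payload, 0, payload.Length);

        using (WebResponse response = request.GetResponse())
        using (StreamReader reader =
                   new StreamReader(response.GetResponseStream(), Encoding.UTF8))
            return new SqlString(reader.ReadToEnd());
    }
}
```

ServicePointManager.SecurityProtocol is a static property, so the value set here applies to every HTTPS request made from the same AppDomain, not only to calls made through this class.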

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange