November 15th, 2019

Deprecating TLS 1.0 and 1.1 on NuGet.org

Karan Nandwani
Program Manager

co-authored by Scott Bommarito

At Microsoft, using the latest and secure encryption techniques is very important to us to ensure the security and privacy of our customers. TLS 1.0 and TLS 1.1, released in 1999 and 2006 respectively, are known to be vulnerable to a number of attacks including POODLE and BEAST. In the past, we removed support for SSL 3 because it was also vulnerable to attacks. For those reasons, NuGet.org will be removing support for TLS 1.0 and 1.1. This means that you will no longer be able to restore packages, upload packages, or browse NuGet.org using these outdated security protocols. The vast majority of requests that we receive using these protocols are to our deprecated V2 API, which was replaced by our V3 API in 2015. To be ready for this transition, ensure that your systems support TLS 1.2 or higher.

NuGet.org will remove support for TLS 1.0 and 1.1 in April, 2020

We realize adapting to change can take time, and we want to share our plans early. To help minimize the number of affected users, we plan to make this change in two stages:

  1. February 2020: Temporarily remove support for TLS 1.0/1.1 in 3 timezones, for 4 hours each, to ensure overlap with normal working hours across the globe
  2. April 2020: Permanently remove support for TLS 1.0/1.1

We hope that the first stage will help you identify systems that may be affected and will give you an opportunity to take action before we permanently remove support for TLS 1.0/1.1 in April, 2020. We will share more specifics, and send out reminders as we get closer.

Ensuring your system uses TLS 1.2

Operating Systems

  • All Windows Operating Systems since Windows 8 support TLS 1.2 by default. If you are experiencing connection issues (“Could not create SSL/TLS secure channel” error), please verify that TLS 1.2 is not explicitly disabled on your system:

    • The following commands should either produce “The system was unable to find the specified registry key or value” error or have a value of 1 on a system where TLS 1.2 support is enabled:

      reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /reg:32
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /reg:64
      
    • The following commands should either produce “The system was unable to find the specified registry key or value” error or have a value of 0 on a system where TLS 1.2 support is enabled:

      reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /reg:32
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /reg:64
      
    • Run the following commands to enable TLS 1.2 support if it is disabled:

      reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f /reg:32
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f /reg:64
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f /reg:32
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f /reg:64
      
  • Windows 7 requires an update to be installed and the following registry updates to enable TLS 1.2 support:

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f /reg:32
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f /reg:64
    
  • Windows Server 2008 supports TLS 1.2 if you install an optional Windows Update package.

  • Windows Vista reached end of support in April 2017 and does not support TLS 1.2. You should upgrade to a newer version of Windows.
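The registry checks above can be scripted so that both registry views are inspected at once and the result is reduced to a single verdict. The following PowerShell script is an added example, not code from the NuGet post or the NuGet project; it reads the same SCHANNEL "TLS 1.2\Client" values with the same decision rule the post gives (a missing key or value counts as enabled, Enabled must be 1, DisabledByDefault must be 0). The function names are this example's own. It assumes Windows PowerShell running on Windows and reads HKLM, which needs no elevation; only the repair commands from the post need an Administrator prompt.

```powershell
# Added example (not from the NuGet post): audit the SCHANNEL "TLS 1.2\Client"
# values in both registry views, mirroring the post's `reg query ... /reg:32`
# and `/reg:64` checks.

$Tls12ClientSubKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Get-HklmValueInView {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View
    )
    # OpenBaseKey with an explicit view is the .NET equivalent of reg.exe's /reg:32 and
    # /reg:64, so a 64-bit process can still inspect the 32-bit view and vice versa.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }      # key absent: reg.exe's "unable to find" case
        try { return $key.GetValue($Name) }       # $null when only the value name is absent
        finally { $key.Close() }
    }
    finally { $base.Close() }
}

function Test-Tls12Client {
    param([Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View)
    $enabled  = Get-HklmValueInView -SubKey $Tls12ClientSubKey -Name 'Enabled'           -View $View
    $disabled = Get-HklmValueInView -SubKey $Tls12ClientSubKey -Name 'DisabledByDefault' -View $View

    # Absent values mean "Windows default", which on Windows 8 and later is TLS 1.2 on.
    # SCHANNEL treats Enabled as "0 = off, any other value = on"; the post expects 1.
    $enabledOk  = ($null -eq $enabled)  -or ($enabled -ne 0)
    $disabledOk = ($null -eq $disabled) -or ($disabled -eq 0)

    $enabledShown  = if ($null -eq $enabled)  { '(absent)' } else { $enabled }
    $disabledShown = if ($null -eq $disabled) { '(absent)' } else { $disabled }
    [pscustomobject]@{
        View              = $View
        Enabled           = $enabledShown
        DisabledByDefault = $disabledShown
        Tls12Usable       = ($enabledOk -and $disabledOk)
    }
}

# Check both views: a 32-bit NuGet client or build tool reads the 32-bit view,
# a 64-bit one reads the 64-bit view, so both must allow TLS 1.2.
$results = foreach ($viewName in 'Registry32', 'Registry64') {
    Test-Tls12Client -View ([Microsoft.Win32.RegistryView]$viewName)
}
$results | Format-Table -AutoSize

if ($results.Tls12Usable -contains $false) {
    Write-Warning 'TLS 1.2 is explicitly disabled in at least one registry view; run the reg add commands from this post in an elevated prompt.'
} else {
    Write-Host 'TLS 1.2 client support is not disabled in either registry view.'
}
```

The script only reads; it deliberately does not write to HKLM, so the fix remains the explicit reg add commands listed above, run with the privileges they require.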

Browsers

When browsing the nuget.org website, ensure that you are using the latest version of your web browser. Chrome, Edge, Internet Explorer, Firefox, and Safari have all committed to deprecating TLS 1.0 and 1.1, and the latest versions of each support TLS 1.2.

NuGet clients and PowerShell

We recommend upgrading to the latest NuGet clients (nuget.exe, dotnet.exe, the Package Manager UI in Visual Studio, Visual Studio for Mac, etc) as well as updating your builds to use our V3 API instead of the V2 API. We’ve added many features and made many performance and reliability fixes over the years that will improve your development process. The latest versions of our clients default to your operating system’s default version of TLS, which should be TLS 1.2.

Versions of nuget.exe older than 3.4.4, however, may default to using TLS 1.0. PowerShell also defaults to TLS 1.0. This can be fixed by changing your .NET Framework default TLS version, which is configured in your registry keys:

reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f /reg:64
reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f /reg:32

If you are using PowerShell and are writing a custom script but cannot edit your system’s registry keys, you can also set your TLS settings using ServicePointManager.SecurityProtocol:

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bOR [Net.SecurityProtocolType]::Tls12

.NET apps

If you interact with our APIs using your own app, consider upgrading to .NET Core or .NET Framework 4.7.2 or higher. This will ensure that your app defaults to using your operating system’s default TLS version. Alternatively, you can also set your TLS settings using ServicePointManager.SecurityProtocol:

    ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

Take note that your app will ignore your operating system’s TLS settings if you set ServicePointManager.SecurityProtocol directly. If you explicitly disable TLS 1.2, your app will not use it. It is recommended that you do not set ServicePointManager.SecurityProtocol unless you cannot upgrade your .NET version.
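The PowerShell one-liner above and the caveat in this section fit together in one script: add TLS 1.2 to the session's allowed set without replacing it, refuse to touch a session that is already deferring to the operating system, and then confirm the result with a real request. The following is an added example, not code from the NuGet post or the NuGet project. It assumes Windows PowerShell 5.1 (whose Invoke-WebRequest uses the .NET Framework HttpWebRequest and therefore honours ServicePointManager.SecurityProtocol) and uses the public V3 service index URL https://api.nuget.org/v3/index.json, which the post does not quote; the function names are this example's own.

```powershell
# Added example (not from the NuGet post): make the current session TLS 1.2-capable
# the way the post recommends (-bor, not plain assignment), respecting the
# "don't override the OS" caveat, then verify against the NuGet V3 service index.

function Enable-Tls12ForSession {
    $before = [Net.ServicePointManager]::SecurityProtocol

    # A numeric value of 0 is SecurityProtocolType.SystemDefault (.NET Framework 4.7+):
    # the OS (SCHANNEL) picks the protocol and already offers TLS 1.2 on Windows 8+.
    # OR-ing Tls12 into 0 would yield Tls12 *alone* and silently take the choice
    # away from the OS, which is exactly what the post warns about, so leave it.
    if ([int]$before -eq 0) {
        return [pscustomobject]@{ Before = 'SystemDefault'; After = 'SystemDefault'; Changed = $false }
    }

    # -bor adds TLS 1.2 to whatever is already allowed. Plain assignment
    # (= [Net.SecurityProtocolType]::Tls12) would replace the whole set instead.
    [Net.ServicePointManager]::SecurityProtocol = $before -bor [Net.SecurityProtocolType]::Tls12
    $after = [Net.ServicePointManager]::SecurityProtocol
    [pscustomobject]@{ Before = $before; After = $after; Changed = ($after -ne $before) }
}

function Test-NuGetV3Reachable {
    param([string] $ServiceIndex = 'https://api.nuget.org/v3/index.json')  # assumed public V3 index URL
    try {
        $resp  = Invoke-WebRequest -Uri $ServiceIndex -UseBasicParsing -TimeoutSec 30
        $index = $resp.Content | ConvertFrom-Json
        [pscustomobject]@{
            Reachable  = $true
            StatusCode = $resp.StatusCode
            ApiVersion = $index.version     # the service index carries its own version field
            Error      = $null
        }
    } catch {
        # "Could not create SSL/TLS secure channel" here is the symptom the post describes
        # when the client offers only TLS 1.0/1.1.
        [pscustomobject]@{
            Reachable  = $false
            StatusCode = $null
            ApiVersion = $null
            Error      = $_.Exception.Message
        }
    }
}

Enable-Tls12ForSession | Format-List
Test-NuGetV3Reachable  | Format-List
```

Run the two functions in the order shown: the first reports what the session allowed before and after (for example `Ssl3, Tls` becoming `Ssl3, Tls, Tls12`), and the second should then report Reachable = True. If it still fails with the secure channel error, the session setting is not the blocker and the registry checks earlier in this post are the next place to look.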

Troubleshooting

If none of the above steps work and you are still having issues with TLS 1.0/1.1, there may be some other settings on your system that are preventing TLS 1.2 from being used. Here are links to additional resources on how to ensure TLS 1.2+ readiness:

Feedback

We are working to make this transition as smooth as we can. If you have any issues in this process, feel free to reach out to our Twitter handle, @nuget or email support at support@nuget.org.

Author

Karan Nandwani
Program Manager

Karan drives product management for the NuGet team at Microsoft. His team owns the NuGet client experience (nuget.exe, dotnet.exe, and the NuGet package manager for Visual Studio) as well as the NuGet.org package repository. He works closely with .NET and Visual Studio to deliver seamless end-to-end experiences. He is always available to chat about feature asks, pain-points, and how NuGet can help meet your evolving needs.
