How Can I Determine the Negotiated TLS Version in .NET?

Posted on 2025-03-22

Determining the Negotiated TLS Version in .NET Applications

.NET 4.7 defaults to TLS 1.2 for HTTP requests; however, the actual TLS version used during connection establishment can vary. This guide outlines two methods for determining the negotiated TLS version.

Method 1: Reflection

This technique leverages reflection to access internal properties and fields to obtain the SSL protocol version. Note that this relies on internal APIs and might change with future .NET updates.

using System.IO.Compression;
using System.Net;
using System.Net.Security;
using System.Reflection;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// ... other code ...

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | 
                                       SecurityProtocolType.Tls11 | 
                                       SecurityProtocolType.Tls12 | 
                                       SecurityProtocolType.Tls13;

// ... other code ...

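Uri requestUri = new Uri("https://somesite.com");
var request = WebRequest.CreateHttp(requestUri);
// GetRequestStream() throws ProtocolViolationException for the default GET verb,
// so use a method that carries a request body.
request.Method = WebRequestMethods.Http.Post;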

// ... other code ...

using (var requestStream = request.GetRequestStream()) {
    // The TLS handshake has completed by the time the request stream is returned;
    // extract the negotiated protocol from it
    SslProtocols sslProtocol = ExtractSslProtocol(requestStream);
    if (sslProtocol != SslProtocols.None) {
        // Process the sslProtocol value
    }
}

// ... ExtractSslProtocol function (implementation would be provided here) ...

Method 2: Secure Connection Context Attributes (Advanced)

This method accesses connection context attributes via the secur32.dll library. This approach involves working with non-public handles and structures, making it less portable and potentially more complex. (Detailed implementation omitted due to complexity and potential instability.)

Important Considerations:

  • .NET Version: TLS 1.3 support necessitates .NET Framework 4.8 or later, or .NET Core 3.0.
  • RemoteCertificateValidationCallback: This callback offers insights into the security protocols employed, aiding in TLS version identification.
  • TcpClient: Using TcpClient allows retrieving TLS information before WebRequest initialization, enabling proactive TLS version determination.
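
The TcpClient approach in the last point needs no reflection, because SslStream exposes the negotiated version through its public SslProtocol property once the handshake has completed. The following is an added example, not code from the original page; the TlsProbe class name, the TLS 1.2 minimum and the exit codes are assumptions, and the default host is the page's placeholder.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example (hypothetical class name): reads the negotiated TLS version
// through the public SslStream API instead of reflection.
static class TlsProbe
{
    // Assumed policy for this example: anything below TLS 1.2 is rejected.
    const SslProtocols Minimum = SslProtocols.Tls12;

    static SslProtocols GetNegotiatedProtocol(string host, int port)
    {
        using (var client = new TcpClient(host, port))
        // No validation callback is supplied, so default certificate checks apply.
        using (var ssl = new SslStream(client.GetStream(), false))
        {
            // SslProtocols.None lets the OS pick the version
            // (assumes .NET Framework 4.7 or later).
            ssl.AuthenticateAsClient(host, null, SslProtocols.None, true);
            return ssl.SslProtocol; // valid only after the handshake completes
        }
    }

    static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "somesite.com"; // page's placeholder host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;
        try
        {
            SslProtocols negotiated = GetNegotiatedProtocol(host, port);
            Console.WriteLine("{0}:{1} negotiated {2}", host, port, negotiated);
            if (negotiated < Minimum)
            {
                Console.Error.WriteLine("Below required minimum {0}; do not send data.", Minimum);
                return 1;
            }
            return 0;
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is IOException || ex is SocketException)
        {
            // Handshake or certificate validation failed, or the host was unreachable.
            Console.Error.WriteLine("TLS connection failed: {0}", ex.Message);
            return 2;
        }
    }
}
```

Run it against the endpoint before creating the WebRequest; a non-zero exit code means the connection should not be used for application data.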

This information helps developers understand and manage the security protocols used by their .NET applications. Remember to carefully consider the implications and potential risks associated with using reflection and interacting with unmanaged libraries.
