AWS Developer Blog

Upgrade AWS SDK for .NET for latest TLS Protocols

If your application is using .NET Framework 3.5 or 4.5 you should update to version 3.3.22.0 or later of AWSSDK.Core. This ensures you are using the latest HTTPS protocols and can communicate with newer AWS services.

Background

A growing trend across the internet is for HTTPS services to only accept connections using newer encryption protocols and refusing support for older protocols. This trend is true at AWS as well, and many of our services currently support only newer encryption protocols. If you’re using older versions of the .NET Framework, this can affect your ability to access AWS services with the AWS SDK for .NET.

When a connection is made over HTTPS a handshake is made between the client and the service. The client tells the service what protocols it understands and the service responds back, agreeing to talk to the latest supported protocol that they both support. Currently there are four protocols that .NET supports: SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. A new TLS 1.3 version was recently approved and in the future we can expect languages and platforms to start adding support for it.

To help improve internet security, support for SSL 3.0 and TLS 1.0 are being dropped from many internet services, and new AWS services will not support these protocols.

Impact to the .NET Framework

Version 4.5 and earlier versions of the .NET Framework were released before TLS 1.1 existed, so by default, when the HTTP clients in these versions attempt to make an HTTPS connection, they tell the service they only support SSL 3.0 and TLS 1.0. In fact, if you look at the documentation of the System.Net.SecurityProtocolType enum in the 4.5 version of the .NET Framework, you can see it only lists Ssl3 and Tls. Notice Tls doesn’t have a version number because only one existed at the time. Later versions of the framework added the Tls11 and Tls12 members. What this enum unintentionally did was restrict the supported protocols to the ones known at the time of that release of the .NET Framework, regardless of the underlying OS being upgraded to support newer TLS versions.

For the 4.6 release of the .NET Framework new enum values were added for TLS 1.1 and TLS 1.2. In .NET Framework 4.7 the enum protocol was improved by having a new Default value, which puts the control into what protocols are supported to whatever the underlying OS supports. So as .NET Framework 4.7 ages, it can still use newer protocols automatically when the underlying OS is updated.

AWS SDK for .NET

In version 3.3.22.0 of AWSSDK.Core we made a change to force newer TLS protocols into the list of client acceptable protocols, even in older versions of the .NET Framework, assuming the underlying OS has been updated to support the newer TLS versions. If you are using .NET Framework 4.5 or .NET Framework 3.5, be sure to upgrade to at least this version of AWSSDK.Core. Even if you’re not using a newer AWS service in your application, it’s still important to upgrade so that when you connect to existing services, like Amazon S3 or Amazon SQS, you’re using the latest secure protocols for communicating over the internet.

AWS Tools for PowerShell

The AWS Tools for PowerShell are built on top of the AWS SDK for .NET. To maximize their compatibility it uses the .NET Framework 3.5 version of the SDK. Version 3.3.270.0 of the AWSPowerShell module is built with the newer version of AWSSDK.Core, which has this fix to force new TLS protocols when available.

Conclusion

For any issues with the AWS SDK for .NET, or feedback for the SDK, reach out to us on our GitHub repository. We also encourage developers as they upgrade their dependencies to look at upgrading their version of the .NET Framework. Although we haven’t started work yet on a new major version of the AWS SDK for .NET, when we do we will be dropping support for .NET Framework 3.5. This is because it was released back in 2007, and support for that version of the .NET Framework has dwindled considerably over the years.