TLS and .net <4.6


Demeranville, Tom

Sep 12, 2018, 12:16:21 PM
to ORCID API Users
We've had a couple of reports from .net using members that they're having trouble connecting to https://orcid.org/oauth/token.  If you're seeing this issue, we believe that moving to TLS1.2 will fix the issue. 

Older versions of .net do not support TLS1.2 out of the box and require configuration to do so.  Microsoft's advice in this case is:

  • .NET 4.6 and above. You don’t need to do any additional work to support TLS 1.2; it’s supported by default.
  • .NET 4.5. TLS 1.2 is supported, but it’s not a default protocol. You need to opt in to use it. The following code will make TLS 1.2 the default; make sure to execute it before making a connection to a secured resource:

        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

  • .NET 4.0. TLS 1.2 is not supported, but if you have .NET 4.5 (or above) installed on the system then you can still opt in to TLS 1.2 even if your application framework doesn’t support it. The only problem is that SecurityProtocolType in .NET 4.0 doesn’t have an entry for TLS 1.2, so we’d have to use a numerical representation of this enum value:

        ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

  • .NET 3.5 or below. TLS 1.2 is not supported (*) and there is no workaround. Upgrade your application to a more recent version of the framework.

From https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/

This is currently affecting only a small number of integrations.  Please let us know if this is having an impact on your service and we'd be happy to help.

Tom Demeranville
Technology Advocate
ORCID Inc
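As an added illustration of the Microsoft guidance quoted above (my own example, not code from this thread, from Microsoft or from ORCID): a small console program that opts in to TLS 1.2 in a way that works on .NET 4.0 and 4.5 alike, then checks whether a handshake to the token endpoint succeeds. The numeric value 3072 and the endpoint URL come from the thread; the HEAD method, the 10-second timeout and the class/method names are my assumptions.

```csharp
using System;
using System.Net;

// Added example: version-aware TLS 1.2 opt-in plus a handshake check.
// Not part of the original thread; names and timeout are assumptions.
static class Tls12Check
{
    // Numeric value of SecurityProtocolType.Tls12 (quoted in the thread).
    // Using the number instead of the enum member keeps this compiling on
    // .NET 4.0, where the member does not exist.
    const int Tls12Value = 3072;

    public static void EnsureTls12()
    {
        // OR the flag in rather than assigning, so whatever the runtime
        // already enables is kept and TLS 1.2 is only added.
        ServicePointManager.SecurityProtocol |= (SecurityProtocolType)Tls12Value;
    }

    // Returns true when the TLS handshake to the URL completed, regardless of
    // the HTTP status the server then sent back.
    public static bool HandshakeSucceeds(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "HEAD";   // assumption: any method is enough for a handshake test
        request.Timeout = 10000;   // assumption: 10 s
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                Console.WriteLine("Handshake OK, HTTP {0}", (int)response.StatusCode);
                return true;
            }
        }
        catch (WebException ex)
        {
            // A non-2xx reply (e.g. 405 on a token endpoint that expects POST)
            // still means TLS negotiated fine; only a failure before any
            // response indicates the protocol or trust-store problem
            // discussed in the thread.
            if (ex.Response != null)
            {
                Console.WriteLine("Handshake OK, HTTP {0}",
                    (int)((HttpWebResponse)ex.Response).StatusCode);
                return true;
            }
            Console.WriteLine("Connection failed: {0} [{1}]", ex.Message, ex.Status);
            if (ex.Status == WebExceptionStatus.SecureChannelFailure)
                Console.WriteLine("Check the enabled TLS versions and the trusted certificate store.");
            return false;
        }
    }

    static void Main()
    {
        Console.WriteLine("Protocols before: {0}", ServicePointManager.SecurityProtocol);
        EnsureTls12();
        Console.WriteLine("Protocols after:  {0}", ServicePointManager.SecurityProtocol);
        HandshakeSucceeds("https://orcid.org/oauth/token");
    }
}
```

Run it once on the application server before changing the real integration: the "before" line shows what the runtime enables by default (on 4.0 typically only SSL 3 and TLS 1.0), and the "after" line confirms the 3072 bit took effect. On .NET 4.0 the cast only works when 4.5 or later is installed on the machine, exactly as the quoted advice says.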

Pete Meyer

Sep 12, 2018, 2:48:26 PM
to ORCID API Users
We've seen (and resolved) a similar issue with problems to https://orcid.org/oauth/token and https://sandbox.orcid/oauth/token with a Java-based application, so this may not be restricted to just .net.

This was something we were able to resolve by updating the trusted certificate store used by the application server(s).  I'm not familiar enough with .net application servers to know if this would be an alternative approach to investigate if anyone runs into this problem, but the two stacks are similar enough that it seemed worth suggesting.

Best,
Pete

Will Simpson

Sep 28, 2018, 10:56:42 AM
to ORCID API Users
We are working hard with our vendor to get older TLS versions working again on orcid.org in all regions.

As mentioned by Tom, by far the best solution is to upgrade to the latest TLS version.

However, if this is not possible in the short term, members can temporarily work around the problem by changing the token endpoint from


to


There is no need to change the authorization endpoint (the page where users grant permissions), because users' browsers will support the latest TLS. It is just backend code that may have a problem.

Regards,

Will


Will Simpson

Sep 28, 2018, 11:02:06 AM
to ORCID API Users
Thanks for your thoughts too, Pete. Indeed, updating the trust store is needed sometimes, or updating your runtime platforms to the latest versions to get the latest certificate authorities.

In this case though, older TLS is not working sometimes on some of our edge servers in some regions. This needs to be fixed by our vendor.

Best,

Will