Security Protocol Support¶
Vinyl is a .Net application. In .Net, the supported SSL and TLS security protocols are global settings. They must be set at startup, before making any HTTP connections. The default security protocols supported vary by Vinyl version.
| Version | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 |
|---|---|---|---|---|
| 1.0 | Yes | Yes | No | No |
| 1.1 to 1.5 | No | No | Yes | Yes |
| 1.6 and up | No | Yes | Yes | Yes |
Developers can override the default security providers. To do so, edit the AppSettings.config file:
{Vinyl}\Config\AppSettings.config
Add a SecurityProtocols key with a comma delimited list of values. The values must correspond to member names of the SecurityProtocolType enumeration. For example:
<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
<add key="SecurityProtocols" value="Ssl3, Tls, Tls11, Tls12" />
</appSettings>
For more on customizing the AppSettings.config file, see Custom .Net configuration.
Some security protocols are inherently insecure and should be avoided. In particular, SSL 3.0 is vulnerable to the POODLE attack.