CA5361 | Category: Security | Enabled by default: No

Do not disable SChannel use of strong crypto
Description

Setting Switch.System.Net.DontEnableSchUseStrongCrypto to true weakens the cryptography used in outgoing Transport Layer Security (TLS) connections. Weaker cryptography can compromise the confidentiality of communication between your application and the server, making it easier for attackers to eavesdrop on sensitive data. For more information, see Transport Layer Security (TLS) best practices with .NET Framework.

Cause

A System.AppContext.SetSwitch method call sets Switch.System.Net.DontEnableSchUseStrongCrypto to true.

By default, this rule analyzes the entire codebase, but this is configurable.

How to fix violations

  • If your application targets .NET Framework v4.6 or later, you can either remove the System.AppContext.SetSwitch method call, or set the switch's value to false.
  • If your application targets .NET Framework earlier than v4.6 and runs on .NET Framework v4.6 or later, set the switch's value to false.
  • Otherwise, refer to Transport Layer Security (TLS) best practices with .NET Framework for mitigations.
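The rule only inspects System.AppContext.SetSwitch calls in source; the same switch can also be turned on from outside the code through the AppContextSwitchOverrides element in app.config or web.config, which a source analyzer never sees. The following is an added example, not code from the Microsoft docs or this rules site: it scans a constructed app.config for that override so a build or review step can flag the weakened setting.

```python
import xml.etree.ElementTree as ET

SWITCH = "Switch.System.Net.DontEnableSchUseStrongCrypto"

# Constructed sample app.config: the switch is set to true via the
# <runtime><AppContextSwitchOverrides> element instead of SetSwitch().
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <AppContextSwitchOverrides
      value="Switch.System.Globalization.NoAsyncCurrentCulture=true;Switch.System.Net.DontEnableSchUseStrongCrypto=true" />
  </runtime>
</configuration>
"""


def parse_switch_overrides(config_xml: str) -> dict:
    """Return {switch_name: bool} for every AppContextSwitchOverrides entry.

    The value attribute is a ';'-separated list of name=value pairs.
    If a switch is repeated, the last occurrence wins in this parser.
    """
    root = ET.fromstring(config_xml)
    overrides = {}
    for node in root.iter("AppContextSwitchOverrides"):
        for pair in node.get("value", "").split(";"):
            if "=" not in pair:
                continue  # tolerate trailing ';' or malformed entries
            name, _, value = pair.partition("=")
            overrides[name.strip()] = value.strip().lower() == "true"
    return overrides


def weak_crypto_enabled_by_config(config_xml: str) -> bool:
    """True when the config sets DontEnableSchUseStrongCrypto=true.

    Matching is case-insensitive so a differently cased switch name
    is reported rather than silently missed.
    """
    return any(
        name.lower() == SWITCH.lower() and enabled
        for name, enabled in parse_switch_overrides(config_xml).items()
    )


if __name__ == "__main__":
    print(weak_crypto_enabled_by_config(SAMPLE_CONFIG))  # True
```

Run it over every app.config and web.config in the repository as part of CI; a true result is the same condition CA5361 reports for code, only reached through configuration.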

Example

using System;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // CA5361 violation
        AppContext.SetSwitch("Switch.System.Net.DontEnableSchUseStrongCrypto", true);
    }
}

using System;

public class ExampleClass
{
    public void ExampleMethod()
    {
        // No CA5361 violation: strong crypto stays enabled
        // (removing the call entirely is equally valid on .NET Framework 4.6 or later)
        AppContext.SetSwitch("Switch.System.Net.DontEnableSchUseStrongCrypto", false);
    }
}

When to suppress

You can suppress this warning if you need to connect to a legacy service that can't be upgraded to use secure TLS configurations.
