All rules
CA5364Security Enabled by default: No
Do not use deprecated security protocols
Do not use deprecated security protocols
Microsoft docsDescription
Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. For guidance on identifying and removing deprecated protocol versions, see Solving the TLS 1.0 Problem, 2nd Edition.
Cause
This rule fires when either of the following conditions are met:
- A deprecated System.Net.SecurityProtocolType value was referenced.
- An integer value representing a deprecated value was assigned to a System.Net.SecurityProtocolType variable.
Deprecated values are:
- Ssl3
- Tls
- Tls10
- Tls11
How to fix violations
Don't use deprecated TLS protocol versions.
Example
using System;
using System.Net;
public class ExampleClass
{
public void ExampleMethod()
{
// CA5364 violation
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
}
}
using System;
using System.Net;
public class ExampleClass
{
public void ExampleMethod()
{
// CA5364 violation
ServicePointManager.SecurityProtocol = (SecurityProtocolType) 768; // TLS 1.1
}
}
using System;
using System.Net;
public class TestClass
{
public void TestMethod()
{
// Let the operating system decide what TLS protocol version to use.
// See https://learn.microsoft.com/dotnet/framework/network-programming/tls
}
}When to suppress
You can suppress this warning if:
- The reference to the deprecated protocol version isn't being used to enable a deprecated version.
- You need to connect to a legacy service that can't be upgraded to use secure TLS configurations.
Your vote
Group results
0 yes 0 no
ConsensusNone (disabled)
Severity preference (yes voters)
Suggestion0
Warning0
Error0