How Can I Determine the Negotiated TLS Version in a .NET 4.7 HTTP Request?

How to determine the negotiated TLS version?

Determining the TLS version negotiated during a web request can provide valuable insights for debugging and logging purposes.

.NET 4.7 uses TLS 1.2 by default for HTTP requests. However, it is often necessary to determine the specific TLS version actually established during the connection.

This article explores various techniques for extracting this information from the stream returned by HttpWebRequest.GetRequestStream() or HttpWebRequest.GetResponseStream().

Reflection method

Using reflection, we can access the TlsStream->SslState->SslProtocol property value. This method works for both compressed and uncompressed streams. Additionally, validation occurs when the request is initialized using request.GetRequestStream().

TcpClient Alternative

Consider using TcpClient() if it is critical to obtain protocol information before initializing the WebRequest. By establishing the connection using the same settings as the WebRequest (supported protocols and certificate verification), you can determine the TLS protocol that will be negotiated with the target server.

Secur32.dll call

The

secur32.dll -> QueryContextAttributesW() method can be used to query the connection security context of an initialized stream. However, the required context handle is not public and can only be accessed via reflection or the AuthenticatedStream class. Unfortunately, these classes are not compatible with the streams returned by WebRequest/WebResponse.

Decompression flow inspection

If the request returns a stream that has been decompressed (for example, GZIP or Deflate), the underlying TlsStream must be extracted before proceeding with the above method.

The above is the detailed content of How Can I Determine the Negotiated TLS Version in a .NET 4.7 HTTP Request?. For more information, please follow other related articles on the PHP Chinese website!