多年来,我一直在使用 Amazon SES 成功发送电子邮件。但是,出于 PCI 合规性的原因,我们一直在尝试禁用 TLS 1.0:
System.Net.ServicePointManager.SecurityProtocol =
SecurityProtocolType.Tls11 |
SecurityProtocolType.Tls12;
但是,这会导致在尝试发送电子邮件时出现异常:
AuthenticationException:
A call to SSPI failed, see inner exception.
The client and server cannot communicate, because they do not
possess a common algorithm
只要我重新添加 SecurityProtocolType.Tls,发送就会再次成功。在 .NET 4.5 和 4.6 中都会发生这种情况。使用的是 AWSSDK-SimpleEmail (v3.1.1.1) 和 AWSSDK-Core Runtime (v3.1.2.1)。
发布于 2016-05-27 04:49:10
回答我自己的问题:
我们让 TLS 1.0 客户端保持启用,而将 TLS 1.0 服务器端禁用。这样既能满足 SSLLabs 和 PCI 检查的要求,同时仍然允许我们连接到 Amazon SES 发送电子邮件。下面是我们使用的代码:
/// <summary>
/// Desired SCHANNEL state as (protocol, "client" or "server", enabled) triples,
/// consumed by ConfigureProtocols. SSL 2.0 and SSL 3.0 are disabled on both
/// sides; TLS 1.0 stays enabled on the client side only, so outgoing mail to
/// Amazon SES still negotiates, while incoming TLS 1.0 requests are refused;
/// TLS 1.1 and TLS 1.2 are enabled on both sides. Because the "client" key is
/// machine-wide, the host remains able to negotiate TLS 1.0 as a client to any
/// server, not just to SES.
/// </summary>
private static Tuple<string, string, bool>[] s_ProtocolConfig = new Tuple<string, string, bool>[]
{
    // protocol    side      enabled
    Tuple.Create("SSL 2.0", "client", false),
    Tuple.Create("SSL 2.0", "server", false),
    Tuple.Create("SSL 3.0", "client", false),
    Tuple.Create("SSL 3.0", "server", false),
    // Keep the TLS 1.0 client enabled so outgoing email can still be sent.
    Tuple.Create("TLS 1.0", "client", true),
    // Set to false to refuse incoming TLS 1.0 connections.
    Tuple.Create("TLS 1.0", "server", false),
    Tuple.Create("TLS 1.1", "client", true),
    Tuple.Create("TLS 1.1", "server", true),
    Tuple.Create("TLS 1.2", "client", true),
    Tuple.Create("TLS 1.2", "server", true),
};
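/// <summary>
/// Enables or disables SCHANNEL protocols machine-wide by writing the
/// "enabled" and "disabledbydefault" DWORD values under
/// HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\&lt;protocol&gt;\&lt;client|server&gt;.
/// Changed values only take effect after a reboot. These keys are system-wide,
/// so the change affects every process on the host, not only this application,
/// and writing them requires write access to HKLM (normally an elevated process).
/// </summary>
/// <param name="config">Triples of (protocol name, "client" or "server", enabled).</param>
/// <returns>
/// true if any value was changed (or a missing key was created as disabled) so
/// that a reboot is required; otherwise false.
/// </returns>
/// <exception cref="InvalidOperationException">
/// The SCHANNEL Protocols key does not exist or could not be opened for writing.
/// </exception>
/// <exception cref="System.Security.SecurityException">
/// The caller lacks permission to open the key for writing.
/// </exception>
/// <exception cref="UnauthorizedAccessException">
/// The caller lacks permission to create or modify a sub-key.
/// </exception>
private static bool ConfigureProtocols(IEnumerable<Tuple<string, string, bool>> config)
{
    const string protocolsPath = @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";
    bool rebootRequired = false;
    using (RegistryKey protocols = Registry.LocalMachine.OpenSubKey(protocolsPath, true))
    {
        if (protocols == null)
        {
            // OpenSubKey returns null rather than throwing when the key is missing;
            // fail with a clear message instead of a NullReferenceException below.
            throw new InvalidOperationException("Registry key HKLM\\" + protocolsPath + " was not found.");
        }
        foreach (Tuple<string, string, bool> proto in config)
        {
            string protocol = proto.Item1;
            string clientServer = proto.Item2;
            bool enabled = proto.Item3;
            using (RegistryKey group = protocols.CreateSubKey(protocol))
            {
                // Probe before CreateSubKey: a missing client/server key is treated as
                // "enabled", so creating it in the disabled state is itself a change.
                bool added;
                using (RegistryKey existing = group.OpenSubKey(clientServer))
                {
                    added = existing == null;
                }
                using (RegistryKey target = group.CreateSubKey(clientServer))
                {
                    bool updated = EnsureValue(target, "disabledbydefault", !enabled);
                    updated |= EnsureValue(target, "enabled", enabled);
                    // Existing key with changed values, or a new key that disables a
                    // previously (implicitly) enabled protocol: both need a reboot.
                    if ((!added && updated) || (added && !enabled))
                    {
                        rebootRequired = true;
                    }
                }
            }
        }
    }
    return rebootRequired;
}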
/// <summary>
/// Ensures <paramref name="name"/> under <paramref name="key"/> holds the DWORD
/// 1 or 0 corresponding to <paramref name="value"/>, writing it only when the
/// stored value is not already that exact integer.
/// </summary>
/// <param name="key">Writable registry key to update.</param>
/// <param name="name">Registry value name, e.g. "enabled" or "disabledbydefault".</param>
/// <param name="value">Desired state; stored as 1 for true and 0 for false.</param>
/// <returns>true if the value was written (missing or different); false if it already matched.</returns>
private static bool EnsureValue(RegistryKey key, string name, bool value)
{
    int expected = value ? 1 : 0;
    object current = key.GetValue(name);
    // Only a boxed Int32 equal to the target needs no write; a missing value,
    // a different number, or a value of another kind is overwritten.
    if (current is int && (int)current == expected)
    {
        return false;
    }
    key.SetValue(name, expected);
    return true;
}
https://stackoverflow.com/questions/33225896