From 39028184d51326db92602574afaf87aa9e6f7580 Mon Sep 17 00:00:00 2001 From: Alicia Li Date: Wed, 14 Mar 2018 12:48:09 -0700 Subject: [PATCH] Alicial/net472 wcfcompatdoc (#658) * Add WCF compat doc for bug#516393 * Minor updates to address review feedbacks * Minor update to address review feedback * updates to address Ron's review feedbacks * Minor updates per Ron's review feedbacks --- ...-for-Net.Tcp-certificate-authentication.md | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 Documentation/compatibility/WCF-Improved-WCF-chain-trust-certificate-validation-for-Net.Tcp-certificate-authentication.md diff --git a/Documentation/compatibility/WCF-Improved-WCF-chain-trust-certificate-validation-for-Net.Tcp-certificate-authentication.md b/Documentation/compatibility/WCF-Improved-WCF-chain-trust-certificate-validation-for-Net.Tcp-certificate-authentication.md new file mode 100644 index 0000000..5c36dbd --- /dev/null +++ b/Documentation/compatibility/WCF-Improved-WCF-chain-trust-certificate-validation-for-Net.Tcp-certificate-authentication.md 
@@ -0,0 +1,33 @@ +## Improved WCF chain trust certificate validation for Net.Tcp certificate authentication + +### Scope +Minor + +### Version Introduced +4.7.2 + +### Source Analyzer Status +NotPlanned + +### Change Description +.NET Framework 4.7.2 improves chain trust certificate validation when using certificate authentication with transport security with WCF. With this improvement, client certificates that are used to authenticate to a server must be configured for client authentication. Similarly server certificates that are for the authenticating a server must be configured for server authentication. With this change, if the root certificate is disabled, the certificate chain validation fails. The same change was also made to .NET Framework 3.5 and later versions via Windows security roll-up. You can find more information [here](https://support.microsoft.com/en-us/help/4055269/security-only-update-for-net-framework-3-5-1-4-5-2-4-6-4-6-1-4-6-2-4-7). + +This change is on by default and can be turned off by a configuration setting. + +### Recommended Action + - Validate if your server and client certification has the required EKU OID. If not, update your certification. + - Validate if your root certificate is invalid. If so, update the root certificate. + - How to opt out of the change: + If you can't update the certificate, you can work around the breaking change temporarily with the following configration setting, However, opting out of the change will leave your system vulnerable to the security issue. + +```xml + + + + ``` + +### Affected APIs +* Not detectable via API analysis + +### Category +Runtime \ No newline at end of file
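Review bot: the opt-out code block under "How to opt out of the change" is empty, so the sentence "you can work around the breaking change temporarily with the following configration setting" points at nothing and a reader has no way to apply the documented workaround; the ```xml fence should contain the actual configuration setting the text refers to. While touching that paragraph, fix "configration" to "configuration" and the comma splice ", However, opting out" to ". However, opting out". In the Recommended Action bullets, "certification" should read "certificate" in both places, and "Validate if your root certificate is invalid. If so, update the root certificate." would be clearer as "Check whether your root certificate is disabled; if so, update it." to match the Change Description, which says validation fails when the root certificate is disabled. In the Change Description, "server certificates that are for the authenticating a server" should be "server certificates that are used to authenticate a server", with a comma after "Similarly". The new file also lacks a trailing newline ("\ No newline at end of file").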