tls-1-x-by-default-passes-sch-send-aux-record-flag-to-the-underlying-schannel-api.md

TLS 1.x by default passes the SCH_SEND_AUX_RECORD flag to the underlying SCHANNEL API

Scope

Edge

Version Introduced

4.6

Source Analyzer Status

NotPlanned

Change Description

When using TLS 1.x, the .NET Framework relies on the underlying Windows SCHANNEL API. Starting with .NET Framework 4.6, the SCH_SEND_AUX_RECORD flag is passed by default to SCHANNEL. This causes SCHANNEL to split data to be encrypted into two separate records, the first as a single byte and the second as n-1 bytes.

In rare cases, this breaks communication between clients and existing servers that make the assumption that the data resides in a single record.

• Quirked
• Build-time break

Recommended Action

If this change breaks communication with an existing server, you can disable sending the SCH_SEND_AUX_RECORD flag and restore the previous behavior of not splitting data into separate records by adding the following switch to the <AppContextSwitchOverrides> element in the <runtime> section of your app configuration file:

<runtime>
   <AppContextSwitchOverrides   
          value="Switch.System.Net.DontEnableSchSendAuxRecord=true" /> 
</runtime>

Important

This setting is provided for backward compatibility only. Its use is otherwise not recommended.

Affected APIs

• T:System.Net.Security.SslStream
• T:System.Net.ServicePointManager
• T:System.Net.Http.HttpClient
• T:System.Net.Mail.SmtpClient
• T:System.Net.HttpWebRequest
• T:System.Net.FtpWebRequest

Category

Networking