Conversation

Copilot AI commented Dec 2, 2025

WebClient.OpenRead() in CasMvc.cs uses .NET Framework 4.5's default TLS 1.0, which the CAS server no longer accepts, causing SSL handshake failures during ticket validation.

Changes

  • Enforce TLS 1.2: Set ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 before the backchannel call
  • Fix resource leak: Wrap WebClient and StreamReader in using statements

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
using (var webClient = new WebClient())
using (var sr = new StreamReader(webClient.OpenRead(StrCasUrl + "validate?ticket=" + ticket + "&service=" + service)))
{
    // validate response
}

Setting SecurityProtocol globally is intentional—all HTTPS connections in the app should use TLS 1.2+.

Original prompt

On CasMvc.cs, update this repo, if necessary, to use TLS 1.2 (or just latest TLS). It seems when using the CasMvc.cs file, our webclient.openread() is calling for a backchannel token and we are getting an SSL error from the server. If no update is necessary and you'd expect this to work properly deployed on a win server, then explain why

Copilot AI and others added 2 commits December 2, 2025 17:35
Co-authored-by: srkirkland <202753+srkirkland@users.noreply.github.com>
Copilot AI changed the title [WIP] Update CasMvc.cs to use TLS 1.2 for secure connections Fix TLS 1.2 for CAS backchannel ticket validation Dec 2, 2025
Copilot AI requested a review from srkirkland December 2, 2025 17:36
@srkirkland
Member

@copilot 1. Should I put the ServicePointManager.SecurityProtocol somewhere higher, like in a global startup, or keep it here in the casmvc manager?
2. Is there a way to update this on the server w/o code, just say "default to 1.2"? Or would that require a new push?

Author

Copilot AI commented Dec 2, 2025

@copilot 1. should i put the ServicePointManager.SecurityProtocol somewhere higher, like in a global startup, or keep it here in the casmvc manager?
2. is there a way to update this on the server w/o ...

  1. Global startup vs CasMvc: Either works. Moving it to Application_Start() in Global.asax.cs is cleaner if you want all HTTPS calls to use TLS 1.2 from the start. Keeping it in CasMvc is fine since it only needs to be set once per app domain—subsequent calls reuse the setting. Personal preference: global startup is slightly better for clarity.

  2. Server-side config without code: Yes! For .NET Framework 4.5+, you can set this via registry on the Windows Server:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    This makes .NET default to TLS 1.2 without code changes. However, the code change is safer since it works regardless of server configuration and documents the intent explicitly. If you prefer the registry approach, I can revert the code change.
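The following is an added example that is not part of this pull request or the repository's CasMvc.cs. It puts the two points of the thread together: the backchannel call from the PR description (TLS 1.2 enforced once, WebClient and StreamReader disposed with using, and the ticket and service values query-encoded with Uri.EscapeDataString rather than concatenated raw), and a read-only check of the SchUseStrongCrypto registry switch from the reply above so an operator can tell whether a server already opts in without code. The class name CasTicketValidator, the method names EnsureTls12, ValidateTicket and StrongCryptoEnabled, and the "yes\n<user>\n" / "no\n\n" response layout of the CAS 1.0 /validate endpoint are assumptions of this example; the registry paths and value name are the ones given in the reply.

```csharp
using System;
using System.IO;
using System.Net;
using Microsoft.Win32;

// Added example; not the repository's own code. All names below are hypothetical.
public static class CasTicketValidator
{
    private static readonly object TlsLock = new object();
    private static bool _tlsConfigured;

    // Set once per app domain, e.g. from Application_Start in Global.asax.cs.
    // Assigning (not OR-ing) drops the Ssl3|Tls default of .NET 4.5 so the
    // client never offers SSL 3.0 or TLS 1.0 on the backchannel.
    // On .NET 4.8 you may add SecurityProtocolType.Tls13 to the assignment.
    public static void EnsureTls12()
    {
        lock (TlsLock)
        {
            if (_tlsConfigured) return;
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
            _tlsConfigured = true;
        }
    }

    // Calls the CAS 1.0 /validate endpoint and returns the validated user id,
    // or null when the server answers "no". casBaseUrl must end with '/'.
    public static string ValidateTicket(string casBaseUrl, string ticket, string service)
    {
        if (string.IsNullOrEmpty(ticket) || string.IsNullOrEmpty(service))
            return null;

        EnsureTls12();

        // Encode both values so a ticket or service URL containing '&', '=' or
        // '#' cannot alter the query string sent to the CAS server.
        var url = casBaseUrl + "validate?ticket=" + Uri.EscapeDataString(ticket)
                + "&service=" + Uri.EscapeDataString(service);

        using (var webClient = new WebClient())
        using (var stream = webClient.OpenRead(url))
        using (var sr = new StreamReader(stream))
        {
            // CAS 1.0 reply is two lines: "yes" + user id, or "no" + empty line.
            var verdict = sr.ReadLine();
            if (verdict != "yes") return null;

            var user = sr.ReadLine();
            return string.IsNullOrEmpty(user) ? null : user.Trim();
        }
    }

    // Reports whether the server-side SchUseStrongCrypto switch from the thread
    // is set for both the 64-bit and the WOW6432Node .NET 4.x keys. Read-only;
    // uses the 64-bit registry view so both paths resolve as written even from
    // a 32-bit process. Windows only.
    public static bool StrongCryptoEnabled()
    {
        const string key64 = @"SOFTWARE\Microsoft\.NETFramework\v4.0.30319";
        const string key32 = @"SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319";
        return ReadDword(key64) == 1 && ReadDword(key32) == 1;
    }

    private static int ReadDword(string subKey)
    {
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (var key = hklm.OpenSubKey(subKey))
        {
            if (key == null) return 0;
            var value = key.GetValue("SchUseStrongCrypto");
            return value is int ? (int)value : 0;
        }
    }
}
```

Either EnsureTls12 or the registry switch fixes the handshake; keeping both is reasonable because the in-code setting travels with the deployment while the registry value also covers other .NET 4.x applications on the same host. StrongCryptoEnabled is meant for a startup log line or a health check, so a server that was rebuilt without the registry change is noticed before the first failed ticket validation.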
