
.NET 10: Automatic support of TLS 1.3 on macOS

Introduction

With .NET 10, macOS developers get a nice upgrade for free: TLS 1.3 is automatically used when available for outbound HTTPS connections without changing a single line of code.

In this post, we’ll quickly explain what that means, why it matters, and how you can validate it with a minimal HttpClient example.

Why TLS 1.3 matters (quick recap)

TLS (Transport Layer Security) is the protocol behind HTTPS. TLS 1.3 is the modern version and generally provides:

  • Faster handshakes (less latency)
  • Stronger default cryptography choices
  • Fewer legacy options and better security posture

From an application standpoint, you usually don’t “enable TLS 1.3” yourself. You rely on the OS and the underlying TLS stack to negotiate the best protocol supported by both client and server.

What changes with .NET 10 on macOS

On macOS, .NET uses Apple’s native TLS stack (Secure Transport / Network.framework depending on the implementation). With .NET 10, the runtime will automatically negotiate TLS 1.3 when macOS supports it and the remote endpoint offers it.

The key point is this:

  • You keep writing regular HttpClient code.
  • The runtime/OS negotiates the best protocol.
  • TLS 1.3 becomes the default outcome whenever possible.

No flags, no special handlers, no custom socket settings for the common case.

Example

That’s it.

In most real-world apps (API clients, microservices calling internal endpoints, background jobs scraping pages), this is exactly what you want: modern TLS negotiation without any application-level complexity.

How to verify which TLS version was negotiated

If you want to confirm the negotiated protocol (useful for demos, diagnostics, or compliance checks), you typically verify it outside the code:

  • Capture traffic with a TLS-capable tool (e.g., packet inspection / OS logging).
  • Use a test endpoint you control that reports negotiated TLS version.
  • Check server-side logs/telemetry (some reverse proxies can log the TLS protocol version).

In other words: negotiation happens below your application code, so validation is usually done at the network boundary.
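For a quick client-side check, the negotiated version can also be read in code. The following is an added example, not code from the original post: it uses SslStream (the class HttpClient uses underneath) instead of HttpClient itself, and the default host `example.com` is a placeholder to replace with the endpoint you want to check.

```csharp
// Added example: report the TLS version .NET negotiates for an outbound connection.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

// Assumption: placeholder host; pass the endpoint to check as the first argument.
string host = args.Length > 0 ? args[0] : "example.com";
int port = args.Length > 1 ? int.Parse(args[1]) : 443;

SslProtocols negotiated = await ProbeAsync(host, port);
Console.WriteLine($"{host}:{port} negotiated {negotiated}");

// Non-zero exit code when the connection fell back below TLS 1.3,
// so the check can gate a CI job or a compliance script.
return negotiated == SslProtocols.Tls13 ? 0 : 1;

static async Task<SslProtocols> ProbeAsync(string host, int port)
{
    using var tcp = new TcpClient();
    await tcp.ConnectAsync(host, port);

    // Certificate validation is left at its default: no callback override.
    await using var tls = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);

    var options = new SslClientAuthenticationOptions
    {
        TargetHost = host, // used for SNI and certificate name matching
        // SslProtocols.None lets the OS/runtime choose the version,
        // which is also what HttpClient does by default.
        EnabledSslProtocols = SslProtocols.None,
    };
    await tls.AuthenticateAsClientAsync(options);

    // Populated once the handshake has completed.
    return tls.SslProtocol;
}
```

Run it against a server you know offers TLS 1.3 and against one limited to TLS 1.2 to see both outcomes described in the caveats.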

Notes and caveats

A few important details:

  • TLS negotiation depends on both sides:
    • Your macOS version must support TLS 1.3.
    • The server must support TLS 1.3.
  • If the server only supports TLS 1.2, the connection will fall back to TLS 1.2 automatically.
  • This is primarily relevant to outbound HTTPS (your client calls). Inbound TLS (Kestrel) is a different story depending on hosting and termination (direct Kestrel vs reverse proxy vs managed ingress).

Conclusion

.NET 10 on macOS makes modern security the default: TLS 1.3 is negotiated automatically whenever possible, and your existing HttpClient code benefits immediately.

It’s one of those improvements that you don’t feel day-to-day until you look at the handshake, latency, or compliance box it checks.

Happy coding!

Written by

anthonygiretti

Anthony is a specialist in Web technologies (14 years of experience), in particular Microsoft .NET, and is learning the Azure cloud platform. He has twice received the Microsoft MVP award and he is also certified Microsoft MCSD and Azure Fundamentals.