
C# HttpWebRequest verify/specify which cipher used

I am working on a .NET 4.0 application that needs to make connections to a website server. I've been getting the following error on and off periodically (pattern appears to start around lunch and happens in clusters): "The underlying connection was closed. An unexpected error occurred on a send." Everything I've seen relating to this error is pointing me towards a TLS error. I used SSLLabs to determine that the remote server is using TLS 1.1 and TLS 1.2, but with only a few ciphers available. I suspect that the connection being created by the application is occasionally trying to use a cipher that isn't supported, and this error is being hit.

Because of the sensitivity of the production environment and the semi-randomness of the timing of this error, I'm not able to run a Wireshark or Fiddler test on the server to determine what cipher is being used during failures. I've verified the application IS using TLS 1.2, however.

Is there any way to access from the application programmatically what cipher(s) are being used by the HttpWebRequest object, or is there a way to specify from the application which cipher to use?

Travis K. asked Oct 17 '22 05:10


1 Answer

I had a similar issue a few months ago and I remember reading somewhere that the negotiation of the cipher suite is done by the OS (Schannel in the case of Windows). I couldn't find a way to control this from within the .NET framework.

The following articles were helpful to me in order to better understand the .NET framework behavior around this (which is different between versions).

Transport Layer Security (TLS) best practices with the .NET Framework

SCH_USE_STRONG_CRYPTO flag (which was relevant in my case)

Transport Layer Security (TLS) registry settings (This one is relevant on the Windows side to configure the available cipher suites)

EDIT:

This is the article (by Troy Starr [MSFT]) that helped me to understand my problem: https://community.qualys.com/thread/16917-net-framework#comment-35829

yv989c answered Nov 12 '22 22:11
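An added example, not part of the question or the answer above: `HttpWebRequest` does not expose the negotiated cipher, but `SslStream` does, and on Windows both go through Schannel, so a small probe run from the same machine can log what the OS negotiates with the server. The host name is a placeholder, and the numeric protocol values assume the .NET 4.5 or later runtime is installed, since the `SslProtocols` enum has no TLS 1.1/1.2 members when compiling against 4.0.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe
{
    // Placeholder target: replace with the server the application calls.
    const string Host = "example.com";
    const int Port = 443;

    // Tls11 = 768, Tls12 = 3072. The named enum members only exist from .NET 4.5,
    // so a project targeting 4.0 has to cast the numeric values.
    const SslProtocols Protocols = (SslProtocols)(768 | 3072);

    static void Main()
    {
        try
        {
            using (var tcp = new TcpClient(Host, Port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                // No validation callback is supplied, so default certificate
                // validation applies, as it does for HttpWebRequest.
                ssl.AuthenticateAsClient(Host, null, Protocols, false);

                // These properties describe the suite Schannel negotiated.
                // Newer algorithms may print as raw numeric Schannel algorithm IDs.
                Console.WriteLine(
                    "{0:o} OK protocol={1} cipher={2}/{3} hash={4}/{5} kex={6}/{7}",
                    DateTime.UtcNow, ssl.SslProtocol,
                    ssl.CipherAlgorithm, ssl.CipherStrength,
                    ssl.HashAlgorithm, ssl.HashStrength,
                    ssl.KeyExchangeAlgorithm, ssl.KeyExchangeStrength);
            }
        }
        catch (Exception ex)
        {
            // Handshake failures surface as AuthenticationException or IOException;
            // the inner exceptions usually carry the Schannel/socket detail.
            for (Exception e = ex; e != null; e = e.InnerException)
                Console.WriteLine("{0:o} FAIL {1}: {2}",
                    DateTime.UtcNow, e.GetType().Name, e.Message);
        }
    }
}
```

Running this on a schedule during the window when the errors cluster gives a timestamped record of successful negotiations and handshake failures without a packet capture. It reports the algorithms of the negotiated suite rather than the suite's IANA name.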