How to use AES 256 cipher with HttpWebRequest

Question

My .net 2.0 application uses AES 128 cipher instead of 256 for POST request to the https site, which cause the latter fail. How to use AES 256 cipher for HttpWebRequest?

Answer 1

HttpWebRequest takes care of SSL/TLS negotiation if you access a secure url (https). The cipher suite negotiated for the session depends on the capability of both client and server. In simple words, it happens in below steps:

• Client connects to server.
• Client says hello and along with it gives its capability in set of cryptographic algorithms (e.g. [RSA+AES128+SHA1], [RSA+AES256+SHA1], ...)
• Server picks the strongest "algorithm suite" it supports and notifies the client that we will use this suite for current session.

So to answer your question, you need to make sure that both your client and server has AES256 capability.

Client Side

Since you are using HttpWebRequest which internally uses Windows APIs, you are on the mercy of Windows APIs. As far as I know, Windows XP and Windows Server 2003 don't support new things like TLS 1.0, TLS 1.2, AES 256, SHA 256, ECC etc. For that, your client must be running on Windows Vista, Windows 7 or Windows 2008.

Server Side

Since there is no indication of server in use, I cannot comment anything on it. If it is IIS, above text still applies. Though you will need to enable certain bits in IIS. See this excellent article for help.

Tip

Use a network monitor to see what is happening behind the scenes. You can use Wireshark or Microsoft Network Monitor for this.