.NET's SslStream is always negotiating to the least secure cipher I have. How can I change this?

SslStream is supposed to negotiate the cipher type, key length, hash algorithm, etc. with its peer SSL stack. When using it in my code, I find that the negotiation always defaults to RC4 & MD5. I would like to use 3DES or AES for some added security.

Looking around the web I find only a few references to this problem and no solutions; one poster is claiming this actually makes sense, since the lowest common denominator between the two stacks is secure while having the added benefit of being faster/using less CPU resources. While this may be technically correct, my particular trade-off between complexity and cost lies elsewhere (I prefer to use AES with a long key).

If anyone can help I'd appreciate it.

Shachar asked Oct 15 '22 18:10


2 Answers

SslStream uses Schannel, which is supplied with the operating system. The suites are listed below in the default order in which they are chosen by the Microsoft Schannel Provider for:

Windows Vista:

    RSA_WITH_AES_128_CBC_SHA
    RSA_WITH_AES_256_CBC_SHA
    RSA_WITH_RC4_128_SHA
    ...

Windows XP:

    RSA_WITH_RC4_128_MD5
    RSA_WITH_RC4_128_SHA
    RSA_WITH_3DES_CBC_SHA
    ...

You can also modify the list of cipher suites by configuring the SSL Cipher Suite Order group policy setting using the Group Policy Object snap-in in Microsoft Management Console (Windows Vista).

But the issue is that Windows XP doesn't include AES in the list of ciphers available for SslStream. However, it's possible to change a registry setting in Windows XP, HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy = 1, to get the 3DES cipher.

vshkil answered Oct 19 '22 03:10

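Whatever policy is applied, the thing to verify is what SslStream actually negotiated rather than what the machine's suite list says. The following is an added example, not code from either answer: it opens an SslStream from PowerShell (the same .NET class the question is about) against a TLS server you supply, and reports the negotiated protocol, cipher, key length and hash. `$Server` and `$Port` are placeholders; the script assumes a reachable server and that the OS trusts its certificate, since no custom validation callback is installed.

```powershell
# Added example (not from the original answers): report what SslStream negotiated.
# Assumes a reachable TLS server ($Server/$Port are placeholders you supply) whose
# certificate chains to a trusted root; no custom validation callback is used.
function Test-SslStreamNegotiation {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 443,
        # Protocol floor is the only selection knob SslStream exposes on Windows; the
        # cipher suite itself is picked by Schannel from the machine-wide policy.
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)
    $ssl = $null
    try {
        # Second argument: leaveInnerStreamOpen = $false
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        [pscustomobject]@{
            Server         = $Server
            Protocol       = $ssl.SslProtocol
            KeyExchange    = $ssl.KeyExchangeAlgorithm
            Cipher         = $ssl.CipherAlgorithm
            CipherStrength = $ssl.CipherStrength
            Hash           = $ssl.HashAlgorithm
            HashStrength   = $ssl.HashStrength
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
}

# Usage (placeholder host): flag the exact combination the question complains about.
$result = Test-SslStreamNegotiation -Server 'tls.example.internal'
$result | Format-List
if ($result.Cipher -eq 'Rc4' -or $result.Hash -eq 'Md5') {
    Write-Warning "Weak suite negotiated: $($result.Cipher)/$($result.Hash); adjust the Schannel policy."
}
```

Run it once before and once after changing the Schannel policy (and rebooting) to confirm the change took. On Windows, SslStream has no per-connection cipher suite selection, so if the report still shows RC4/MD5 the fix has to be made at the Schannel level, not in the application.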


You can select which protocols are available by making some simple registry changes. We removed the ability to select RC4, for example. You only need to make the change at one end of the connection (e.g. the server) because the client and server negotiate to find a commonly supported algorithm.

http://msdn.microsoft.com/en-us/library/ms925716.aspx

Best wishes, James

James Berry answered Oct 19 '22 05:10
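The registry changes the answer refers to live under the Schannel key, where each cipher and hash has its own subkey with a DWORD named Enabled (0 disables it; no subkey or no value means the OS default applies). The following is an added example, not the answerer's script: it lists the algorithms that currently have an explicit setting and disables every RC4 key length plus MD5, the two halves of the suite the question wants to get rid of. It assumes an elevated PowerShell session and a reboot afterwards for Schannel to pick up the new policy.

```powershell
# Added example (not from the original answers). Uses the documented Schannel layout:
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\<Ciphers|Hashes>\<name>
# with DWORD "Enabled" (0 = disabled; absent = OS default). Run elevated; reboot to apply.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelAlgorithmState {
    param([ValidateSet('Ciphers', 'Hashes')][string]$Category = 'Ciphers')
    # One object per subkey present; algorithms with no subkey are at the OS default.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$Category")
    if (-not $base) { return }
    foreach ($name in $base.GetSubKeyNames()) {
        $sub = $base.OpenSubKey($name)
        $enabled = $sub.GetValue('Enabled')
        $sub.Close()
        $state = if ($null -eq $enabled) { 'default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        [pscustomobject]@{ Category = $Category; Algorithm = $name; Enabled = $state }
    }
    $base.Close()
}

function Disable-SchannelAlgorithm {
    param(
        [Parameter(Mandatory)][ValidateSet('Ciphers', 'Hashes')][string]$Category,
        [Parameter(Mandatory)][string[]]$Name
    )
    # Subkey names such as "RC4 128/128" contain a slash, which the HKLM: drive provider
    # (New-Item) would treat as a path separator, so use the .NET registry API directly,
    # where only '\' separates keys.
    $base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$Category")
    foreach ($n in $Name) {
        $sub = $base.CreateSubKey($n)
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
    $base.Close()
}

# Turn off every RC4 key length and MD5 so the RC4/MD5 suite can no longer be negotiated.
Disable-SchannelAlgorithm -Category Ciphers -Name 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
Disable-SchannelAlgorithm -Category Hashes  -Name 'MD5'

# Show the resulting explicit settings.
Get-SchannelAlgorithmState -Category Ciphers
Get-SchannelAlgorithmState -Category Hashes
```

Two caveats a practitioner should keep in mind. First, this is a machine-wide change: every Schannel consumer on the box (IIS, RDP, other .NET services) loses RC4 and MD5, not just the application in question, so test the other services before rolling it out. Second, disabling algorithms and reordering suites are different mechanisms; the SSL Cipher Suite Order policy from the first answer is stored separately, under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 in the Functions value on Vista and later, and a disabled cipher is removed regardless of where it sits in that order.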