How can I specify a cipher suite to use in an SSL connection?

I know that Mentalis SecLib has this feature; however, they don't maintain the project any more (and there are issues in that library on x64 OSes), as they say .NET Framework 2.0 introduced those features.

However I couldn't find a way to do this in .NET Framework 3.5.

To be more specific, I want to connect to an HTTPS service using a NULL cipher. I would do the same thing with OpenSSL using the following command:

openssl s_client -connect www.example.com:443 -cipher NULL 

How can I do this in .NET?

Also, suggestions for commercial or commercial-friendly licensed libraries are welcome as well.

A: 

Unfortunately I don't know if it's possible with .NET at all, but as you are mentioning the Mentalis lib, I thought that maybe you would be interested in checking SSLBlackbox, which lets you specify ciphers easily via a property.

Eugene Mayevski 'EldoS Corp
I've looked into the SSLBlackbox API for .NET, though it looks terrible. They don't even employ enums, so it looks like a straight port from C++ which doesn't behave like a .NET library. Thanks for the suggestion, although I'm still not sure if SSLBlackbox can do this or not; I couldn't find any good sample.
dr. evil
There's no way to use an enum when you have 80 or so cipher suites. And there's no need for a sample either; the cipher suites are set using the CipherSuites property: client.set_CipherSuites[SB_SUITE_NULL_NULL_NULL] = true; And there's free technical support available there as well.
Eugene Mayevski 'EldoS Corp
Why do you think 80 is too much to enum?
dr. evil
It's not 80 being too much (the number is not important) but the fact that cipher suites are constants defined in the standard. So why change them?
Eugene Mayevski 'EldoS Corp
I'm trying to say that the library is not designed according to the MS library design guidelines, hence it's using non-standard coding practices for a .NET library. Normal .NET libraries use enums where they apply, and this is a perfect example of where to use them; based on the code sample, SSLBlackbox seems like a direct port from C++ and doesn't follow any of those best practices. Enums were just an example.
dr. evil
Frankly speaking, I don't see your point. Do you need the code to work correctly or to look fine? I.e. would you like the developers to spend time on security and overall quality, or on bells and whistles?
Eugene Mayevski 'EldoS Corp
Eugene, obviously I want the job done; that's my priority. But I would prefer a library which is written in the way that my team and I are used to employing over a library which is not. Sorry, I didn't know you are related to the suggested library; that's why my first comment was so blunt.
dr. evil
In fact, I must thank you for the sincere comments, which are really valuable. SecureBlackbox is a cross-platform library, and this lets us give users a consistent experience as they move from Windows to other platforms. Using different coding approaches for each platform would make developers spend time on coding fancy attributes such as the mentioned enums or .NET-style events instead of focusing on features, samples, or providing support to users (our customers get support directly from developers, which makes it fast and efficient).
Eugene Mayevski 'EldoS Corp
A: 

Based on the documentation, you can set the ciphers when using SChannel via the palgSupportedAlgs, dwMinimumCipherStrength, and dwMaximumCipherStrength members of the SCHANNEL_CRED struct.

In order to enable the NULL encryption algorithm, you should set dwMinimumCipherStrength to -1.

CAVEAT: This is based on the documentation only. I am not a .NET developer, but I have been looking for an answer to the question because I support a service that has .NET clients.

Matthieu
Any idea how to use SChannel in .NET, or any .NET wrapper for it?
dr. evil
For .NET 3.5, I do not. .NET 4 introduced an EncryptionPolicy enum that allows you to configure HttpWebRequest to allow or require the use of NULL ciphers for HTTPS connections. I sent that info to my .NET client, and he has confirmed that it works. If that is useful to you, I can write up how to use it.
Matthieu
That sounds interesting; would you care to point me to an article or throw me a code snippet?
dr. evil
A: 

In .NET, you can use the SslStream class. In .NET 4.0, as Matthieu says above, it allows you to specify the ciphers.

feroze
A: 

(My previous answer was ill-informed, I did not notice at first that the property I was referring to was read-only.)

In .NET 4, the System.Net.Security.SslStream class supports a new constructor, allowing you to provide an EncryptionPolicy value, which can be NoEncryption. This allows no encryption and requests that a NULL cipher be used if the other endpoint can handle a NULL cipher.

Unfortunately this did not exist even in 3.5.


Not really part of the question, but I assume (and this is really for future readers) that you are of course aware of the relevant risks of using SSL with a NULL cipher, and of the benefits you miss out on?

AviD
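An added example (not code from the question or from any of the answers) of the .NET 4 SslStream constructor AviD describes, run with the default policy beside the NoEncryption policy and followed by a check of what the handshake actually negotiated; the host name is a placeholder, as in the question's openssl command:

```csharp
// Added example: SslStream with an EncryptionPolicy (.NET 4), then inspecting the
// negotiated cipher instead of assuming it. Host and port are placeholders.
using System;
using System.Net.Security;
using System.Net.Sockets;

static class NullCipherProbe
{
    // Opens a TLS/SSL connection under the given policy and returns what was negotiated.
    public static string Connect(string host, int port, EncryptionPolicy policy)
    {
        using (var tcp = new TcpClient(host, port))
        // Five-argument constructor introduced in .NET 4; the last argument is the policy.
        // Null callbacks keep the default certificate validation. Do not substitute a
        // callback that always returns true, or the server's identity goes unchecked too.
        using (var ssl = new SslStream(tcp.GetStream(), false, null, null, policy))
        {
            ssl.AuthenticateAsClient(host);

            // With NoEncryption and a server that accepts a NULL suite this reports
            // CipherAlgorithm = Null and CipherStrength = 0. The server (and the OS's
            // SChannel configuration) still decide, so read the result rather than assume it.
            return string.Format("{0} cipher={1} strength={2} mac={3}",
                ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength, ssl.HashAlgorithm);
        }
    }

    static void Main()
    {
        string host = "www.example.com"; // placeholder

        // Default policy: NULL suites are never offered, so a server cannot select one.
        Console.WriteLine(Connect(host, 443, EncryptionPolicy.RequireEncryption));

        // Counterpart of "openssl s_client -cipher NULL": request a NULL cipher.
        // (AllowNoEncryption would offer NULL suites alongside encrypting ones instead.)
        Console.WriteLine(Connect(host, 443, EncryptionPolicy.NoEncryption));
    }
}
```

The second line of output shows whether the NULL suite was actually negotiated; if the server refused it, the CipherAlgorithm value will not be Null and the connection is not the one the question asks for.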