ansaurus

Question

How to specify a cipher for an SSL connection in .NET?

Answer 1

A:

Unfortunately don't know if it's possible with .NET at all, but as you are mentioning mentalis lib, I thought that maybe you would be interested to check SSLBlackbox, which lets you specify ciphers easily, via a property.

Eugene Mayevski 'EldoS Corp 2010-05-29 07:00:08

I've look into SSLBlackbox API for .NET though it looks terrible. They don't even employ Enums so it looks like a straight port from the C++ which doesn't behave like a .NET library. Thanks for the suggestion, although still not sure if SSLBlackbox can do this or not, Couldn't find any good sample.

dr. evil 2010-06-01 06:57:30

There's no way for enum when you have 80 or so cipher suites. And there's no need for a sample too - the cipher suites are set using CipherSuites property:client.set_CipherSuites[SB_SUITE_NULL_NULL_NULL] = true; And there's free technical support available there as well.

Eugene Mayevski 'EldoS Corp 2010-06-01 08:44:59

Why you think 80 is too much to enum?

dr. evil 2010-06-01 13:13:19

It's not 80 being too much (the number is not important) but the fact that cipher suites are the constants defined in the standard. So why change them?

Eugene Mayevski 'EldoS Corp 2010-06-02 06:44:32

I'm trying to say that the library is not designed according MS Library design guidelines, hence it's using non-standard coding practices for a .NET library. Normal .NET libraries uses enums when applies and this is a perfect example to use it hence based on the code sample SSLBlackbox seems like direct port from C++ and doesn't follow any of those best practices. Enum was just an example.

dr. evil 2010-06-02 12:34:05

Frankly speaking, I don't see your point. Do you need the code to work correctly or to look fine? I.e. would you like the developers to spend time on security and overall quality or on bells and whistles?

Eugene Mayevski 'EldoS Corp 2010-06-02 15:21:08

Eugene obviously I want to be job done, that's my priority. But I would prefer a library which is written in a way that me and my team used to employ over a library which is not. Sorry that I didn't know you are related with the suggested library that's why my first comment was so blunt.

dr. evil 2010-06-04 18:12:53

In fact, I must thank you for the sincere comments which are really valuable. SecureBlackbox is a cross-platform library and this let us give users consistent experience as they move from Windows to other platforms. Using different coding approaches for each platform would make developers spend time on coding of fancy attributes such as mentioned enums or .NET-style events instead of focusing on features or samples or on providing support to users (our customers get support directly from developers which make it fast and efficient).

Eugene Mayevski 'EldoS Corp 2010-06-05 05:10:02

Answer 2

A:

Based on the documentation, you can set the ciphers when using SChannel via the palgSupportedAlgs, dwMinimumCipherStrength, and dwMaximumCipherStrength parameters of the SCHANNEL_CRED struct.

In order to enable the NULL encryption algorithm, you should set dwMinimumCipherStrength to -1.

CAVEAT: This is based on the documentation only. I am not a .NET developer, but I have been looking for an answer to the question because I support a service that has .NET clients.

Matthieu 2010-06-01 19:20:53

Any idea how use SCHANNEL in .NET or any .NET wrapper for it?

dr. evil 2010-06-01 20:09:30

For .NET 3.5, I do not. .NET 4 introduced an EncryptionPolicy enum that allows you to configure HttpWebRequest to allow or require the use of NULL ciphers for HTTPS connections. I sent that info to my .NET client, and he has confirmed that it works. If that is useful to you, I can write up how to use it.

Matthieu 2010-06-03 18:45:10

That sounds interesting would you care to point to me an article or throw me a code snippet?

dr. evil 2010-06-04 18:13:20

Answer 3

A:

In .NET, you can use the SSLStream class. in .NET 4.0, as Matthieu says above, it allows you to specify the ciphers.

feroze 2010-06-05 02:28:58

Answer 4

+2 A:

(My previous answer was ill-informed, I did not notice at first that the property I was referring to was read-only.)

In .NET 4, the System.Net.Security.SslStream class supports a new constructor, allowing you to provide an EncryptionPolicy value, which could be NoEncryption. This allows no encryption and request that a NULL cipher be used if the other endpoint can handle a NULL cipher.

Unfortunately this did not exist even in 3.5.

Not really part of the question, but I assume (and this is really for future readers) that you are of course aware of the relevant risks, of using SSL with a NULL cipher? And, the benefits you miss out on?

AviD 2010-06-06 21:23:39

ansaurus

tags:

views:

answers:

How to specify a cipher for an SSL connection in .NET?

related questions