none
(m)TLS Support in WinRT

    Question

  • I'm investigating if it's possible, using the Windows Runtime, to establish an mTLS connection. I've discovered the StreamSocket, WebStreamSocket classes, as well as and DataProtection APIs, and see references to creating an SSL connection that uses TLS, but there doesn't appear to be any way to specify a cipher.

    Can anyone point me down APIs which would allow me to establish a more robust TLS connection (my end goal is mTLS so I'd take tips on that as well).

    Thanks!

    -Andre

    Wednesday, October 12, 2011 4:53 PM

All replies

  • Hi - I looked through our references and could not find any way to explicitly set the cypher.  However, Windows has long used registry settings and Group Policy to control which cyphersuites are available for negotiation between client and server.  Please see these links:

    http://technet.microsoft.com/en-us/library/cc766285(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc776467(WS.10).aspx

    This looks like it might be what you are looking for:

    Group Policy Setting Description

    Security options:

    System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing

    Changes to this setting determine whether Schannel will only support the TLS protocol as a client (and as a server, if applicable) and only use:

    • Triple Data Encryption Standard (3DES) encryption algorithm for the TLS traffic encryption

    • Rivest-Shamir-Adleman (RSA) public key algorithm for the TLS key exchange and authentication

    • Secure Hash Algorithm version 1 (SHA-1) hashing algorithm for the TLS hashing

    Both the client and the server must support these algorithms and TLS to communicate using a secure channel application. For example, if you enable this policy setting, you will also need to configure Internet Explorer to use TLS (which is Off by default) to connect using Secure Hypertext Transfer Protocol (HTTPS) to a server with this setting.


    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    Thursday, October 13, 2011 6:06 PM
    Moderator
  • Matt,

    As far as I'm aware, there's no direct access to the registry or a way to modify group policy settings inside of Metro style applications. If this is true, then there truly isn't a way to specify at an application level what specific type of Cipher to use for generic sockets.

    I'm trying to port a game to being a Metro style application but it communicates to a service over a TCP with TLS as a requirement. Seems highly limiting to not be able to make a Metro port simply because I can't establish the connection using TLS/mTLS.

    If this won't be addressed, is it possible that Microsoft could open up the winsock APIs as acceptable WIN32 API calls so that I can use a library like openssl?

    -Andre

    Thursday, October 13, 2011 8:22 PM
  • I have used TLS with WinHTTP and also Windows Web Services APIs.

    Will

    http://msdn.microsoft.com/en-us/library/aa384273(VS.85).aspx   Windows HTTP Services

    and

    http://msdn.microsoft.com/en-us/library/dd430435(VS.85).aspx  Windows Web Services API

    be available for Metro C++ applications ?

    If not, will there be WinRT replacements ?

     

     

     

    Thursday, October 13, 2011 11:50 PM
  • "Windows Web Services API

    be available for Metro C++ applications ?"

     

    You can find the supported web service methods by WinRT here:

    http://msdn.microsoft.com/en-us/library/windows/apps/br205759(v=VS.85).aspx

    Thursday, October 13, 2011 11:55 PM
  • The short answer is: Metro style apps support SSL-type secure connections only as the client; the server (accept) side of an SSL connection must be, e.g., a Winsock+SCHANNEL app or a full framework .NET app.  Because the server is non-Metro, it can apply the appropriate policy.

    Note that the server will send to the client a list of acceptable ciphers; assuming that the client knows about at least one of the ciphers (and my experience is that it always does), the client will pick one of those ciphers to use.  As long as the server sends the appropriate list, the client will use an appropriate cipher.  What is generally configured is that the more secure ciphers are preferered over less secure ciphers.

    Two questions:

    1. When you say, (m)TLS, which mtls do you mean (the mutually authenticating one, or the multiplexed one)?

    2. Why do you have the cipher requirment that you do?  Will you ever be in the position where the server sends a list of acceptable ciphers, and it's wrong?  And the actually acceptable ciphers are a subset of that list?


    Network Developer Experience Team (Microsoft)
    Friday, October 14, 2011 9:44 PM
  • @MSFT:

    1] I'm curious about mTLS from the perspective of mutual authentication. (Subsistence might have a different answer.)

    2] Short answer, yes. We have scenarios where the client requires specific ciphers for security reasons.

    Monday, October 24, 2011 10:26 PM
  • Here are my answers to your questions:

    1. Mutually authenticated mTLS.

    2. Basically, the same answer as badhras. 

    We'd like to build an application such that when it's open (split screen or otherwise), it behaves as a server and advertises that someone can initiate a video chat with it. In this case, the Metro style application is the server and the connectors are clients. For a secure video session, I need to be able to say that my application uses particular ciphers.

    The problem that I'm seeing so far is that there's an assumption that all Metro style applications are client applications. I don't believe that this is true.

    Finally, one last thing (not related to the original ask) - we're also trying to authenticate certificates. There doesn't appear to be any APIs which allow us to inspect certificates and only accept certain ones, in a particular line of trust. We want to be able to say that a connection from a particular client must be certified by, say, Google or Microsoft. Having a valid certificate installed on the system isn't sufficient.

    Is Microsoft planning on adding any WinRT APIs which allow us to inspect certificates?

    Monday, October 24, 2011 10:53 PM