none
WSMAN CredSSP TLS 1.2 support and cipher suites RRS feed

  • Question

  • Hi all,

    The protocol document [MS-CSSP] explains the first base64 encoded token send in the authenticate from the client to the server is a TLS Client Hello. The response is a ServerHello.
    The diagram in section 4 'Protocol Examples' of the document indicates the ServerHello has a cipher suite of TLS_RSA_WITH_RC_128_SHA. The TLS version and cipher suites are not mentioned anywhere else in the document.

    So lets take a look a network packet capture of a CredSSP authentication between a winrm.exe client and a Windows 2008 R2 server. I have base64 decoded the contents of the CredSSP Authorization headers,

    The ClientHello bytes (without the extensions) send by my client are:

    16 03 01 00 6B 01 00 00  67 03 01 54 DB 64 77 22 
    A2 1C A3 23 93 61 3B 00  1B DE 1C 6D 42 34 94 8D 
    1D 44 2C 64 8B 42 AC 41  B4 E2 DE 00 00 14 00 2F 
    00 35 00 0A C0 13 C0 14  C0 09 C0 0A 00 32 00 38 
    00 13 01 00 00 2A FF 01  00 01 00 00 00 00 11 00 
    0F 00 00 0C

    Decoding this we can see that this is TLS 1.0 {03, 01}, taking a look at the ciphers we have:
    TLS_RSA_WITH_AES_128_CBC_SHA 0x00 0x2F
    TLS_RSA_WITH_AES_256_CBC_SHA 0x00 0x35
    TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0,0x09
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0,0x0A
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x00,0x32
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x00,0x38
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x00,0x13

    Now lets look at the ServerHello (without the extensions)

    16 03 01 02 3C 02 00 00  4D 03 01 54 DB 64 78 73 
    92 C6 86 A3 F8 FF 3D D4  36 77 C0 FC 80 61 3F 4D 
    8C BC 60 CD BC 4D B1 1C  4A CF 0A 20 DA 14 00 00 
    38 11 DB C9 1C D0 8C 76  E7 A0 B9 F7 A5 D4 94 DF 
    8B 83 38 B3 FF EB AA 65  EB 23 03 0A 00 2F 00 00 
    05 FF 01 00 01 00 0B 00  01 E3 00 01 E0 00 01 DD 
    30 82 01 D9 30 82 01 42  A0 03 02 01 02 02 10 44 
    56 23 69 44 ED 93 85 43  DF B8 DF E3 75 DC A7 30 
    0D 06 09 2A 86 48 86 F7  0D 01 01 05 05 00 30 2B 
    31 29 30 27 06 03 55 04  03 13 20 

    The server responds with TLS 1.0 and selected cipher (0x00 0x2F)
    TLS_RSA_WITH_AES_128_CBC_SHA

    Based on this I created a WSMan CredSSP client using Python and OpenSSL and configured it to use TLS 1.2. I found the Windows server always responded with TLS 1.0. So, I configured my OpenSSL client for TLS 1.0 and set the cipherlist to AES128-SHA (like winrs.exe). The CredSSP TLS handshake completes, but the first ASN.1 encoded TSRequest token (containing an NTLM negotiate token) is rejected. However, if my openssl cipherlist is set to RC4, the TSRequest token is accepted and authentication is successful.

    This raises several questions:
    1. Despite sending a TLS 1.2 ClientHello the WSMan CredSSP Server always responded with TLS 1.0 ServerHello. A number of security experts consider this version effectivly broken. Does CredSSP support TLS 1.2?

    2. I can authenticate with CredSSP using openssl 'RC4' cipher suites - but not with AES128-SHA suites. Are suites besides RC4 supported (winrs.exe appears to use AES).

    Thanks

    Ian


    • Edited by Ian.Clegg Wednesday, February 11, 2015 4:27 PM
    Wednesday, February 11, 2015 4:25 PM

All replies

  • Hi Ian,

    Thank you for your question. A member of the Protocol Documentation support team will respond to you soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Wednesday, February 11, 2015 6:20 PM
  • Forum Update:

    I can now answer my 2nd question. The reason CredSSP is rejecting my TSRequest token when using AES128-SHA is because this ciphersuite is using CBC.
    Some years ago OpenSSL added empty fragments to SSLv3 and TLS 1.0 packets to address a potential security vulnerability. These empty fragments are not compatible with Microsofts SChannel implementation so Windows is unable to decrypt the data. OpenSSL added a compatibility flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L) that must be set in the openssl client's context options to address this issue with Microsofts implementation. Once I set this option my python openssl client successfully authenticated with a Windows 2012 R2 server using ECDHE-RSA-AES256-SHA - much better.

    Question 1 is still unanswered. Is TLS 1.2 with CredSSP supported?
    • Edited by Ian.Clegg Thursday, February 12, 2015 12:06 AM
    Thursday, February 12, 2015 12:04 AM
  • Hello Ian,
    I will be working with you on this issue. I am currently researching the problem and will provide you with an update soon. Thank you for your patience.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Thursday, February 12, 2015 8:02 PM
    Moderator
  • Hello Ian,
    CredSSP merely calls the system TLS implementation and it would be agnostic to it's version. In other words it should work with TLS 1.2. However windows 2008 R2 server didn't support TLS 1.2 by default. Would you be able to try with a Windows 2012 R2 for testing purpose ?

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications
    Thursday, February 19, 2015 6:01 PM
    Moderator
  • Hello Ian,
    Please post if you have any followup questions.

    Regards,
    Sreekanth Nadendla
    Microsoft Windows Open Specifications

    Tuesday, February 24, 2015 4:01 PM
    Moderator