ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 and Cipher Suite (C#)

  • Question

  • Hello,

    I need to connect to a server via HttpWebRequest using one of the TLS cipher suites (possibly ECDHE-RSA-AES256-GCM-SHA384).

    If I use the following command (C#) under Windows Server 2016 Standard with MS Framework 4.6.1:

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3; 

    is one of the cipher suites already included?

    If not, what should I do? How can I expand the code below to achieve this goal?


         private static String sendRequest(Uri url, NameValueCollection nvc)
         {
             CookieContainer cookieJar = new CookieContainer();
             // Accepts every server certificate, so the server is never authenticated.
             ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
             ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls
                    | SecurityProtocolType.Tls11
                    | SecurityProtocolType.Tls12
                    | SecurityProtocolType.Ssl3;
             ServicePointManager.Expect100Continue = true;
             HttpWebRequest HttpWReq = (HttpWebRequest)WebRequest.Create(url.ToString());
             HttpWReq.ProtocolVersion = HttpVersion.Version10;
             HttpWReq.Timeout = Timeout.Infinite;
             HttpWReq.ReadWriteTimeout = Timeout.Infinite;
             HttpWReq.CookieContainer = cookieJar;
             HttpWReq.Method = "POST";
             HttpWReq.Accept = "*/*";
             // req3.Headers.Add("Pragma", "no-cache");
             // req3.Headers.Add("Accept-Language", "en-gb");
             HttpWReq.AllowAutoRedirect = true;
             HttpWReq.KeepAlive = true;
             HttpWReq.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)";
             HttpWReq.ContentType = "application/x-www-form-urlencoded";
             // CreateParameterString and iWinCodePage are defined elsewhere in the poster's code.
             StringBuilder sbPostData = CreateParameterString(nvc);
             byte[] parameterString = System.Text.Encoding.GetEncoding(iWinCodePage).GetBytes(sbPostData.ToString());
             if (parameterString.Length > 0)
             {
                 // Content-Length is the encoded byte count, not the character count.
                 HttpWReq.ContentLength = parameterString.Length;
                 using (Stream requestStream = HttpWReq.GetRequestStream())
                 {
                     requestStream.Write(parameterString, 0, parameterString.Length);
                 }
             }
             String responseString = "";
             using (HttpWebResponse HttpWResp = (HttpWebResponse)HttpWReq.GetResponse())
             using (StreamReader sr = new StreamReader(HttpWResp.GetResponseStream(), System.Text.Encoding.GetEncoding(iWinCodePage), true))
             {
                 responseString = sr.ReadToEnd();
             }
             return responseString;
         }

    Wednesday, March 20, 2019 4:37 PM

All replies

  • Just install Fiddler on the client machine to check.

    Check the "Tunnel to" request (do not enable SSL decryption, because Fiddler may renegotiate a different cipher when doing so). In the upper part of the right panel, on the "Inspectors" tab page, "Raw" view, see if the cipher you want to use is included (mine showed that cipher as [C028]).

    Then go to the lower part of the right panel, still in the "Raw" view, and see if the cipher you want is picked up.

    In my case, the MSDN site returns:

    Version: 3.3 (TLS/1.2)
    SessionID: 86 02 C9 D4 6F B1 D0 84 A2 86 DD 69 95 15 1E 30 80 ED 78 D4 6C C4 AF EC 9A 2C 19 97 A3 A5 2C 68
    Random:  28 7E D5 64 2D 1B F4 CB 56 DF F5 1B AD F3 2B 15 61 04 10 76 95 77 1B 3D F9 25 7C 0D B7 06 EA BB
    Cipher:  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 [0xC028]
    CompressionSuite: NO_COMPRESSION [0x00]
      renegotiation_info 00
      server_name empty
      ec_point_formats uncompressed [0x0], ansiX962_compressed_prime [0x1], ansiX962_compressed_char2  [0x2]
      status_request (OCSP-stapling) empty

    P.S.: Some people have added code for changing the cipher list to .NET Core; hopefully it will make it into the next release. (The check-in occurred just 2 weeks ago, and there are some failures in the automatic merge of the code.)

    Thursday, March 21, 2019 2:17 AM
  • Thanks for your reply.

    I've installed IISCrypto.

    It shows me the complete cipher suite list on the machine.

    Thursday, March 21, 2019 4:41 PM
  • It's on both sides: the web browser sends the list of ciphers it supports to the web server, then the web server compares that list with the list supported by the server and selects the cipher it thinks is the most secure one supported on both sides.

    If your software contract has a requirement to use a specific cipher, the safest way is to disable all other cipher choices, because in theory the web server may choose to use a better cipher and that can violate your contract. And the web server may choose a less secure cipher if your choice doesn't exist in the list offered by the web browser.

    Friday, March 22, 2019 1:26 AM
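A code-side version of the check described in the two answers above, as an added example that is not from the original thread: on .NET Framework 4.6.1 a client cannot pick a cipher suite through ServicePointManager, it can only learn what Schannel negotiated, so this opens an SslStream to the target host with normal certificate validation and fails closed unless the handshake used TLS 1.2 with AES-256. The host name is a placeholder, and the assumption is that HttpWebRequest on the same machine negotiates through the same Schannel settings; the full suite name (SslStream.NegotiatedCipherSuite) is only available on .NET Core 3.0 and later, so the component properties are checked instead.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the original post.
static class TlsCheck
{
    // Assumed requirement, taken from ECDHE-RSA-AES256-GCM-SHA384: TLS 1.2 and AES-256.
    const SslProtocols RequiredProtocol = SslProtocols.Tls12;
    const CipherAlgorithmType RequiredCipher = CipherAlgorithmType.Aes256;
    const int RequiredStrength = 256;

    // Returns true only if the negotiated parameters meet the requirement;
    // throws if the certificate chain or host name does not validate.
    public static bool NegotiatedParametersMeetRequirement(string host, int port = 443)
    {
        using (var tcp = new TcpClient(host, port))
        // No "return true" validation callback: chain and name errors still fail the handshake.
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host, new X509CertificateCollection(),
                                     RequiredProtocol, checkCertificateRevocation: true);

            // Printed for manual comparison with the Fiddler "Raw" view.
            Console.WriteLine("Protocol: {0}, Cipher: {1}/{2} bits, KeyExchange: {3}, Hash: {4}",
                ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength,
                ssl.KeyExchangeAlgorithm, ssl.HashAlgorithm);

            return ssl.SslProtocol == RequiredProtocol
                && ssl.CipherAlgorithm == RequiredCipher
                && ssl.CipherStrength == RequiredStrength;
        }
    }

    static void Main()
    {
        // Placeholder host; replace with the server from the contract.
        if (!NegotiatedParametersMeetRequirement("server.example"))
            throw new AuthenticationException(
                "Negotiated TLS parameters do not meet the required cipher suite; aborting.");
        Console.WriteLine("Negotiated parameters acceptable.");
    }
}
```

The server still makes the final choice, as the last answer explains; this check only makes the client refuse to proceed when that choice is not the required one.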