Windows Store app - SSL Handshake on Stream socket

Question

  • Is the SSL handshake handled internally by the StreamSocket class in Windows.Networking.Sockets when using SocketProtectionLevel.Ssl on the ConnectAsync method?
    Thursday, March 20, 2014 9:30 AM

Answers

  • Yes.  When you do the ConnectAsync(), it will do both the regular TCP handshake and will do the SSL connection. The end result is a socket where you just read and write bytes, but they get transformed into proper SSL for you.

    BTW, the .Ssl is now deprecated; if possible you should instead pick .Tls12 for greater security.  Note, of course, that not all end-points support TLS 1.2, so you may need to try TLS 1.2 and then fall back to a less secure protocol (possibly SSL) on failure.


    Network Developer Experience Team (Microsoft)

    • Marked as answer by aasikraja Friday, March 21, 2014 5:20 AM
    Thursday, March 20, 2014 5:43 PM
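The connect-then-verify flow the answer describes, as an added example that is not code from the thread or from Microsoft: a hypothetical helper `TlsConnect.ConnectAsync` for a Windows Store (WinRT) app that asks `StreamSocket.ConnectAsync` for `SocketProtectionLevel.Tls12` first and, only if the caller opts in, retries with the older TLS levels the enum also offers. The `host`, `port` and `allowOlderTls` parameters and the exception text are assumptions; the `StreamSocket`, `HostName`, `SocketProtectionLevel`, `StreamSocketInformation` and `SocketError` types are the real Windows.Networking API.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;

// Added example (not from the thread): a hypothetical helper that prefers TLS 1.2
// and reports what the platform actually negotiated, rather than silently
// accepting whatever the peer offers.
public static class TlsConnect
{
    public static async Task<StreamSocket> ConnectAsync(string host, string port, bool allowOlderTls)
    {
        // Order matters: the strongest level is tried first. The deprecated
        // SocketProtectionLevel.Ssl is deliberately not in either list.
        SocketProtectionLevel[] levels = allowOlderTls
            ? new[] { SocketProtectionLevel.Tls12, SocketProtectionLevel.Tls11, SocketProtectionLevel.Tls10 }
            : new[] { SocketProtectionLevel.Tls12 };

        Exception last = null;
        foreach (SocketProtectionLevel level in levels)
        {
            // A StreamSocket cannot be reused after a failed connect, so a
            // fresh instance is created for every attempt.
            var socket = new StreamSocket();
            try
            {
                // One call performs the TCP handshake and the TLS handshake;
                // afterwards reads and writes on the socket are transparently encrypted.
                await socket.ConnectAsync(new HostName(host), port, level);

                StreamSocketInformation info = socket.Information;

                // By default ConnectAsync already fails on certificate errors unless
                // socket.Control.IgnorableServerCertificateErrors was populated; this
                // check makes sure nothing was waved through if a caller did that.
                if (info.ServerCertificateErrors.Count > 0)
                {
                    socket.Dispose();
                    throw new InvalidOperationException(
                        "Server certificate validation reported " +
                        info.ServerCertificateErrors.Count + " error(s); refusing connection.");
                }

                // Record the negotiated level so a downgrade to an older TLS version
                // is visible in the app's logs instead of invisible.
                System.Diagnostics.Debug.WriteLine(
                    "Connected to " + host + ":" + port + " with " + info.ProtectionLevel);
                return socket;
            }
            catch (Exception ex)
            {
                socket.Dispose();
                last = ex;
                // SocketError.GetStatus maps the HRESULT to a SocketErrorStatus so the
                // caller can tell a TLS negotiation failure from, say, a DNS failure.
                SocketErrorStatus status = SocketError.GetStatus(ex.HResult);
                System.Diagnostics.Debug.WriteLine(
                    level + " attempt to " + host + " failed: " + status);
            }
        }
        throw last ?? new InvalidOperationException("No protection level was attempted.");
    }
}
```

Usage from an async method: `var socket = await TlsConnect.ConnectAsync("example.com", "443", allowOlderTls: false);`. Keeping `allowOlderTls` off makes the helper fail closed on endpoints that do not offer TLS 1.2, which is the behaviour a reviewer would expect by default; turning it on is a per-endpoint decision, and even then the loop never reaches `SocketProtectionLevel.Ssl`.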

All replies

  • Yes, they are also saying that .Ssl is now insecure since RC4 and other weak ciphers are allowed. I'll read about .Tls12 on the StreamSocket SocketProtectionLevel and try that.
    Thank you.

    • Edited by aasikraja Friday, March 21, 2014 5:24 AM
    Friday, March 21, 2014 5:20 AM
  • To be fully clear: only protocols and ciphers that are mutually acceptable to both the client and server will ever be negotiated, regardless of the socket settings.  This means that however you connect, it's considered "OK security" to the system admin.

    I'm not a security person, but just reading about RC4 on the regular technical web sites shows that lots of people have been creating attacks on RC4, and that it's only a matter of time before it's broken.

    Switching now to the newer protocols and ciphers makes sense; better to do it now when it's not an emergency than to wait until your customers are being actively stolen from.


    Network Developer Experience Team (Microsoft)

    Friday, March 21, 2014 8:01 PM