How to enable HashAlgorithmType.Sha256 in SslStream class

  • Question

  • Hi all,

    First posted here

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/db53dabf-5a92-46a8-a9c6-a23f95df81df/how-to-enable-hashalgorithmtypesha256-in-sslstream-class?forum=winserversecurity#db53dabf-5a92-46a8-a9c6-a23f95df81df

    We have a C# project which is based on the .NET Framework 4.6.1, and we use a certificate to create an SSL socket for the systems to communicate. Now it is reported that when another system tries to connect to our system, SHA256 is not supported on our system.

    And here is our code

    this._sslstream = new SslStream(client.GetStream(), false);

    try
    {
        // Parameters: server certificate, clientCertificateRequired = false,
        // enabledSslProtocols = SslProtocols.Default (SSL 3.0 | TLS 1.0),
        // checkCertificateRevocation = false
        this._sslstream.AuthenticateAsServer(serverCertificate,
            false, SslProtocols.Default, false);
        succ = true;
    }
    catch (AuthenticationException)
    {
        succ = false;
    }

    Then when I looked into the SslStream class, I found that the HashAlgorithm property has the following enum (the System.dll our project references is 4.0.0.0):

        //
        // Summary:
        //     Specifies the algorithm used for generating message authentication codes (MACs).
        public enum HashAlgorithmType
        {
            //
            // Summary:
            //     No hashing algorithm is used.
            None = 0,
            //
            // Summary:
            //     The Message Digest 5 (MD5) hashing algorithm.
            Md5 = 32771,
            //
            // Summary:
            //     The Secure Hashing Algorithm (SHA1).
            Sha1 = 32772
        }

    When I searched the web, I found in this article that there is a SHA256 option.

    https://msdn.microsoft.com/en-us/library/system.security.authentication.hashalgorithmtype(v=vs.110).aspx

    So my question is, how can I enable SHA256 in our SslStream?

    Tuesday, March 20, 2018 7:18 AM
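The following is an added example, not code from the thread or from the poster's project. It shows a loopback SslStream server and client on which the negotiated protocol, cipher and hash are read back after the handshake; SslStream.HashAlgorithm is a read-only result of the negotiation, not a setting the application turns on, so the example passes SslProtocols.Tls12 in place of SslProtocols.Default (SSL 3.0 | TLS 1.0, which has no SHA-256 cipher suites). Assumptions: .NET Framework 4.7.2 or later (or .NET Core 2.0+) for CertificateRequest to build a throwaway self-signed SHA-256 certificate (on 4.6.1, load a SHA-256-signed PFX with new X509Certificate2(path, password) instead); a free loopback port; and a test-only validation callback that pins the server certificate by thumbprint.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example; not the project's code. Assumes .NET Framework 4.7.2+ or .NET Core 2.0+
// (CertificateRequest). On 4.6.1 replace MakeSelfSigned() with a PFX loaded from disk.
class Tls12HashDemo
{
    // Builds a throwaway self-signed certificate signed with SHA-256 (test use only).
    static X509Certificate2 MakeSelfSigned()
    {
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=localhost", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            // serverAuth EKU so SChannel accepts the certificate for a server role
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
            var cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
            // Round-trip through PFX so the private key is in a store SChannel can use
            return new X509Certificate2(cert.Export(X509ContentType.Pfx), (string)null,
                X509KeyStorageFlags.Exportable);
        }
    }

    static void Main()
    {
        X509Certificate2 serverCert = MakeSelfSigned();
        var listener = new TcpListener(IPAddress.Loopback, 0);   // 0 = any free port (assumption)
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        Task serverTask = Task.Run(() =>
        {
            using (TcpClient accepted = listener.AcceptTcpClient())
            using (var ssl = new SslStream(accepted.GetStream(), false))
            {
                // SslProtocols.Default = Ssl3 | Tls (TLS 1.0): no SHA-256 suites can be negotiated.
                // Offering TLS 1.2 lets SChannel pick an HMAC-SHA256 or AEAD suite.
                ssl.AuthenticateAsServer(serverCert, false, SslProtocols.Tls12, false);
                Console.WriteLine("server: protocol={0} cipher={1} hash={2}",
                    ssl.SslProtocol, ssl.CipherAlgorithm, ssl.HashAlgorithm);
                ssl.Write(new byte[] { 1 });
            }
        });

        // Test-only callback: accept exactly our self-signed cert by thumbprint.
        // Never "return true" unconditionally; that disables server authentication.
        RemoteCertificateValidationCallback pin = (sender, cert, chain, errors) =>
            cert != null && cert.GetCertHashString() == serverCert.Thumbprint;

        using (var tcp = new TcpClient("localhost", port))
        using (var ssl = new SslStream(tcp.GetStream(), false, pin))
        {
            ssl.AuthenticateAsClient("localhost", null, SslProtocols.Tls12, false);
            Console.WriteLine("client: protocol={0} cipher={1} hash={2}",
                ssl.SslProtocol, ssl.CipherAlgorithm, ssl.HashAlgorithm);
            ssl.ReadByte();
        }

        serverTask.Wait();
        listener.Stop();
    }
}
```

Which suite (and therefore which HashAlgorithmType value) gets reported depends on the cipher suites enabled in the OS's SChannel configuration on both ends, not on anything in the application beyond the protocol versions it offers. On .NET Core 3.0 and later the CipherAlgorithm and HashAlgorithm properties are marked obsolete and NegotiatedCipherSuite gives the suite name directly.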

All replies

  • Hello Guohao,

    How did you generate the X.509 certificates? Although SHA256 is a kind of hash algorithm, X.509 certificates only support md5 (the default) or sha1 if you are using the makecert tool.

    Refer to this link: Certificate Creation Tool (Makecert.exe)

    Best regards,

    Neil Hu


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Wednesday, March 21, 2018 8:22 AM
    Moderator
  • Hi Neil, 

    Thanks for the reply. The link you provided is based on .NET 2.0, and here is the .NET 4.0 version, which supports sha256.

    https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.100).aspx

    By the way, we can get the certificate from a 3rd party, with SHA256. So we don't have to care about the certificate, but rather the API.

    Friday, March 23, 2018 2:13 AM
    Can anyone help to post this issue to the Microsoft internal discussion group? Because this issue really matters to our product security.
    Tuesday, March 27, 2018 9:07 AM
  • Hello Guohao,

    I'm sorry that I'm not an experienced person with certificates, and according to my search I think the issue is more related to the operating system. Try taking a look at the link below.

    You cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2

    > this issue occurs because the buffer that is provided by the GetCertHash() function is not big enough to store a hash value that is 256 bits (32 bytes) or larger.

    Although the circumstance isn't fully the same as yours, it occurs when the OS handles the SHA-256 hash algorithm. You could try it.

    Hope the above would be helpful.

    Best Regards,

    Neil Hu


    MSDN Community Support

    Wednesday, March 28, 2018 8:51 AM
    Moderator
  • Thanks Neil for the reply.

    Our product runs on Windows 10 Enterprise and .NET Framework 4.6. So I believe the system and framework "SHOULD BE" able to support the SHA-256 certificate when creating an SslStream object.

    The question is how to do it in C# code?

    Thursday, March 29, 2018 7:46 AM
  • Hello Guohao,

    Did you try to define a custom validation method for the certificate? Something like the code below.

    SslStream sslStream = new SslStream(
        client.GetStream(),
        false,
        new RemoteCertificateValidationCallback(ValidateServerCertificate));

    public static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // do some validation here; as written, returning true unconditionally
        // accepts every certificate (including one with sslPolicyErrors set)
        return true;
    }

    The code comes from the MSDN document.

    https://msdn.microsoft.com/en-us/library/system.net.security.sslstream(v=vs.110).aspx

    Best Regards,

    Neil Hu


    MSDN Community Support

    Thursday, March 29, 2018 8:10 AM
    Moderator