Undefined value returned for System.DirectoryServices.Protocols.SecurityProtocol enum

  • Question

  • Hello,

    I'm performing LDAP queries using the System.DirectoryServices.Protocols namespace.

    As part of the query I want to log the SSL information.

    After Binding the connection, I use the LdapConnection class to give me the value in the following property:

    ldapConnection.SessionOptions.SslInformation.Protocol

    According to the documentation, the value returned should be a value from this enum: 

    System.DirectoryServices.Protocols.SecurityProtocol

    However, I get back: '2048':

    

    I understand it shows like this as it's not defined in the enum... what does this value denote?

    Tuesday, July 18, 2017 1:42 PM

Answers

  • # define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800U

    This seems to be the most relevant value in the header files. However it seems to be "option" for connecting SSL instead of the version itself.

    (old question I know, but just in case someone is having the same issue... as I did) 

    The accepted answer is incorrect.
    The SecurityProtocol enumeration is (still) missing entries for TLS1.1 and TLS1.2 in .NET (ATTOW core 3.1 and full 4.8);
    Referring to https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-secpkgcontext_connectioninfo :

    public enum SecurityProtocol {
        //...
        // Bit values follow the Schannel SP_PROT_* constants referenced above.
        /// <summary>Transport Layer Security 1.1 server-side.</summary>
        Tls1_1_Server = 0x100,
        /// <summary>Transport Layer Security 1.1 client-side.</summary>
        Tls1_1_Client = 0x200,
        /// <summary>Transport Layer Security 1.2 server-side.</summary>
        Tls1_2_Server = 0x400,
        /// <summary>Transport Layer Security 1.2 client-side.</summary>
        Tls1_2_Client = 0x800,
    }


    Don't panic

    • Marked as answer by cheong00Editor Thursday, November 21, 2019 1:48 AM
    Wednesday, November 20, 2019 11:00 AM
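    To turn the raw number into something useful in a log line, here is an added example (it is not code from this thread, from the .NET framework, or from Microsoft's documentation) that decodes the integer behind SslInformation.Protocol with the SP_PROT_* bit values from the Schannel SecPkgContext_ConnectionInfo documentation linked in the answer above, so that the TLS 1.1/1.2 bits the .NET SecurityProtocol enum lacks still come out as names rather than as 2048. The TLS 1.3 bits (0x1000/0x2000) are taken from schannel.h and are not on this page; the class and method names (SslProtocolLogger, Describe, IsDeprecated, LogSession) are my own. The example also flags the protocol versions an LDAPS client should no longer accept, which is the check a practitioner logging this value usually wants.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

// Added example (not from the thread): decode the raw SslInformation.Protocol
// value using the Schannel SP_PROT_* bit layout, which the .NET enum only
// partially names (it stops at TLS 1.0 in the versions discussed above).
public static class SslProtocolLogger
{
    // Schannel SP_PROT_* constants. Values up to 0x800 come from the
    // SecPkgContext_ConnectionInfo documentation linked in the thread; the
    // two TLS 1.3 entries are from schannel.h (assumed, not on the page).
    private static readonly (int Bit, string Name)[] KnownBits =
    {
        (0x0001, "PCT1_SERVER"),
        (0x0002, "PCT1_CLIENT"),
        (0x0004, "SSL2_SERVER"),
        (0x0008, "SSL2_CLIENT"),
        (0x0010, "SSL3_SERVER"),
        (0x0020, "SSL3_CLIENT"),
        (0x0040, "TLS1_0_SERVER"),
        (0x0080, "TLS1_0_CLIENT"),
        (0x0100, "TLS1_1_SERVER"),
        (0x0200, "TLS1_1_CLIENT"),
        (0x0400, "TLS1_2_SERVER"),
        (0x0800, "TLS1_2_CLIENT"),
        (0x1000, "TLS1_3_SERVER"),
        (0x2000, "TLS1_3_CLIENT"),
    };

    // Everything below TLS 1.2: PCT, SSL 2/3, TLS 1.0 and TLS 1.1.
    private const int DeprecatedMask = 0x03FF;

    // Returns the names of every set bit, joined with '|'. Bits that are not
    // in the table are reported as UNKNOWN(0x...) instead of being dropped,
    // so a future Schannel value is still visible in the log.
    public static string Describe(int rawProtocol)
    {
        var names = new List<string>();
        int remaining = rawProtocol;
        foreach (var (bit, name) in KnownBits)
        {
            if ((rawProtocol & bit) != 0)
            {
                names.Add(name);
                remaining &= ~bit;
            }
        }
        if (remaining != 0)
            names.Add($"UNKNOWN(0x{remaining:X})");
        return names.Count == 0 ? "NONE(0)" : string.Join("|", names);
    }

    // True when a protocol version older than TLS 1.2 was negotiated.
    public static bool IsDeprecated(int rawProtocol) =>
        (rawProtocol & DeprecatedMask) != 0;

    // Call after Bind(): the property is typed as SecurityProtocol, so cast to
    // int to see the bits the enum does not name (2048 == 0x800 here).
    public static void LogSession(LdapConnection connection)
    {
        var ssl = connection.SessionOptions.SslInformation;
        int raw = (int)ssl.Protocol;
        Console.WriteLine(
            $"LDAPS session: protocol={raw} ({Describe(raw)}), " +
            $"cipherStrength={ssl.CipherStrength}");
        if (IsDeprecated(raw))
            Console.WriteLine("WARNING: deprecated SSL/TLS version negotiated");
    }

    public static void Main()
    {
        // The value from the question: 2048 == 0x800, i.e. TLS 1.2 client side.
        Console.WriteLine(Describe(2048));
        Console.WriteLine(IsDeprecated(2048));
        // A value that would warrant a warning under the mask above.
        Console.WriteLine(Describe(0x80));
        Console.WriteLine(IsDeprecated(0x80));
    }
}
```

    With the table above, Describe(2048) resolves to TLS1_2_CLIENT and IsDeprecated(2048) is false, which is the answer to the original question: the connection negotiated TLS 1.2 as a client, and the enum simply has no member for that bit in the .NET versions mentioned. Keeping the UNKNOWN fallback means the logger degrades gracefully rather than silently mislabelling a version it has not seen.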

All replies

  • From OpenSSL header line 308-315:

    /*
    * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added in
    * OpenSSL 0.9.6d.  Usually (depending on the application protocol) the
    * workaround is not needed.  Unfortunately some broken SSL/TLS
    * implementations cannot handle it at all, which is why we include it in
    * SSL_OP_ALL. Added in 0.9.6e
    */
    # define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800U

    This seems to be the most relevant value in the header files. However it seems to be "option" for connecting SSL instead of the version itself.

    If the server provides this value to you during protocol negotiation, since none of the SSL_OP_NO_TLSvx bits (meaning "don't connect with protocol version x") are present, it possibly means any protocol level the server side prefers.

    • Edited by cheong00Editor Wednesday, July 19, 2017 6:46 AM
    • Marked as answer by adurrans Monday, July 24, 2017 11:24 AM
    • Unmarked as answer by cheong00Editor Thursday, November 21, 2019 1:48 AM
    Wednesday, July 19, 2017 6:17 AM
    Answerer
  • Good. Information provided is verified correct.
    Thursday, November 21, 2019 1:48 AM
    Answerer