HttpWebRequest with AES 256 support

  • Question

  • We have a .NET WinForms application that downloads configuration files from a server.

    We have a requirement to support only the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite.

    Our application uses the default encryption algorithms available on the client PC to initiate the connection with the server.

    Can I restrict our client component to support only the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite, so that if the TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite is not supported by the client, it fails to connect?

    Application framework : .net 3.5

    Windows Versions to support : Windows 7/8/10

    Code Block

        // Requires: using System.IO; using System.Net; using System.Text;
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(_configFileUri);
        request.Credentials = CredentialCache.DefaultCredentials;
        request.UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;)";
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream receiveStream = response.GetResponseStream())
        using (StreamReader readStream = new StreamReader(receiveStream, Encoding.UTF8))
        using (StreamWriter sw = new StreamWriter(fileName, false, Encoding.UTF8))
        {
            // The posted snippet ends at the line above; copying the body to the file is assumed.
            sw.Write(readStream.ReadToEnd());
        }

    Client and Server Cipher Suites:

    Client PCAP, Server PCAP

    • Edited by Subbu J9 Friday, November 18, 2016 5:20 AM
    Friday, November 18, 2016 4:31 AM

All replies

  • Just disable/remove the unwanted ciphers for "server" as instructed by the KB article here. The bottom of the article contains information for later Windows systems.
    • Proposed as answer by Kristin Xie Monday, November 21, 2016 7:49 AM
    Friday, November 18, 2016 6:26 AM
  • Hi Subbu,

    I agree with cheong00. Have you tried it? Do you have any updates so far? If yes, please post them here. It would also be helpful for others who have the same issue.

    Best regards,



    Monday, November 21, 2016 8:00 AM
  • Hi Cheong00,

    Is it possible to handle this programmatically? Is there any API to handle it?

    I want to block the request on client side if TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite is not available.



    Monday, November 21, 2016 8:59 AM
  • I think there's no way to control it purely within the .NET framework.

    You may use System.Net.Sockets.Socket with P/Invoke to allow you to specify ciphers on the AcceptSecurityContext() API. An example in C++ on how to use it is here.

    Unfortunately I'm quite busy these few days so either you try to convert the code yourself, other helpers help to convert it, or you'll have to wait until Saturday/Sunday and I'll try to do it.

    EDIT: Originally I thought System.Net.Security.SslStream is not suitable because at most it allows you to specify the SSL protocol version (like TLS1, TLS1.1 or TLS1.2) and all other properties are "get only". However, since it has InnerStream exposed, it could be worthwhile to check if we can somehow intercept it. (Not done that before so not sure)
    Tuesday, November 22, 2016 1:34 AM
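
Added example, not part of the thread and not code from any poster: because the negotiated-algorithm properties on SslStream are read-only, one client-side option is to check them right after the handshake and drop the connection before any application data is sent. This does not change which suites the client offers. `PinnedSuiteClient` and `Connect` are hypothetical names, and the code assumes a runtime on which SslStream can negotiate TLS 1.2 (the numeric values are cast because the .NET 3.5 enums do not name them).

```csharp
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Hypothetical helper, not from the thread.
static class PinnedSuiteClient
{
    // Schannel values cast to the enums because .NET 3.5 does not name them.
    const SslProtocols Tls12 = (SslProtocols)0x0C00;            // TLS 1.2 client + server bits
    const HashAlgorithmType Sha256 = (HashAlgorithmType)0x800C; // CALG_SHA_256

    // SslStream reports the negotiated algorithms, not the suite number.
    // TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D) shows up as RSA key exchange,
    // AES-256 and SHA-256 on a TLS 1.2 session.
    static bool IsRequiredSuite(SslStream s)
    {
        return (s.SslProtocol & Tls12) != 0
            && s.KeyExchangeAlgorithm == ExchangeAlgorithmType.RsaKeyX
            && s.CipherAlgorithm == CipherAlgorithmType.Aes256
            && s.CipherStrength == 256
            && s.HashAlgorithm == Sha256;
    }

    // Returns an authenticated stream, or throws before any application
    // data is written if the server selected a different suite.
    public static SslStream Connect(string host, int port)
    {
        TcpClient tcp = new TcpClient(host, port);
        SslStream ssl = new SslStream(tcp.GetStream(), false);
        try
        {
            // Offer TLS 1.2 only; certificate revocation checking stays enabled.
            ssl.AuthenticateAsClient(host, null, Tls12, true);
            if (!IsRequiredSuite(ssl))
                throw new AuthenticationException(
                    "Unexpected suite: " + ssl.KeyExchangeAlgorithm + "/" +
                    ssl.CipherAlgorithm + "/" + ssl.HashAlgorithm);
            return ssl;
        }
        catch
        {
            ssl.Close();   // also closes the underlying network stream
            tcp.Close();
            throw;
        }
    }
}
```

The caller writes the HTTP request over the returned stream itself, since HttpWebRequest does not expose the negotiated algorithms.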
  • While looking for hints on how to do it, I came across this project called AaltoTLS that will do what you need.

    The way to use it is here. The ALG_ID to be passed in CipherSuiteIDs.Add() for TLS_RSA_WITH_AES_256_CBC_SHA256 is 0x3d.

    Try it and see if it works for you.

    Sunday, November 27, 2016 7:52 AM