SslStream.KeyExchangeAlgorithm 44550

  • Question

  • SslStream.KeyExchangeAlgorithm is returning value 44550, instead of one of the defined ExchangeAlgorithmType enumeration values.  I noticed that the KeyExchangeStrength is 256, which would be a reasonable strength for an EllipticCurveDiffieHellman exchange, and I noticed that ExchangeAlgorithmType doesn't contain any value related to ECDH.  So I am guessing that 44550 corresponds to ECDH, but it really, really needs to be defined in the ExchangeAlgorithmType enumeration.  This makes even less sense, because my server has an RSA 3072 key.  So the negotiated algorithm should be RSA, 3072.

    Microsoft?  Help please!  Bad Microsoft.  Bad.

    For reference:

    ExchangeAlgorithmType      hex      decimal
        None          = 0x0000        0
        DiffieHellman = 0xAA02    43522
        RsaKeyX       = 0xA400    41984
        RsaSign       = 0x2400     9216

        ???           = 0xAE06    44550
    Friday, April 18, 2014 10:10 PM

Answers

  • I have been working with MS support on this issue, and they have confirmed that there is a new type. I don't know what they're going to call it exactly, but it is ECDH Ephemeral, and it should be expected that the key strength will be 256 or 384, which would correspond to RSA 3072 and larger. The ECDH key exchange is much faster and smaller than the equivalent strength RSA key exchange.  Comparable cryptographic strengths are:  RSA 3072 ~ ECDH 256 ~ AES 128

    For now, the value 44550 is equivalent to ECDH_Ephem, or whatever they're going to call it.  I wish the documentation and .NET / Visual Studio had been updated to include this info before it was released into the wild.

    Tuesday, April 22, 2014 8:20 PM

All replies

  • Hello Edward Harvey Concept Blossom,

    Could you please share some code with us as how the SslStream.KeyExchangeAlgorithm is returned? As far as I know, the KeyExchangeAlgorithm is an enum type which only contains four values just as what you have described.

    Thanks & Regards.



    Monday, April 21, 2014 6:55 AM
    Moderator
  • Here is some example code that lets you observe the bug.

    Launch the server in your debugger, and then launch the client.  The problem has been observed on Win 8.1 Pro and Win Server 2012 R2.  It has NOT been observed on Win7.  No other platforms have been tested, because having it on Win 8.1 and 2012R2 was sufficient to declare that this needs to be submitted to MS support.

    The problem was first observed on Friday 4/18/2014

    https://dl.dropboxusercontent.com/u/543241/SslStreamBug.zip


    Monday, April 21, 2014 3:31 PM
  • Hello,

    Thanks for sharing it with us. I downloaded it and made a test with it, and I got the result RSA and 3072 successfully. Since I do not have Server 2012 R2, I used Win 8.1 and VS 2013 from .NET 2.0 to .NET 4.5.1. I think it may be a system issue rather than a .NET issue.

    For this, you can post it to:

    http://answers.microsoft.com/en-us

    >> No other platforms have been tested, because having it on Win 8.1 and 2012R2 was sufficient to declare, this needs to be submitted to MS support.

    There is a specific site for collecting feedback:

    https://connect.microsoft.com/VisualStudio

    Regards.





    Tuesday, April 22, 2014 3:36 AM
    Moderator
  • Maybe your Microsoft updates are not fully updated?

    This problem was observed on two separate Win 8.1 Pro systems, and a Win 2012 R2 system which was freshly installed and fully updated on Friday specifically to test this.  Now that I think of it, we only ran the server component on the 2012R2 server, and ran the client on Win8.1Pro.

    I'll go dig some more...  Including running the server and client both on the 2012R2 server and some other stuff.

    Tuesday, April 22, 2014 12:14 PM
  • Ok, I updated that source code slightly, to display results on console rather than requiring debugger (so I can more easily run it on different machines.)  URL hasn't changed, so the above https link is still valid; just an updated zip file sitting there now.

    When I run on 8.1Pro x86_64, I get this:

    C:\Users\eharvey\Exclude From Backups>server 443
    Server starting
              sslStream.CipherAlgorithm: Aes256
               sslStream.CipherStrength: 256
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: 44550
          sslStream.KeyExchangeStrength: 256
                  sslStream.SslProtocol: Tls

    C:\Users\eharvey\Exclude From Backups>client localhost 443
              sslStream.CipherAlgorithm: Aes256
               sslStream.CipherStrength: 256
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: 44550
          sslStream.KeyExchangeStrength: 256
     sslStream.RemoteCertificate.Issuer: CN=unconfigured
    sslStream.RemoteCertificate.Subject: CN=unconfigured
                  sslStream.SslProtocol: Tls

    And when I run on server 2012R2, I get:

    (port 443 is already used on server, so I picked 10000 instead, just because it worked.)

    C:\Users\Administrator\Desktop>server 10000
    Server starting
              sslStream.CipherAlgorithm: Aes256
               sslStream.CipherStrength: 256
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: 44550
          sslStream.KeyExchangeStrength: 256
                  sslStream.SslProtocol: Tls

    C:\Users\Administrator\Desktop>client localhost 10000
              sslStream.CipherAlgorithm: Aes256
               sslStream.CipherStrength: 256
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: 44550
          sslStream.KeyExchangeStrength: 256
     sslStream.RemoteCertificate.Issuer: CN=unconfigured
    sslStream.RemoteCertificate.Subject: CN=unconfigured
                  sslStream.SslProtocol: Tls
    Tuesday, April 22, 2014 1:04 PM
  • When I run on Win 7 Ultimate x86_64, I get:

    C:\Users\eharvey>Server.exe 443
    Server starting
              sslStream.CipherAlgorithm: Aes128
               sslStream.CipherStrength: 128
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: RsaKeyX
          sslStream.KeyExchangeStrength: 3072
                  sslStream.SslProtocol: Tls

    C:\Users\eharvey>Client.exe localhost 443
              sslStream.CipherAlgorithm: Aes128
               sslStream.CipherStrength: 128
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: RsaKeyX
          sslStream.KeyExchangeStrength: 3072
     sslStream.RemoteCertificate.Issuer: CN=unconfigured
    sslStream.RemoteCertificate.Subject: CN=unconfigured
                  sslStream.SslProtocol: Tls

    And when I run on Mac OSX, I get:

    Edwards-MacBook-Pro:trash eharvey$ mono Server.exe 10000
    Server starting
              sslStream.CipherAlgorithm: Aes256
               sslStream.CipherStrength: 256
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: RsaKeyX
          sslStream.KeyExchangeStrength: 3072
                  sslStream.SslProtocol: Tls

    Edwards-MacBook-Pro:trash eharvey$ mono Client.exe localhost 10000
              sslStream.CipherAlgorithm: Aes256
               sslStream.CipherStrength: 256
                sslStream.HashAlgorithm: Sha1
                 sslStream.HashStrength: 160
              sslStream.IsAuthenticated: True
                  sslStream.IsEncrypted: True
                     sslStream.IsSigned: True
         sslStream.KeyExchangeAlgorithm: RsaKeyX
          sslStream.KeyExchangeStrength: 3072
     sslStream.RemoteCertificate.Issuer: CN=unconfigured
    sslStream.RemoteCertificate.Subject: CN=unconfigured
                  sslStream.SslProtocol: Tls


    Tuesday, April 22, 2014 1:11 PM
  • I want to repeat that the 2012R2 server is a fresh install, followed by MS Updates, followed by VMWare Tools installation, and that's it.  It is absolutely pristine.

    The 2012R2 server installation DVD is a new release on MSDN, released Apr 2, 2014.  It is called:

    Windows Server 2012 R2 with Update (x64)  *new*

    I am extremely certain that the problem behavior is caused by a recent MS Update.  I just don't know which one.

    Tuesday, April 22, 2014 1:17 PM
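Added example (not code from the thread, from Microsoft, or from the SslStreamBug.zip tool): the ExchangeAlgorithmType members quoted in the question are the raw Windows CAPI ALG_ID numbers from wincrypt.h, where bits 13-15 are the algorithm class, bits 9-12 the type and bits 0-8 the sub-id. Rebuilding the CALG_* macros from those fields shows why the accepted answer's "ECDH Ephemeral" lands on 44550: CALG_ECDH_EPHEM is ALG_CLASS_KEY_EXCHANGE | ALG_TYPE_ECDH | ALG_SID_ECDH_EPHEM = 0xAE06. The script below decodes any ALG_ID the enum does not name, then applies a policy check to the "sslStream.<Property>: <value>" lines printed in the listings above (the two embedded dumps are constructed from the Win 8.1/2012 R2 and Win 7 output). The names ECDH and ECDH_EPHEM, the 256-bit ECC / 2048-bit RSA minimums, and treating only the ephemeral ALG_IDs as forward-secret are this example's own assumptions, not something the thread states.

```python
import re

# wincrypt.h ALG_ID layout: class in bits 13-15, type in bits 9-12, SID in bits 0-8.
ALG_CLASS = {1: "SIGNATURE", 2: "MSG_ENCRYPT", 3: "DATA_ENCRYPT",
             4: "HASH", 5: "KEY_EXCHANGE"}
ALG_TYPE = {0: "ANY", 1: "DSS", 2: "RSA", 3: "BLOCK", 4: "STREAM",
            5: "DH", 6: "SECURECHANNEL", 7: "ECDH"}


def calg(cls: int, typ: int, sid: int) -> int:
    """Build an ALG_ID the way the CALG_* macros in wincrypt.h do."""
    return (cls << 13) | (typ << 9) | sid


# Key-exchange ALG_IDs. The first three are the ExchangeAlgorithmType members
# quoted in the question; the last two exist in wincrypt.h but not in the enum
# (the names ECDH / ECDH_EPHEM are this example's choice).
KEYX_NAMES = {
    calg(1, 2, 0): "RsaSign",        # 0x2400 =  9216 (CALG_RSA_SIGN)
    calg(5, 2, 0): "RsaKeyX",        # 0xA400 = 41984 (CALG_RSA_KEYX)
    calg(5, 5, 2): "DiffieHellman",  # 0xAA02 = 43522 (CALG_DH_EPHEM)
    calg(5, 5, 5): "ECDH",           # 0xAA05 = 43525 (CALG_ECDH, static)
    calg(5, 7, 6): "ECDH_EPHEM",     # 0xAE06 = 44550 (CALG_ECDH_EPHEM)
}
EPHEMERAL = {calg(5, 5, 2), calg(5, 7, 6)}   # the only ones giving forward secrecy


def decode_alg_id(alg_id: int) -> dict:
    """Split an ALG_ID into its fields and attach a name when one is known."""
    return {
        "value": alg_id,
        "class": ALG_CLASS.get(alg_id >> 13, "UNKNOWN"),
        "type": ALG_TYPE.get((alg_id >> 9) & 0xF, "UNKNOWN"),
        "sid": alg_id & 0x1FF,
        "name": KEYX_NAMES.get(alg_id, f"unnamed(0x{alg_id:04X})"),
    }


def assess_key_exchange(alg_id: int, strength: int) -> dict:
    """Policy check on the negotiated key exchange (thresholds are assumptions).

    KeyExchangeStrength is the curve size for ECDH and the modulus size for
    RSA/DH, so the minimum depends on the family: 256-bit ECC and 3072-bit
    RSA/DH are both roughly 128-bit security; 2048-bit RSA/DH is the floor here.
    """
    info = decode_alg_id(alg_id)
    is_ecc = info["type"] == "ECDH" or info["name"] == "ECDH"
    minimum = 256 if is_ecc else 2048
    forward_secrecy = alg_id in EPHEMERAL
    return {
        **info,
        "forward_secrecy": forward_secrecy,
        "strength_ok": info["class"] == "KEY_EXCHANGE" and strength >= minimum,
        "acceptable": forward_secrecy and strength >= minimum,
    }


_LINE = re.compile(r"sslStream\.(\w+):\s*(\S+)")
_ENUM_TO_ALG = {name: alg for alg, name in KEYX_NAMES.items()}


def parse_dump(text: str) -> dict:
    """Parse 'sslStream.<Property>: <value>' lines like the thread's listings.

    KeyExchangeAlgorithm prints as the enum name when .NET knows the value
    ("RsaKeyX") and as a bare integer when it does not ("44550").
    """
    props = dict(_LINE.findall(text))
    raw = props["KeyExchangeAlgorithm"]
    alg_id = int(raw) if raw.isdigit() else _ENUM_TO_ALG[raw]
    return assess_key_exchange(alg_id, int(props["KeyExchangeStrength"]))


# Constructed from the Win 8.1 / 2012 R2 and Win 7 listings in the thread.
WIN81_DUMP = """\
     sslStream.KeyExchangeAlgorithm: 44550
      sslStream.KeyExchangeStrength: 256
"""
WIN7_DUMP = """\
     sslStream.KeyExchangeAlgorithm: RsaKeyX
      sslStream.KeyExchangeStrength: 3072
"""

if __name__ == "__main__":
    for label, dump in (("Win 8.1", WIN81_DUMP), ("Win 7", WIN7_DUMP)):
        print(label, parse_dump(dump))
```

Run as-is, the Win 8.1 dump decodes to class KEY_EXCHANGE, type ECDH, SID 6 (ECDH_EPHEM) with forward secrecy, while the Win 7 dump decodes to RsaKeyX: a 3072-bit static RSA key exchange that passes the strength floor but has no forward secrecy, which is the property a practitioner cares about more than the enum name.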
  • Hi,

    >>  I wish the documentation and .NET / Visual Studio had been updated to include this info before it was released into the wild.

    I think you can post your feedback here:

    https://connect.microsoft.com/

    Anyway, it is good to hear that you have found the reason for returning 44550.



    Thursday, April 24, 2014 8:46 AM
    Moderator