
Allow changing cipher suites offered in SSL/TLS handshake #19914

Closed
tewarid opened this issue Jan 13, 2017 · 2 comments
Labels: api-needs-work (API needs work before it is approved, it is NOT ready for implementation), area-System.Net.Security, help wanted ([up-for-grabs] Good issue for external contributors)

Comments

tewarid commented Jan 13, 2017

Some servers require clients to use a specific suite of ciphers that is different from the one netcore offers by default.

This is the list that netcore on Windows 10 defaults to (on my PC):

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 165
    Version: TLS 1.2 (0x0303)
    Random
    Session ID Length: 0
    Cipher Suites Length: 46
    Cipher Suites (23 suites)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
        Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
        Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

For comparison, here's the list netcore offers on OS X Sierra:

    Cipher Suites Length: 202
    Cipher Suites (101 suites)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00a5)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
        Cipher Suite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00a1)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
        Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA256 (0x0069)
        Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA256 (0x0068)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
        Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
        Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
        Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
        Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
        Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
        Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
        Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
        Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0x00a7)
        Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256 (0x006d)
        Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
        Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)
        Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
        Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
        Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
        Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (0x00a4)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
        Cipher Suite: TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (0x00a0)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
        Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA256 (0x003f)
        Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA256 (0x003e)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
        Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
        Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
        Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
        Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
        Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
        Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
        Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
        Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
        Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
        Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
        Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
        Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
        Cipher Suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256 (0x00a6)
        Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256 (0x006c)
        Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
        Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)
        Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)
        Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
        Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
        Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
        Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
        Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
        Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
        Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
        Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)
        Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)
        Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
        Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
        Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
        Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
        Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
        Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
        Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
        Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
        Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
        Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Here are the cipher suites offered by .NET for Windows (TLS 1.0 is the default unless a different SslProtocol is specified in the call to AuthenticateAsClient):

Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 107
    Version: TLS 1.0 (0x0301)
    Random
    Session ID Length: 0
    Cipher Suites Length: 22
    Cipher Suites (11 suites)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
        Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
        Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
        Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

One way to solve this in corefx would be to add something akin to Xamarin's ClientCipherSuitesCallback to the ServicePointManager.

Possible workarounds:

  1. See workaround posted in Add SmtpClient support #14288.

  2. See Microsoft knowledge base article on how to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll (applicable to Windows only).
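An added example, not code from this issue or from .NET, that audits an offered cipher-suite list in the dissector layout quoted above: it checks the declared "Cipher Suites Length" against the suite count (46 bytes for 23 suites, and so on) and flags the anonymous, RC4, 3DES, MD5 and non-forward-secret suites of the kind that appear in the OS X list. SAMPLE is a constructed excerpt of those lists.

```python
"""Audit the cipher suites a TLS client offers, as read from a dissector dump.
Added example, not from the dotnet/corefx issue; input uses the layout quoted there."""
import re
from typing import NamedTuple

SUITE_RE = re.compile(r"Cipher Suite:\s+(\S+)\s+\(0x([0-9a-fA-F]{4})\)")
# Each reason is paired with the suite-name pattern that identifies it.
WEAK_PATTERNS = [
    ("anonymous key exchange, no server authentication", re.compile(r"_anon_")),
    ("RC4 stream cipher", re.compile(r"_RC4_")),
    ("3DES block cipher", re.compile(r"_3DES_")),
    ("MD5-based MAC", re.compile(r"_MD5$")),
    ("static RSA key exchange, no forward secrecy", re.compile(r"^TLS_RSA_WITH_")),
    ("static (EC)DH key exchange, no forward secrecy", re.compile(r"^TLS_(EC)?DH_(RSA|DSS|ECDSA)_")),
]

class Suite(NamedTuple):
    name: str
    code: int  # 16-bit value sent on the wire

def parse_suites(dump: str) -> list[Suite]:
    """All suite lines in order, including signalling values such as the SCSV."""
    return [Suite(m.group(1), int(m.group(2), 16)) for m in SUITE_RE.finditer(dump)]

def header_consistent(dump: str) -> bool:
    """The declared byte length must be twice the declared count and the parsed count."""
    length = int(re.search(r"Cipher Suites Length:\s+(\d+)", dump).group(1))
    count = int(re.search(r"Cipher Suites \((\d+) suites\)", dump).group(1))
    return length == 2 * count == 2 * len(parse_suites(dump))

def audit(suites: list[Suite]) -> dict[str, list[str]]:
    """Map each weak suite name to its reasons; SCSVs are signals, not suites."""
    findings = {}
    for s in suites:
        if s.name.endswith("_SCSV"):
            continue
        reasons = [why for why, pat in WEAK_PATTERNS if pat.search(s.name)]
        if reasons:
            findings[s.name] = reasons
    return findings

# Constructed excerpt in the dissector's layout, drawn from the lists above.
SAMPLE = """\
    Cipher Suites Length: 10
    Cipher Suites (5 suites)
        Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
        Cipher Suite: TLS_DH_anon_WITH_AES_256_GCM_SHA384 (0x00a7)
        Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
        Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
        Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
"""
```

Run `audit(parse_suites(dump))` on any of the three captures above to see which entries a pinned cipher-suite list should drop.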

Priya91 (Contributor) commented Jan 21, 2017

@tewarid Would you like to come up with an api proposal? The proposal should explain the usage scenarios and the API design.

tewarid (Author) commented Feb 2, 2017

@Priya91 Switching to TLS 1.2 has eliminated the need for a customized cipher suite list in my case. I don't have a reason to justify pursuing this further. Please reopen if needed.

@tewarid tewarid closed this as completed Feb 2, 2017
@msftgits msftgits transferred this issue from dotnet/corefx Jan 31, 2020
@msftgits msftgits added this to the 2.0.0 milestone Jan 31, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 26, 2020