
I'm being told that the following ciphers are supported for an https endpoint:

TLS 1.2 (suites in server-preferred order)

  • TLS1.2_ECDHE_RSA_AES_128_GCM_SHA256
  • TLS1.2_DHE_RSA_AES_256_GCM_SHA384
  • TLS1.2_DHE_RSA_AES_128_GCM_SHA256

I have a Windows service in C# (.NET Framework 4.7.2) running on a Windows Server 2008R2 which will try to reach the https endpoint via an HttpClient PostAsync call.

How can I tell if any of the ciphers are enabled on Win2008r2 and which will be used?

The weird thing I must state is that on my dev machine (Win10 x64) I can reach the https endpoint without a problem. I have the appropriate Firewall exceptions in place on the Win2008r2 server.

I've been around the horn on this, checking various registry keys on the Win2008r2 and trying various settings for the ServicePointManager.SecurityProtocol (Default, Tls12, etc.) in my codebase.

This is another last-ditch effort to try and figure out why my Win10 dev machine works and the Win2008R2 doesn't.

BTW here is the error I get from the Win2008r2 server:

No connection could be made because the target machine actively refused it xxx.xxx.xx.xxx:443

user3297833
  • You could use a [tool like Wireshark](https://security.stackexchange.com/questions/142939/determine-ssl-tls-version-using-wireshark) to see the TCP handshake going on. It – Crowcoder Mar 04 '21 at 13:10
  • Wireshark is really a heavy handed approach and I'll have to get a network guy involved. I'm trying to resolve without that type of deep dive but thanks for the suggestion. – user3297833 Mar 04 '21 at 13:12
  • Maybe [this](https://stackoverflow.com/questions/62610835/how-can-i-get-negotiated-tls-version-used-in-httpclient-post-requests)? – Crowcoder Mar 04 '21 at 13:14
  • Yes -- I'll try that -- excellent find -- I'll post what I find – user3297833 Mar 04 '21 at 13:16
  • For really understanding what is sent and received Wireshark is the best option. You only need the SSL/TLS handshake, especially the CLIENT_HELLO message, to see what SSL/TLS version is used and what ciphers are supported by the client. For Vista/2008r2 TLS details see also https://learn.microsoft.com/en-us/windows/win32/secauthn/schannel-cipher-suites-in-windows-vista Note that the list only contains ciphers with SHA1, therefore I would assume this is your problem. As Win2K8 is a little outdated it may be a good idea to switch to a more recent server version. – Robert Mar 04 '21 at 13:28

1 Answer


Thanks Crowcoder for pointing out that previous article on .NET tracing. I included the two classes into my code and was able to see the trace and the TLS version I'm using clearly:

```
System.Net Information: 0 : [25532] ConnectStream#62696216::ConnectStream(Buffered -1 bytes.)
System.Net Information: 0 : [25532] Associating HttpWebRequest#36963566 with ConnectStream#62696216
System.Net Information: 0 : [25532] Associating HttpWebRequest#36963566 with HttpWebResponse#31071611
System.Net Information: 0 : [25532] ContentLength=-1
System.Net Information: 0 : [25532] TlsStream#63566392::.ctor(host=xxx.yyyyzzz.com, #certs=0, checkCertificateRevocationList=False, sslProtocols=Default, Tls12)
System.Net Information: 0 : [25532] Associating HttpWebRequest#57416410 with ConnectStream#24004906
System.Net Information: 0 : [25532] HttpWebRequest#57416410 - Request: POST /ImportAssignment HTTP/1.1
```

user3297833
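The question asks how to tell which of the listed suites the Win2008R2 box can use, and the answer above shows the System.Net trace, which reports the protocol setting but not the negotiated suite. As an added example (not code from the question, the answer, or the linked articles), the following .NET Framework console probe separates the two failure points this thread touches: a plain TCP connect, where "actively refused" (SocketError.ConnectionRefused) is raised before any TLS message is sent, and the Schannel handshake, after which SslStream exposes the protocol, cipher, hash and key-exchange algorithms that this machine actually negotiated. The host name is a placeholder command-line argument; port 443 and SslProtocols.Tls12 are assumed from the question.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added diagnostic probe (hypothetical; not from the original post or answer).
// Assumes .NET Framework 4.7.2 as in the question and a host name passed as args[0].
static class TlsProbe
{
    public static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "endpoint.example.invalid"; // placeholder host
        int port = 443;

        using (var tcp = new TcpClient())
        {
            // Step 1: TCP connect. A refused connection fails here, with
            // SocketError.ConnectionRefused, before Schannel is involved at all.
            try
            {
                tcp.Connect(host, port);
            }
            catch (SocketException ex)
            {
                Console.WriteLine("TCP connect failed: {0} ({1})", ex.SocketErrorCode, ex.Message);
                return;
            }
            Console.WriteLine("TCP connected to {0}:{1}", host, port);

            // Step 2: TLS handshake through Schannel. A missing common cipher suite or
            // protocol mismatch surfaces here as AuthenticationException, not SocketException.
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                try
                {
                    // clientCertificates = null, TLS 1.2 only, no revocation check for the probe.
                    ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, false);
                }
                catch (AuthenticationException ex)
                {
                    Console.WriteLine("TLS handshake failed: {0}", ex.Message);
                    if (ex.InnerException != null)
                        Console.WriteLine("  inner: {0}", ex.InnerException.Message);
                    return;
                }

                // What Schannel on this machine actually negotiated with the endpoint.
                Console.WriteLine("Protocol:     {0}", ssl.SslProtocol);
                Console.WriteLine("Cipher:       {0} ({1}-bit)", ssl.CipherAlgorithm, ssl.CipherStrength);
                Console.WriteLine("Hash:         {0} ({1}-bit)", ssl.HashAlgorithm, ssl.HashStrength);
                Console.WriteLine("Key exchange: {0} ({1}-bit)", ssl.KeyExchangeAlgorithm, ssl.KeyExchangeStrength);
            }
        }
    }
}
```

Run the same binary on the Win10 dev machine and on the Win2008R2 server and compare the output: if the server never gets past step 1, the problem is network reachability or a listener issue rather than cipher support; if step 1 succeeds and step 2 throws, Schannel on that host has no suite in common with the endpoint's list, which is the registry and update question the comments point at.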