How to add to the cipher suites available to the ASP.NET HttpRequest client?

When my ASP.NET website runs in a Windows 7 window, it can connect (programmatically as a "client") to an encrypted SSL service ("server") on another Windows 7 machine.

But if my site is in a production box (Windows Server 2003), the service window log displays:

A TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. Failed to complete SSL connection request.

(The service uses a self-signed certificate created by makecert.exe, but I don't see how to make makecert allow more cipher suites ... or am I installing something on 2003 boxes ...? This: https://serverfault.com/questions/166750 does not work for me because I do not use CSR.)

1 answer

The solution was to create my certificate again, this time forcing RSA and SHA1 (although SHA1 should still be the default anyway). For some reason, Win Server 2k3 could not or did not use the correct ciphers with the default makecert certificate. Here is the command line that worked for me:

makecert -pe -r -ss my -sr localMachine -n "CN=domainnameoripaddressgoeshere.com" -e 01/01/2098 -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

For more details see http://mgowen.com/2013/06/19/cipher-suites-issue/ and http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx.

If someone finds that they really want to know about cipher suites, here are some things I found along the way that might help you:

  • You can add two RSA encryption sets to a Windows 2003 server with this hotfix: http://support.microsoft.com/kb/948963
  • You can see which ciphers are supported in regedit (Windows registry editor) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
  • You can use IIS Crypto (a free encryption application, https://www.nartac.com/Products/IISCrypto/) to view and enable/disable ciphers (including these hotfix ciphers above).
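
To compare the two machines without clicking through regedit, the registry key named in the answer can be dumped with a read-only script. This is an added example, not part of the original answer; the function name Get-SchannelCipherState is hypothetical, and it assumes PowerShell 2.0 or later is installed (a separate download on Windows Server 2003) and that each cipher subkey uses an Enabled DWORD where 0 means disabled, a non-zero value means enabled, and a missing value means the OS default applies.

```powershell
# Added example: report the state of each cipher listed under the SCHANNEL
# Ciphers registry key. Read-only; run it on both machines and compare.
$path = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    param([string]$SubKeyPath = $path)

    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKeyPath)
    if ($root -eq $null) {
        Write-Warning "HKLM\$SubKeyPath not found; nothing to report."
        return
    }
    try {
        # GetSubKeyNames() is used instead of Get-ChildItem because cipher key
        # names such as "RC4 128/128" contain "/", which the PowerShell
        # registry provider can mistake for a path separator.
        foreach ($name in $root.GetSubKeyNames()) {
            $key = $root.OpenSubKey($name)
            try {
                $enabled = $key.GetValue('Enabled')   # REG_DWORD, or $null if absent
            } finally { $key.Close() }

            if ($enabled -eq $null) { $state = 'OS default (no Enabled value)' }
            elseif ($enabled -eq 0) { $state = 'Disabled' }
            else                    { $state = 'Enabled' }  # 0xffffffff reads back as -1

            New-Object PSObject -Property @{ Cipher = $name; State = $state }
        }
    } finally { $root.Close() }
}

Get-SchannelCipherState | Sort-Object Cipher | Format-Table Cipher, State -AutoSize
```

The key lists individual ciphers rather than full cipher suites, so a difference here narrows down the mismatch reported in the service log but does not by itself name the missing suite.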