Reputation: 63
I am working on a .NET 4.0 application that needs to make connections to a website server. I've been getting the following error on and off periodically (pattern appears to start around lunch and happens in clusters): "The underlying connection was closed. An unexpected error occurred on a send." Everything I've seen relating to this error is pointing me towards a TLS error. I used SSLLabs to determine that the remote server is using TLS 1.1 and TLS 1.2, but with only a few ciphers available. I suspect that the connection being created by the application is occasionally trying to use a cipher that isn't supported, and this error is being hit.
Because of the sensitivity of the production environment and the semi-randomness of the timing of this error, I'm not able to run a Wireshark or Fiddler test on the server to determine what cipher is being used during failures. I've verified the application IS using TLS 1.2, however.
Is there any way to access from the application programmatically what cipher(s) are being used by the HttpWebRequest object, or is there a way to specify from the application which cipher to use?
Upvotes: 6
Views: 8059
Reputation: 2472
You can find out the debug info for Schannel (which is the SSL tool/device that does the SSL handshake) here:
By default, Microsoft SSL only logs serious SSL connection errors to the event log. However, you can change the level of SSL connection information logged here by making a Windows registry change. First, make sure the following REG_DWORD registry entry exists. (Add it if it does not.)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
Next, set the value of this new entry to '7'. From this point on you should see Schannel events show up in your System event log on that server.
For more information, please see the following Microsoft KB article:
http://support.microsoft.com/kb/260729
Upvotes: 0
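As an added illustration of the registry change described in this answer (example script, not part of the original answer or of any Microsoft documentation): it sets the EventLogging value to 7 and then reads back the Schannel events from the System log for the window in which the application failed. It assumes an elevated PowerShell prompt on the machine that runs the .NET client.

```powershell
# Added example: enable verbose Schannel event logging as the answer describes,
# then pull the Schannel events that land in the System log so a failure cluster
# can be matched to the handshake alerts recorded at the same time.
# Assumes an elevated PowerShell prompt on the machine running the .NET client.

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Enable-SchannelEventLogging {
    param([int]$Level = 7)   # 7 = errors (1) + warnings (2) + informational (4)

    $existing = Get-ItemProperty -Path $schannelKey -Name EventLogging -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Value does not exist yet: create it as REG_DWORD, as the answer instructs.
        New-ItemProperty -Path $schannelKey -Name EventLogging -PropertyType DWord -Value $Level | Out-Null
    } else {
        Set-ItemProperty -Path $schannelKey -Name EventLogging -Value $Level
    }
    # Return the effective value so the change can be confirmed.
    (Get-ItemProperty -Path $schannelKey -Name EventLogging).EventLogging
}

function Get-SchannelEvents {
    # Returns Schannel events from the System log within a time window.
    # Use the window in which the application saw "The underlying connection was closed".
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [datetime]$Until = (Get-Date)
    )
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $Since; EndTime = $Until }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: enable logging once, wait for (or reproduce) the failure, then group the
# events by Id to see which Schannel condition dominates the failing period.
Enable-SchannelEventLogging
Get-SchannelEvents -Since (Get-Date).AddHours(-2) |
    Group-Object Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Only handshakes started after the value is set produce events, so the log has to cover a period in which the error actually recurs.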
Reputation: 1533
I had a similar issue a few months ago and I remember reading somewhere that the negotiation of the cipher suite is done by the OS (Schannel in the case of Windows); I couldn't find a way to control this from within the .NET framework.
The following articles were helpful to me in order to better understand the .NET framework behavior around this (which is different between versions).
Transport Layer Security (TLS) best practices with the .NET Framework
SCH_USE_STRONG_CRYPTO flag (which was relevant in my case)
EDIT:
This is the article (by Troy Starr [MSFT]) that helped me to understand my problem: https://community.qualys.com/thread/16917-net-framework#comment-35829
Upvotes: 4