Defining my own TlsCipherSuite in ASP.NET
I'm building a web service using ASP.NET. At the moment the service is running locally and I checked the allowed TLS versions and ciphers using Nmap. My result was this:
```text
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
```
I now want to define my own cipher set in ASP.NET. I tried using the examples from the Microsoft documentation for Kestrel: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1#listenoptionsprotocols
My code looks like this:
```csharp
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Authentication;
using Microsoft.AspNetCore.Hosting;

// ... inside the IWebHostBuilder configuration
webBuilder.UseKestrel(kestrelOptions =>
{
    kestrelOptions.ConfigureHttpsDefaults(httpsOptions =>
    {
        // Only allow TLS 1.2 and TLS 1.3 on every HTTPS endpoint
        httpsOptions.SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;

        // Runs once per connection, right before the TLS handshake,
        // and lets us adjust the SslServerAuthenticationOptions
        httpsOptions.OnAuthenticate = (connectionContext, authenticationOptions) =>
        {
            var ciphers = new List<TlsCipherSuite>()
            {
                TlsCipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_PSK_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_PSK_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                TlsCipherSuite.TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
                TlsCipherSuite.TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
                TlsCipherSuite.TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
                TlsCipherSuite.TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256,
                TlsCipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM,
                TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM,
                TlsCipherSuite.TLS_DHE_RSA_WITH_AES_128_CCM_8,
                TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_CCM_8,
                TlsCipherSuite.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                TlsCipherSuite.TLS_PSK_WITH_AES_128_CCM,
                TlsCipherSuite.TLS_PSK_WITH_AES_256_CCM,
                TlsCipherSuite.TLS_DHE_PSK_WITH_AES_128_CCM,
                TlsCipherSuite.TLS_DHE_PSK_WITH_AES_256_CCM,
                TlsCipherSuite.TLS_PSK_WITH_AES_128_CCM_8,
                TlsCipherSuite.TLS_PSK_WITH_AES_256_CCM_8,
                TlsCipherSuite.TLS_PSK_DHE_WITH_AES_128_CCM_8,
                TlsCipherSuite.TLS_PSK_DHE_WITH_AES_256_CCM_8,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
                TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
            };
            authenticationOptions.EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13;
            // Restrict the negotiable suites to the list above
            authenticationOptions.CipherSuitesPolicy = new CipherSuitesPolicy(ciphers);
        };
    });
});
```
As soon as I start the web service I'm getting this exception:
```text
System.PlatformNotSupportedException: "CipherSuitesPolicy is not supported on this platform."
```
Is there something I need to import to make this work?
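As an added check, not part of the question or answer, here is a small Python script that parses Nmap's `ssl-enum-ciphers` output and flags the suites a hardening review usually wants gone: 3DES, CBC mode, and static RSA key exchange. The `SCAN` excerpt is constructed from a few lines of the scan above, and the classification rules are my own rather than Nmap's grading.

```python
import re

# Constructed excerpt of the nmap ssl-enum-ciphers output shown in the question
SCAN = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
"""

# One cipher line: "| <suite> (<key exchange>) - <grade>"; indentation may be collapsed
SUITE_RE = re.compile(r"^\|\s+(TLS_\w+) \(([^)]*)\) - ([A-F])$")

# Key-exchange prefixes that give forward secrecy; nmap labels TLS 1.3 suites TLS_AKE_
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AKE_")


def parse_suites(scan):
    """Return (suite, key-exchange info, nmap grade) tuples from ssl-enum-ciphers output."""
    suites = []
    for line in scan.splitlines():
        m = SUITE_RE.match(line)
        if m:
            suites.append(m.groups())
    return suites


def weaknesses(suite):
    """List the properties of a suite name that a hardening review would flag."""
    issues = []
    if "3DES" in suite:
        issues.append("3DES (64-bit block, SWEET32)")
    if "_CBC_" in suite:
        issues.append("CBC mode (no AEAD)")
    if not suite.startswith(FORWARD_SECRET_PREFIXES):
        issues.append("static RSA key exchange (no forward secrecy)")
    return issues


def review(scan):
    """Map every offered suite to its issues; an empty list means it passed the review."""
    return {suite: weaknesses(suite) for suite, _, _ in parse_suites(scan)}


def to_disable(scan):
    """Sorted list of the offered suites that failed the review."""
    return sorted(s for s, issues in review(scan).items() if issues)
```

Re-running the scan after a configuration change and feeding the new output through `to_disable` shows whether the server actually stopped offering the flagged suites.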
Solution 1:[1]
I think I have a solution. The CipherSuitesPolicy seems to be only available for Linux and macOS. For Windows I have to deactivate certain ciphers in the registry:
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f
```
This solution works for me. The web service is now using just strong ciphers.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Handas |
