客户端和服务器无法通信，因为它们没有通用的算法C＃SslStream

Question

Following is my Setup for mutual SSL authentication for client/server console app on Windows 10:

1. There is a server listener console app that only accepts TLS 1.0 connections.
2. Client console application uses SslStream.AuthenticateAsClient to configure a secure connection and uses TLS 1.2 connection.
3. I am using the following example for mutual SSL authentication: http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication

Server code:

sslStream.AuthenticateAsServer(certificate, true, SslProtocols.Tls, true);

Client code:

sslStream.AuthenticateAsClient(hostName, certificates, SslProtocols.Tls12, true);

Error:

Exception: A call to SSPI failed, see inner exception.

Inner exception: The client and server cannot communicate, because they do not possess a common algorithm

Question:

When i change the SslProtocols to be same in client and server, ie TLS 1.0, SSL handshake is successful. Why does the handshake fail when the SSL protocol is different on client and server?

Answer 1

The protocols have to be the same. You have to "negotiate" a common protocol between the server and client or they aren't able to speak the same language. The SslProtocols enum is marked as [Flags] so that you can specify multiple protocols, eg SslProtocols.Tls | SslProtocols.Tls12 SslProtocols.Tls | SslProtocols.Tls12