How to make TLS requests in .Net 4 on Windows XP to servers with SSL3 disabled?

Question

I'm supporting a Windows application built with .Net 4.0 (Visual Studio 2010) which is connecting to a variety of web services onto our Apache webservers. Due to the Poodle bug, SSL3 has been disabled on these servers. An updated version of the application is using the WebClient class with TLS enabled and can successfully connect:

using (var client = new WebClient())
{
     ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

     client.DownloadString(uri);
}

Not our customers stuck on Windows XP however (Forcing them to upgrade the OS is unfortunately impossible). I can reproduce their error reports that SSL/TLS channels cannot be established.

Even disabling the certificate check (for testing purposes only) doesn't help:

     ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

From my research I know that Windows XP and .Net 4.0 supports TLS 1.0, so theoretically this should still be possible. Due to the little information given in the thrown exception, I cannot find out what fails exactly.

Could this be an issue with the server configuration?

Sample URL: https://api.meteotest.ch/ssl.txt

Answer 1

At MSDN you will find the cipher suites supported by Windows XP. This shows, that XP does not support any AES cipher suites. But, as shown on SSLLabs all ciphers supported by your server are AES. Therefore there are no common ciphers between client and server and the SSL handshake will fail, which is also shown for XP in the output from SSLLabs.

Since RC4 is broken too I would not recommend to use any RC4 ciphers. So it might be the best to enable the 3DES ciphers to support XP clients, that is TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA in apache config). Of course you should put this cipher at the end, so it gets only used if the client does not support any of the other ciphers.