Porting SSL application from Java to C#

Question

I'm porting a java client for mumble to C# and I've hit a bit of a brick wall.

In java, the SSL socket is initiated like so:

final SSLContext ctx_ = SSLContext.getInstance("TLS");
ctx_.init(null, new TrustManager[] { new LocalSSLTrustManager() }, null);
final SSLSocketFactory factory = ctx_.getSocketFactory();
final SSLSocket sslSocket = (SSLSocket) factory.createSocket(hostAddress, port);
sslSocket.setUseClientMode(true);
sslSocket.setEnabledProtocols(new String[] { "TLSv1" });
sslSocket.startHandshake();

I've ported this to C# like this:

return ssl = new SslStream(netStream, false, (a, b, c, d) => true); //For now, accept any cert
ssl.AuthenticateAsClient(serverName);

Now, this does actually establish a connection, but it's using AES128 and the mumble protocol requires AES256 so the server appears to then ignore anything I send on this socket.

Is my code correctly ported? And is there a way to force C# to use AES256 for this connection?

Answer 1

No your code is fine, By defualt, however, windows appears not to enable AES256 support because TLS 1.2 is not enabled. Java uses its own SSL implementation which evidently does support it. As a result, when negotiating with the server usng c#, AES128 is selected because its the strongest cipher windows supports by default.

According to this site running the following powershell script should enable AES256 in TLS and fix your issue. I'd make sure its not doing anything funny before running it.

# Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7
# June 27, 2010
# Version 1.2
# These keys do not exist so they need to be created prior to setting values.

md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"

md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"

md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.2 for client and server SCHANNEL communications

new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"

new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"

new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"

new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"