INTRODUCTION TO TLS AND CIPHER SUITES
A cipher suite is a set of algorithms that computers agree to use to protect data passing between them. It is akin to a spoken language between humans. With humans we have an idea, and that idea is transformed from its raw thought into words and is passed back and forth to other humans using verbal and written encoding in the form of talking and writing letters. Both humans involved in the conversation have to understand the same language. It is the same with computers. With computers, the raw data can undergo several such transformations such as binary encoding, encryption, message validation checks and authentication. These sets of transformations we will call algorithms. Each of those named categories has several competing algorithms. Because there is more than one algorithm, the computers have to choose
[Table of example algorithms; surviving entries: SRP, PSK, IDEA, DES, Camellia, ChaCha20]
If the connected computers don't both support a full set of the same algorithms then they cannot have a meaningful
exchange. In this case, the computers will disconnect and show the user a message like "TLS session failed". The different
algorithms are called ciphers in the security world. A set of these ciphers used in tandem to create a secure connection is
TLS is the protocol used to help computers decide which cipher suite to use. It defines how to authenticate the computers
to each other, and how they will let each other know which cipher suites they support. Simply put, it is the "S" in HTTPS.
TLS is the protocol used to secure the internet and most other secure software.
offered by the client, the server will continue the conversation using the chosen suite. However, if there is no overlap
between the suites the client offers, and the ones the server is willing to use, the server will terminate the conversation
Tools
We are going to use a browser to do the easy investigation. We will use PowerShell 5.1 or greater to get a list of supported
Cipher Suites in .NET. Then we are going to dig deeper into the conversation between the computers using Wireshark
Download PowerShell
Download Wireshark
If you go to a secure website or service using Chrome you can see which cipher suite was negotiated. Any HTTPS site will
1. Go to https://www.venafi.com/
3. At the top of the developer tools window, you will see a tab called security. Click it.
it.
You can see above that in the secure connection settings section that
The last part is the encryption algorithm, AES 128 bit with GCM
It is important to note that you can often connect to services with Chrome when other applications fail. This is because
Chrome implements its own version of the cipher suites, so it is not dependent on what the OS is capable of. You can use
this to validate that the server is functioning and that it can in fact create a TLS 1.2 session using strong ciphers.
By default, Windows and .NET have less secure cipher suites disabled. This means that they are not offered to servers as an
option. Earlier versions of Windows Server do not support some of the more modern cipher suites. For a complete list of
https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
That web page also shows you how to format the cipher suites configured in Windows. It is important to note from that
article which cipher suites are available by default in each version of Windows. If the suite you are looking for is enabled by
default, you shouldn't need to change registry settings in order to explicitly enable it.
PowerShell
CipherSuite Name
----------- ----
4866 TLS_AES_256_GCM_SHA384
4865 TLS_AES_128_GCM_SHA256
0 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
49195 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
49200 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
49199 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
159 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
158 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
49187 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
49192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
49191 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
49162 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
49161 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
49172 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
49171 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
157 TLS_RSA_WITH_AES_256_GCM_SHA384
156 TLS_RSA_WITH_AES_128_GCM_SHA256
61 TLS_RSA_WITH_AES_256_CBC_SHA256
60 TLS_RSA_WITH_AES_128_CBC_SHA256
53 TLS_RSA_WITH_AES_256_CBC_SHA
47 TLS_RSA_WITH_AES_128_CBC_SHA
10 TLS_RSA_WITH_3DES_EDE_CBC_SHA
59 TLS_RSA_WITH_NULL_SHA256
2 TLS_RSA_WITH_NULL_SHA
0 TLS_PSK_WITH_AES_256_GCM_SHA384
168 TLS_PSK_WITH_AES_128_GCM_SHA256
175 TLS_PSK_WITH_AES_256_CBC_SHA384
174 TLS_PSK_WITH_AES_128_CBC_SHA256
177 TLS_PSK_WITH_NULL_SHA384
176 TLS_PSK_WITH_NULL_SHA256
PowerShell will show you which cipher suites are available to .NET. This list shows the CipherSuite number (universal) and
the name that Windows machines use to describe the suite. Linux machines format the name differently, although it will be
similar; the suite number, however, will be the same.
Wireshark is an awesome tool for digging deep into what the network is actually sending. It can listen to anything sent over
the network card and log every packet so you can see the whole conversation. Go to their docs page to learn how to use
Wireshark to its fullest. However, for this exercise, we will do a simple capture of the browser's conversation with the
1. Open Wireshark
5. Click Start
You should have seen a bunch of packets get captured. The ones we are interested in will be at the beginning of the
capture. Find the one that says Client Hello in the info field.
If you expand all the nodes after the Transport Layer Security node, you can see all the cipher suites that were offered to
the server.
Now look at the Server Hello packet. In this screen capture it was two packets down. This shows which of the offered
An astute person would have noticed that the ciphers offered in the Client Hello above were not the same cipher suites that
PowerShell said we have available. That is because Chrome uses their own list of usable ciphers, and .NET honors the OS
Now if you look at the Client Hello in this capture, you will see that instead of 16 entries offered, 21 were offered
In the end, however, the server still picked the same cipher suite.
When the server doesn't find a cipher suite in the Client Hello that it likes, it will send a session termination packet instead
of a Server Hello. When this happens, double check with the server's administrator to see if any of the offered cipher suites
should have been acceptable. If none of them are, you will have to manually activate the cipher suites the server accepts by
adding them to the Windows registry.
https://support.microsoft.com/en-us/help/4032720/how-to-deploy-custom-cipher-suite-ordering-in-windows-server-2016
Keep in mind that some cipher suites are not available on older Windows Servers, so even if they are enabled in the
registry, they will not be offered to the server in the Client Hello.
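The Client Hello and server selection described above, as an added Python example that is not part of the original article: it reads the offered suite numbers out of a Client Hello, prints each one as the hex value Wireshark displays next to the decimal value PowerShell lists, and picks a suite or reports no overlap. The Client Hello bytes are constructed in the code, the function names are hypothetical, and server-preference ordering is an assumption.

```python
import struct

# Decimal numbers and Windows names copied from the PowerShell listing on this page.
POWERSHELL_SUITES = {
    4865: "TLS_AES_128_GCM_SHA256",
    49199: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    49200: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    156: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def build_client_hello(suites):
    """Constructed sample: a minimal Client Hello in one TLS record, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))      # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def offered_suites(record):
    """Return the cipher suite numbers a Client Hello record offers, in order."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    pos = 5 + 4 + 2 + 32                            # record hdr, handshake hdr, version, random
    if pos >= len(record):
        raise ValueError("truncated Client Hello")
    pos += 1 + record[pos]                          # skip the session id
    if pos + 2 > len(record):
        raise ValueError("truncated Client Hello")
    (length,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if length % 2 or pos + length > len(record):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (length // 2), record, pos))

def describe(suite):
    """One suite three ways: Wireshark hex / PowerShell decimal / Windows name."""
    name = POWERSHELL_SUITES.get(suite, "not in the listing")
    return "0x%04X / %d / %s" % (suite, suite, name)

def negotiate(offered, server_prefs):
    """Assumption: the server takes the first of its own preferences the client offered."""
    return next((s for s in server_prefs if s in offered), None)  # None: session is terminated

if __name__ == "__main__":
    hello = build_client_hello([0x0A0A, 4865, 49199, 156])  # 0x0A0A is a GREASE value (RFC 8701)
    for s in offered_suites(hello): print(describe(s))
    print("server picks:", negotiate(offered_suites(hello), [49200, 49199, 156]))
```
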