Considering C# OpenSSL openssl-net-master

Considering C# OpenSSL openssl-net-master

Hegazi, Amr

Hello *,

 

I’m using the latest version of C# OpenSSL from https://github.com/openssl-net/openssl-net (this wrapper is based on version 1.0.2a of libeay32.dll and ssleay32.dll).

 

I’m using C# OpenSSL to test my TLS client, which supports TLS starting from version 1.2 and all the cipher suites. Moreover, I’m using Microsoft Windows 7. I have already installed Microsoft Visual C++ 2010 Express and Microsoft Visual Studio 2010.

 

I always face an error “TLSv1.2  81 - Alert (Level: Fatal, Description: Insufficient Security)”

 

I have debugged the issue. The issue comes from a function called SSL_CTX_new(), which is connected to ssleay32.dll. The ClientHello is always sent correctly, and then the OpenSSL server replies with Insufficient Security.

 

The console also shows this:

.NET   HSM Received: ClientHello (188 bytes)
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) [not supported]
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) [not supported]
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_NULL_SHA256 (0x003b) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_NULL_SHA (0x0002) [not supported]
.NET   ALERT SENT    : Fatal InsufficientSecurity
.NET   no shared cipher suites

 

And Wireshark shows this:

 

"3406.315537","fe80::ff:fe00:2","fe80::1:5","SSL","271","Client Hello"
"3419.805155","fe80::1:5","fe80::ff:fe00:2","TLSv1.2","81","Alert (Level: Fatal, Description: Insufficient Security)"

 

So I think the error is in something related to the configuration of ssleay32.dll.

 

My code is simple and is as follows:

 

try
{
    TestCaseBegin();

    // Load the server's RSA/SHA-1 certificate (PKCS#12) and the root that issued it.
    Output.WriteLine("TLS Server Certificate preparation");
    CertDir = Path.GetFullPath("..\\Appl\\Certificates\\Certificate");
    TlsServerCertificate = loadCertificateFromFile(Path.Combine(CertDir, @"Vector_ServerCertificate_RsaSha1_IA_pfx.pfx"), "123456");
    TlsServerCaCertificates = new X509Chain(OpenSSL.Core.BIO.File(Path.Combine(CertDir, @"Vector_ServerCertificate_RsaSha1_Root_cert.cer"), "r"));

    Output.WriteLine("Start connection");
    TS_RcTlsConnect(TlsConnectMode.Rsa);

    Output.WriteLine("Send Client Hello");
    TS_WaitForTcpConnection();

    // openssl-net SslStream over the accepted TCP connection.
    Output.WriteLine("make sslStreamServer");
    SslStream sslStreamServer = new SslStream(tcpClient.GetStream(), true, MyRemoteCertificateValidationHandler, MyLocalCertificateSelectionHandler);

    // Server-side handshake; protocol version and cipher strength are chosen here.
    Output.WriteLine("Start AuthenticateAsServer");
    sslStreamServer.AuthenticateAsServer(TlsServerCertificate, false, TlsServerCaCertificates, SslProtocols.Tls, SslStrength.All, false);
}
catch (TestStepFailException e)
{
    HandleTestStepFailException(e);
    Output.WriteLine(e.ToString());
}
catch (Exception ex)
{
    PrintException(ex);
    Output.WriteLine(ex.ToString());
}
finally
{
    TestCaseEnd();
}

 

Has anyone an idea?

 

Best Regards;

 

Amr


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Considering C# OpenSSL openssl-net-master

Salz, Rich via openssl-users

If you want to use those ciphers, you need to set SECLEVEL=0 when you specify the ciphers.

I have no idea how to do that for the OpenSSL C# binding.  Maybe post an issue on openssl-net?



Re: Considering C# OpenSSL openssl-net-master

Jakob Bohm-7
On 25/07/2017 19:00, Salz, Rich via openssl-users wrote:
>
> If you want to use those ciphers, you need to set SECLEVEL=0 when you
> specify the ciphers.
>
> I have no idea how to do that for the OpenSSL C# binding.  Maybe post
> an issue on openssl-net?
>
>

When did TLS_RSA_WITH_AES_128_CBC_SHA256 and higher become
"low security"?

It looks like the client is an older product (ECDH only offered
for ECDSA certs, classic DH not offered, no algorithms above
128 bits).

So I guess the OP just needs to check if he is using an empty
cipher string or something silly like that.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Considering C# OpenSSL openssl-net-master

Jeremy Farrell
On 26/07/2017 20:58, Jakob Bohm wrote:
> On 25/07/2017 19:00, Salz, Rich via openssl-users wrote:
>> If you want to use those ciphers, you need to set SECLEVEL=0 when you specify the ciphers.
>
> When did TLS_RSA_WITH_AES_128_CBC_SHA256 and higher become
> "low security"?
>
> It looks like the client is an older product (ECDH only offered
> for ECDSA certs, classic DH not offered, no algorithms above
> 128 bits).
>
> So I guess the OP just needs to check if he is using an empty
> cipher string or something silly like that.

The OP said he was testing his "Tls Client that supports TLS starting from version 1.2 and all the cipher suites". Perhaps he's found his first bug, since the client isn't offering all the TLS 1.2 cipher suites ...
-- 
J. J. Farrell
Not speaking for Oracle

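The three replies above each point at a different check: Rich's "@SECLEVEL=0" in the cipher string, Jakob's "is the cipher string empty?", and Jeremy's observation that the client is not offering what it claims. The script below is an added example, not code from this thread or from openssl-net. It uses Python's ssl module only as a binding to the same OpenSSL cipher-string syntax (including "@SECLEVEL=n") that an openssl-net SslStream ultimately hands to SSL_CTX_set_cipher_list(). The ClientHello log is copied from Amr's post; the two cipher strings SECLEVEL0 and HARDENED are assumed example policies, and the results reflect whatever OpenSSL the script is linked against, not the 1.0.2a DLLs in the post.

```python
"""Compare the suites a client offered with what an OpenSSL server context
will accept, and flag the suites that give no confidentiality.

Added example for the openssl-users thread above; not openssl-net code.
"""
import re
import ssl

# Console output copied from the original post (constructed input for the parser).
CLIENT_HELLO_LOG = """\
.NET   HSM Received: ClientHello (188 bytes)
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) [not supported]
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) [not supported]
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_NULL_SHA256 (0x003b) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_NULL_SHA (0x0002) [not supported]
.NET   ALERT SENT    : Fatal InsufficientSecurity
.NET   no shared cipher suites
"""

OFFERED_RE = re.compile(r"Offered suite by client: (TLS_\w+) \(0x([0-9a-fA-F]{4})\)")

# Rich's suggestion taken literally: every security-level check switched off.
SECLEVEL0 = "ALL:@SECLEVEL=0"
# Assumed example server policy instead: AEAD or 128-bit-or-better suites,
# no anonymous or NULL suites, OpenSSL level-2 checks left on.
HARDENED = "ECDHE+AESGCM:ECDHE+AES128:AES128-SHA256:!aNULL:!eNULL:@SECLEVEL=2"


def parse_offered(log):
    """Return {iana_code: iana_name} for every suite in the ClientHello log."""
    return {int(m.group(2), 16): m.group(1) for m in OFFERED_RE.finditer(log)}


def null_suites(offered):
    """Suites whose bulk cipher is NULL: they authenticate but never encrypt."""
    return {code for code, name in offered.items() if "_WITH_NULL_" in name}


def server_suites(cipher_string):
    """Return {iana_code: openssl_name} that a server context would accept.

    OpenSSL numbers TLS suites as 0x0300XXXX; the low 16 bits are the code
    seen on the wire, so they compare directly with the client's log.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing survives the string
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def accepts_any_cipher(cipher_string):
    """False for the empty-or-silly cipher string case Jakob asks about."""
    try:
        server_suites(cipher_string)
    except ssl.SSLError:
        return False
    return True


def shared_suites(offered, cipher_string):
    """Codes both sides can use; empty means 'no shared cipher suites'."""
    return set(offered) & set(server_suites(cipher_string))


def report(offered, cipher_string):
    """Human-readable summary of the intersection for one cipher string."""
    lines = ["cipher string: %r" % cipher_string]
    if not accepts_any_cipher(cipher_string):
        lines.append("  rejected by OpenSSL: no cipher can be selected")
        return "\n".join(lines)
    shared = shared_suites(offered, cipher_string)
    if not shared:
        lines.append("  no shared cipher suites -> expect Insufficient Security alert")
    for code in sorted(shared):
        flag = "   !! NULL cipher, no confidentiality" if code in null_suites(offered) else ""
        lines.append("  shared 0x%04x %s%s" % (code, offered[code], flag))
    return "\n".join(lines)


if __name__ == "__main__":
    offered = parse_offered(CLIENT_HELLO_LOG)
    print("client offered %d suites, %d of them NULL-cipher"
          % (len(offered), len(null_suites(offered))))
    for cs in ("", SECLEVEL0, HARDENED):
        print(report(offered, cs))
```

Run it as-is and the empty string is refused outright (the "something silly" case), while both real policies share at least the ECDHE-ECDSA AES-GCM suite with this client, so lowering SECLEVEL is not what a "no shared cipher" alert on this ClientHello calls for. The three NULL suites the client advertises are the more interesting finding: a server that did pick one of them would complete a handshake that encrypts nothing, which is exactly the kind of thing "@SECLEVEL=0" stops protecting against.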