I wrote an SSL client in C#.NET WinForms. I added my certificate (public key) to the system root store (by .NET code or manually via Internet Explorer; both work), and it works fine on Windows XP, but on Windows 7 I get the following AuthenticationException when calling AuthenticateAsClient():
"The client and server cannot communicate, because they do not possess a common algorithm"

Microsoft support documents list some registry keys and say something about protocols/ciphers/algorithms that are enabled (new strong ones) or disabled (old obsolete ones) by default in Windows 7, so we can enable/disable them by editing the registry. Here are those links:

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
TLS/SSL Cryptographic Enhancements

As I'm not good at cryptography, I can't understand which registry key matches my case. Here are the properties of the X509Certificate object I'm using as client:

SignatureAlgorithm.FriendlyName : "sha1RSA"
Version : 3

Could someone please help?

losingsleeep

2 Answers

After struggling with Windows registry keys and values (it worked, but was illogical, like disabling some other items!), I solved the problem by enabling and editing the Windows Cipher Suite Order without changing anything in the registry.

Instructions:

1 - Enter gpedit.msc in Start > Run.... The Local Group Policy Editor opens.
2 - Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
3 - Double click on the SSL Cipher Suite Order item on the right side.
4 - Select the Enabled radio button in the opened window. At the middle-left there's a text box containing some comma separated text. Copy/paste the text into an empty Notepad window.
5 - Move the items you want to be first (in my case: TLS_RSA_WITH_RC4_128_SHA and SSL_CK_RC4_128_WITH_MD5).
6 - Replace the old text with the new one.
7 - Unlike the registry, you must restart your computer now for the changes to take effect.

Hope it helps.

losingsleeep
The server likely tried to negotiate an SSLv3.0 connection with an AES cipher. That combination is technically illegal. See http://blogs.msdn.com/b/ieinternals/archive/2009/12/08/aes-is-not-a-valid-cipher-for-sslv3.aspx?Redirected=true

EricLaw
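To see which protocol and cipher suite the handshake actually negotiates (or why it fails with the AuthenticationException from the question), the following diagnostic is an added example, not code from the question or either answer. It pins the offered protocol set explicitly so the SSLv3 + AES combination described in the answer above cannot be selected, and it prints what Schannel negotiated. The host name and port are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example (not from the question or answers): connects with
// SslStream, restricts the offered protocols, and reports the negotiated parameters.
class SslDiag
{
    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "server.example"; // placeholder host
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServerCert))
        {
            try
            {
                // Offer TLS 1.0 only (SslProtocols.Tls), never SSLv3; on .NET 4.5+ prefer
                // SslProtocols.Tls12. No client certificate, no revocation check here.
                ssl.AuthenticateAsClient(host, null, SslProtocols.Tls, checkCertificateRevocation: false);
                Console.WriteLine("Protocol:     {0}", ssl.SslProtocol);
                Console.WriteLine("Cipher:       {0} ({1}-bit)", ssl.CipherAlgorithm, ssl.CipherStrength);
                Console.WriteLine("Hash:         {0} ({1}-bit)", ssl.HashAlgorithm, ssl.HashStrength);
                Console.WriteLine("Key exchange: {0} ({1}-bit)", ssl.KeyExchangeAlgorithm, ssl.KeyExchangeStrength);
            }
            catch (AuthenticationException ex)
            {
                // The failure path from the question: no common protocol/cipher, or a
                // rejected certificate. Treat it as fatal; do not fall back silently.
                Console.WriteLine("Handshake failed: {0}", ex.Message);
            }
        }
    }

    static bool ValidateServerCert(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        // Accept only a certificate that chains to a trusted root with a matching name;
        // never return true unconditionally.
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine("Certificate rejected: {0}", errors);
        return false;
    }
}
```

Run it against the failing server before and after changing the cipher suite order; the printed CipherAlgorithm and HashAlgorithm show whether the reordered suite (for example RC4/MD5 versus AES/SHA) is what the client ends up using.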