Sunday, 6 November 2011

Null Ciphers in .NET Framework.

We get some strange requests at work from time to time. The latest one: can you use null ciphers for SSL traffic in IIS?

If you are wondering why you might want to do this, I don't have a ready answer to be honest. In *nix land this isn't a major problem, but IIS does not support it at all (at least for versions 5-7.5).
To be able to handle a null cipher, Schannel needs certain values set in the credential structure (SCHANNEL_CRED) that the caller passes in:

dwMinimumCipherStrength
Minimum bulk encryption cipher strength, in bits, allowed for connections. If this member is zero, SCHANNEL uses the system default.
If this member is -1, only the SSL3/TLS MAC-only cipher suites (also known as NULL cipher) are enabled.

dwMaximumCipherStrength
Maximum bulk encryption cipher strength, in bits, allowed for connections. If this member is zero, SCHANNEL uses the system default.
If this member is -1, only the SSL3/TLS MAC-only cipher suites (also known as NULL cipher) are enabled. In this case, dwMinimumCipherStrength must be set to -1.

However, it is not these properties alone. You cannot enable NULL ciphers through the registry only; the Schannel caller has to opt in by passing -1 in the appropriate fields of the SCHANNEL_CRED it supplies. IIS does not pass -1, so IIS does not allow NULL ciphers.
This leaves you needing some sort of proxy server that accepts null ciphers for the SSL handshake, so that the proxy completes the handshake and then forwards the request to IIS.

If you want to create your own proxy (this is probably a very bad idea, by the way), the .NET Framework can help you. From version 4.0 it is possible to allow null ciphers on the SslStream constructor simply by setting the EncryptionPolicy parameter to AllowNoEncryption, like this:

   // The last argument opts this SslStream into the MAC-only (NULL) cipher suites.
   SslStream sslStream = new SslStream(myclient.GetStream(), false, null, null, EncryptionPolicy.AllowNoEncryption);

where myclient is a TcpClient object.
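To show what the proxy idea from the previous paragraphs amounts to in practice, here is an added example (not code from the original post): a minimal TLS-terminating listener that opts into NULL cipher suites with EncryptionPolicy.AllowNoEncryption, reports what the peer actually negotiated, and pumps bytes to a back-end. The listen address, the back-end host and port, and the PFX path and password are assumed placeholders; it assumes .NET Framework 4.5 or later for Task.Run and CopyToAsync.

```csharp
// Added example, not from the original post. Assumptions are marked below.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class NullCipherProxy
{
    // Assumed placeholders; adjust for your environment.
    static readonly IPEndPoint ListenOn = new IPEndPoint(IPAddress.Loopback, 8443);
    static readonly string BackendHost = "localhost";   // IIS on the same box
    static readonly int BackendPort = 80;
    static readonly string PfxPath = "proxy-cert.pfx";  // server certificate for the proxy
    static readonly string PfxPassword = "changeit";

    static void Main()
    {
        var cert = new X509Certificate2(PfxPath, PfxPassword);
        var listener = new TcpListener(ListenOn);
        listener.Start();
        Console.WriteLine("Listening on {0}", ListenOn);
        while (true)
        {
            TcpClient client = listener.AcceptTcpClient();
            Task.Run(() => Handle(client, cert));
        }
    }

    static void Handle(TcpClient client, X509Certificate2 cert)
    {
        using (client)
        // AllowNoEncryption is the .NET 4.0 opt-in that corresponds to passing -1
        // for dwMinimumCipherStrength in the SCHANNEL_CRED.
        using (var tls = new SslStream(client.GetStream(), false, null, null,
                                       EncryptionPolicy.AllowNoEncryption))
        {
            try
            {
                tls.AuthenticateAsServer(cert, false, SslProtocols.Tls, false);
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("handshake failed: {0}", ex.Message);
                return;
            }

            // Inspect the negotiated suite: a MAC-only suite shows up as
            // CipherAlgorithmType.Null with IsEncrypted == false.
            Console.WriteLine("negotiated {0} ({1}-bit) encrypted={2} signed={3}",
                tls.CipherAlgorithm, tls.CipherStrength, tls.IsEncrypted, tls.IsSigned);
            if (tls.CipherAlgorithm == CipherAlgorithmType.Null)
                Console.WriteLine("WARNING: NULL cipher suite in use; traffic is integrity-protected only");

            using (var backend = new TcpClient(BackendHost, BackendPort))
            using (NetworkStream plain = backend.GetStream())
            {
                // Pump bytes in both directions until either side closes.
                Task up = tls.CopyToAsync(plain);
                Task down = plain.CopyToAsync(tls);
                Task.WaitAny(up, down);
            }
        }
    }
}
```

The point of logging CipherAlgorithm, CipherStrength and IsEncrypted is that AllowNoEncryption only permits a NULL suite; whether one is used depends on what the client offers, so the proxy is the one place you can see that a connection carries integrity protection but no confidentiality before it reaches IIS.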

I still have to ask why, though, why?

2 comments:

  1. Hi,

    I use windows 7 and Internet Explorer. They use Schannel for SSL-TLS.

    I'm wondering if this is the same thing I have to do to enable the NULL cipher. Indeed, just adding a key NULL under Ciphers with a DWORD Enabled of value 0xffffffff doesn't change anything...

    But I don't know how to put the dwMinimumCipherStrength credential to the value -1 on Windows 7...

    Maybe you have an idea?

    Thanks

    K

    Replies
    1. What exactly are you trying to do?

      Your comment suggests a client-side issue, whereas this post refers to the server side.
