Does SslStream support anonymous Diffie-Hellman ciphersuites?



Hello,

I am trying to build an SSL server using the .NET 2.0 System.Net.Security.SslStream class.
The client is beyond my control and supports only the DH anonymous ciphersuites:
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 (0x0017)
TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA (0x0019)
TLS_DH_anon_WITH_DES_CBC_SHA (0x001a)
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)

I created certificate(s) with makecert.exe as described by John Howard in
http://blogs.technet.com/jhoward/archive/2005/02/02/365323.aspx
The only difference was using -sp "Microsoft DH SChannel Cryptographic Provider" -sy 18
(a certificate generated with -sp "Microsoft RSA SChannel Cryptographic Provider" causes
another exception: "A call to SSPI failed - The client and server cannot communicate
because they do not possess a common algorithm"...)

The problem now is an exception from EndAuthenticateAsServer():
System.NotSupportedException: The certificate key algorithm is not supported.
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)

Does the System.Net.Security.SslStream class support anonymous Diffie-Hellman suites?
I hope the problem is with the certificate... unfortunately the value returned by the
X509Certificate.GetKeyAlgorithm() method, "1.2.840.10046.2.1", doesn't tell me much,
other than confirming the Microsoft DH SChannel Cryptographic Provider...

Any help is appreciated.

Thanks,
Ivo
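An added diagnostic example, not code from the original post: it loads the certificate SslStream is about to be handed, decodes the key-algorithm OID the poster saw (1.2.840.10046.2.1 is dhpublicnumber, the X9.42 Diffie-Hellman key type; RSA is 1.2.840.113549.1.1.1, DSA is 1.2.840.10040.4.1), confirms a private key is present, and then runs the same server-side handshake synchronously so that the two exceptions described above can be told apart: NotSupportedException is thrown before any bytes are exchanged, while AuthenticationException ("A call to SSPI failed") means Schannel actually negotiated and found no common cipher suite. Worth keeping in mind while reading the output: the TLS_DH_anon_* suites in the client's list carry no server Certificate message at all, so the certificate's key algorithm cannot by itself make them negotiable. The PFX path, password and port are assumptions; substitute the certificate produced by makecert/pvk2pfx on your machine.

```csharp
// Added diagnostic example (not from the original post). Inspects the server
// certificate, then attempts SslStream.AuthenticateAsServer and reports which
// exception, if any, Schannel surfaces.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

class SslServerDiagnostic
{
    // Well-known subjectPublicKeyInfo algorithm OIDs, as returned by GetKeyAlgorithm().
    static string DescribeKeyAlgorithm(string oid)
    {
        switch (oid)
        {
            case "1.2.840.113549.1.1.1": return "RSA (rsaEncryption)";
            case "1.2.840.10040.4.1":    return "DSA (id-dsa)";
            case "1.2.840.10046.2.1":    return "Diffie-Hellman (dhpublicnumber, X9.42)";
            default:                     return "unknown";
        }
    }

    static void Main(string[] args)
    {
        // Hypothetical PFX path and password (assumptions, not from the post).
        string pfxPath     = args.Length > 0 ? args[0] : @"C:\certs\server.pfx";
        string pfxPassword = args.Length > 1 ? args[1] : "changeit";

        X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet);

        string oid = cert.GetKeyAlgorithm();
        Console.WriteLine("Subject:         {0}", cert.Subject);
        Console.WriteLine("Key algorithm:   {0} = {1}", oid, DescribeKeyAlgorithm(oid));
        Console.WriteLine("Has private key: {0}", cert.HasPrivateKey);
        if (!cert.HasPrivateKey)
            Console.WriteLine("Warning: no private key, so no handshake can complete.");

        // Hypothetical listening port.
        TcpListener listener = new TcpListener(IPAddress.Loopback, 8443);
        listener.Start();
        Console.WriteLine("Listening on 127.0.0.1:8443; connect the client now.");

        using (TcpClient client = listener.AcceptTcpClient())
        using (SslStream ssl = new SslStream(client.GetStream(), false))
        {
            try
            {
                // Synchronous form of the Begin/EndAuthenticateAsServer pair used in
                // the post; it raises the same exceptions, just on this thread.
                ssl.AuthenticateAsServer(cert, false, SslProtocols.Tls, false);
                Console.WriteLine("Handshake OK: cipher {0} ({1} bits), key exchange {2}",
                    ssl.CipherAlgorithm, ssl.CipherStrength, ssl.KeyExchangeAlgorithm);
            }
            catch (NotSupportedException ex)
            {
                // "The certificate key algorithm is not supported": SslStream rejected
                // the certificate itself, before talking to the client.
                Console.WriteLine("NotSupportedException: {0}", ex.Message);
            }
            catch (AuthenticationException ex)
            {
                // "A call to SSPI failed": Schannel ran the negotiation and failed it.
                // The inner exception is normally a Win32Exception carrying the SEC_E_* code.
                Console.WriteLine("AuthenticationException: {0}", ex.Message);
                if (ex.InnerException != null)
                    Console.WriteLine("  inner: {0}", ex.InnerException.Message);
            }
        }
        listener.Stop();
    }
}
```

Run it with the DH-provider certificate and then with the RSA-provider certificate from the post: the first should stop at the NotSupportedException branch without the client ever being contacted, the second should reach the AuthenticationException branch after the client's ClientHello has been read, which localises the problem to cipher-suite selection rather than to the certificate.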




