471,602 Members | 1,238 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,602 software developers and data experts.

Configure SSL Encryption Strength

Short version:
Is there a way to configure (preferably programmatically) the max encryption
strength that will be used by the framework when connecting to a particular
SSL-protected web service?

Long version:
Historically, browsers could only be exported to certain countries if they
supported only 40 and 56 bit encryption; 128 bit was restricted. I believe,
based on my readings thus far, that this refers to the strength of the
symmetric key which is negotiated during the SSL handshake and subsequently
used on all data transferred during the session.

I also understand from my readings that the handshaking/negotiation process
attempts to automatically identify and use the strongest encryption supported
by both parties (and in fact, in older versions of SSL, the possibility of
intercepting and altering the support lists was a very real shortcoming of
the protocol).

The above suggests to me that there must be some means provided by the .NET
framework by which I can have control over the maximum strength which a
client application will report it supports to a web service hosted on a
server. Naturally, whether the server will allow that encryption strength is
left to the server configuration.

Unfortunately, I can find no documentation or other material about this
subject. Is there a way to control the max supported encryption strength
that the framework reports to the server? I am specifically speaking about
using the 2.0 framework and using a class deriving from
HttpWebClientProtocol. If there is another approach that would more easily
allow this capability, I'm all ears.

It might be useful to note that I am using client authentication; therefore
a client certificate is also involved. Is it possible that I am incorrect in
my assumptions that this would be controlled by the framework, and that it is
instead determined by content of the certificates? The certificates have
their own strength, but as I understand that is separately used by only the
private-key negotiation process.
Feb 28 '07 #1
1 2929
For anybody who reads this thread, I just came accross something that
suggests the encryption strength may in fact be dictated by the key length of
the server/client certificates. Assuming I can trust this article, I guess
my question is thus answered.

From
http://www.microsoft.com/technet/pro...y/c06iis.mspx:

"When a user attempts to establish an SSL session with your Web server, the
user's browser and the server use the bit length of their encryption keys to
determine the strongest level of encryption possible. If the encryption keys
use 512 bits, the level of encryption is set to 40 bits. If the encryption
keys use 1024 bits, the level of encryption is set to 128 bits. Other key bit
lengths and encryption levels are available."
Mar 1 '07 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

3 posts views Thread by dracolytch | last post: by
34 posts views Thread by Blake T. Garretson | last post: by
14 posts views Thread by Xarky | last post: by
14 posts views Thread by david | last post: by
3 posts views Thread by 2803stan | last post: by
1 post views Thread by XIAOLAOHU | last post: by
reply views Thread by leo001 | last post: by
reply views Thread by MichaelMortimer | last post: by
reply views Thread by CCCYYYY | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.