when i use this code block about TlsCipherSuite, i get this error "SSL routines:tls_post_process_client_hello:no shared cipher". can you give some advice?
public static KestrelServerOptions ListenSera(this KestrelServerOptions options, SeraSettings seraSettings)
{
options.Listen(IPAddress.Parse(seraSettings.ListenIP), seraSettings.Port, listenOptions =>
{
listenOptions.UseConnectionLimits(veraSettings.ConnectionLimit);
listenOptions.UseHttps(adapterOptions =>
{
adapterOptions.OnAuthenticate = (context, authenticationOptions) =>
{
authenticationOptions.CipherSuitesPolicy = new CipherSuitesPolicy(new[]
{
TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
});
};
adapterOptions.SslProtocols = SslProtocols.Tls12;
adapterOptions.CheckCertificateRevocation = false;
adapterOptions.HandshakeTimeout = TimeSpan.FromSeconds(veraSettings.TlsHandshakeTimeout);
adapterOptions.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
adapterOptions.ServerCertificate =
new X509Certificate2(Path.Combine("certs", veraSettings.ServerCertificateFilename),
veraSettings.ServerCertificatePassword);
adapterOptions.AllowAnyClientCertificate();
});
listenOptions.UseConnectionLogging();
listenOptions.UseConnectionHandler<VeraKecManager>();
});
return options;
}
}
CodePudding user response:
This means that the ciphers you offered to the server are not available in the server. For some unknown reason you only offered these two ciphers:
TlsCipherSuite.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
The first one is using plain DHE is key exchange, which is slow and thus often not enabled in the server (too much load on the server). In the second cipher you offer ECDHE as key exchange which is much faster and usually available. But you offer it only in connection with ECDSA which means that the server needs an ECC certificate and not the more common RSA certificate.
In general, it is not a good idea to change the offered ciphers from the defaults. It is even worse if these are restricted to only a few ones for a reason you cannot explain. In general, you should never change security settings without understanding what these are actually doing and what implications the change has, since this might not only make your code not working but it might actually work but in an insecure way. Thus, better leave any security settings at their default and change only these, were the default is not sufficient.
CodePudding user response:
I guess there are a few more thing you can do to diagnose the problem.
try to run Wireshark and listen to the TLS handshake packets. If you take a close look you should see which cipher suites are being offered by the client and server.
If you are using windows, check the registry (Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions). This key should list all cipher suites on your machine.
If you are using a certificate, check what sort of cipher suite is mentioned and if any elliptic curves are used. In my case, the certificate mentioned NistP521 curve (Public key parameters ECDSA_P521) which is not enabled by default in windows. I had to modify the registry to enable it (I changed registry value Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions\EccCurves from: curve25519 NistP256 NistP384
to
curve25519 NistP256 NistP384 NistP521
Hope any of the above will put you on the right track.