How to make TLS requests in .Net 4 on Windows XP to servers with SSL3 disabled?
I am maintaining a Windows application built with .Net 4.0 (Visual Studio 2010) that connects to various web services on our Apache web servers. Due to a Poodle bug, SSL3 has been disabled on these servers. The updated version of the application uses the WebClient class with TLS enabled and can connect successfully:
using (var client = new WebClient())
{
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
client.DownloadString(uri);
}
However, our clients are not stuck in Windows XP (unfortunately, it is not possible to force them to update the OS). I can reproduce their error reports that SSL / TLS channels could not be established.
Even disabling certificate validation (for testing purposes only) doesn't help:
ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
I know from my research that Windows XP and .Net 4.0 support TLS 1.0, so in theory this should be possible. Due to the little information provided in the thrown exception, I can't pinpoint what is failing.
Could this be a server configuration issue?
Example URL: https://api.meteotest.ch/ssl.txt
source to share
On MSDN you will find lists of ciphers supported by Windows XP. This shows that XP does not support any AES scramblers. But as shown by SSLLabs , all ciphers supported by your server are AES. Thus, there are no shared ciphers between client and server, and SSL handshaking will fail, which is also displayed for XP in the SSLLabs output.
Since RC4 is broken too, I would not recommend using any RC4 ciphers. Therefore it is best to enable 3DES ciphers to support XP clients i.e. TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA in apache config). You must of course put this cipher at the end, so it will only be used if the client does not support any other cipher.
source to share