Go Back

xfNetLink .NET client cannot connect to xfServerPlus service configured with low level encryption

Article Number: 2202
First Published:
Modified:
Recent Activity:
Views: 45
OS: Windows
Product: xfServerPlus, xfNetLink .NET

When an xfNetLink .NET client attempts to connect to an encrypted xfServerPlus service, the SSL handshake may fail because no suitable cipher suites are configured to be used by the client machine.


In the client-side log you may see the errors "A call to SSPI failed, see inner exception”, “The message received was unexpected or badly formatted”, and "Authentication failed -- closing the connection." In the Windows event viewer, you may see "Schannel" error 36887, "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40."


When setting up the xfNetLink .NET machine for encryption, you use the SSL Cipher Suite Order dialog in the Local Group Policy Editor (gpedit.msc). This dialog controls the ability to configure available SSL cipher suites and their order of preference. In order for encrypted communication to take place, the server and the client must have at least one suite in common in the category (low, medium, high) that you specified when configuring encryption on thexfServerPlus machine. If there is currently no common cipher suite available for the server to use with the client, the handshake will fail, and you\'ll see one of the above errors.


To remedy this, you can add compatible cipher suites to the list of available ciphers on the client machine by using either the Local Group Policy Editor or by editing the registry directly. Read the IMPORTANT note below to decide which edit method you want to use.


The table below lists the cipher suites we found to be compatible with xfServerPlus. 


  Cipher Suite (RFC name)   Server Encryption level
  TLS_RSA_WITH_DES_CBC_SHA  LOW
  TLS_RSA_WITH_RC4_128_SHA  MEDIUM
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  HIGH
  TLS_RSA_WITH_AES_256_CBC_SHA  HIGH
  TLS_RSA_WITH_AES_128_CBC_SHA   HIGH
  TLS_RSA_WITH_AES_128_CBC_SHA256 *  HIGH
  TLS_RSA_WITH_AES_256_CBC_SHA256 *  HIGH
  TLS_RSA_WITH_AES_128_GCM_SHA256 *  HIGH
  TLS_RSA_WITH_AES_256_GCM_SHA256 *  HIGH

 

 * These cipher suites require Synergy/DE 10.3.1b or higher. They are not supported on Windows Vista and Server 2008.


To edit the list with the Local Group Policy Editor:

  1. On the xfNetLink machine, run gpedit.msc from the Run dialog to launch the Local Group Policy Editor.
  2. In the left panel, navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  3. In the right panel, double-click on SSL Cipher Suite Order to display the eponymous dialog.
  4. The Enabled radio button should be selected, but if it\'s not, select it now and click the Apply button. Once the feature is enabled, there will be text in the SSL Cipher Suites field in the Options panel on the left side of the dialog.
  5. Click in the field, do Ctrl + A to select all, and then copy and paste into a text editor.
  6. Edit the list in the text editor. Entries in the list must be comma-separated with no spaces and no forced line breaks. (We recommend that you add lower strength ciphers to the end of the list so that the highest available cipher will be selected if supported.)
  7. When you\'re done editing, paste the text back into the field and click OK.
  8. Reboot for changes to take effect.


IMPORTANT: The field in this dialog accepts only 1024 characters. Inexplicably, the default list (which can vary over time) is sometimes more than that, and the application itself can use up to 2047 characters. If you merely add suites to the end of the list and paste the text back into the field, it will be truncated at 1024 characters and your changes will be lost. If you know that you can safely delete some of the cipher suites, you can delete enough that the list is within the 1024 character limit before pasting the text.


But if you don\'t want to delete any cipher suites or if you just want to avoid this absurd implementation altogether, you can edit the list in the registry, where you can put in the full 2047 characters. But read the CAVEAT below first. You must select Enable and click Apply in the SSL Cipher Suite Order dialog as described above before editing the registry. (Doing this causes the necessary entries to be written to the registry.) Have your ordered list of cipher suites ready to go in your text editor. Remember, the list must be comma-separated with no spaces and no forced line breaks.


To edit the list in the registry,

  1. Complete steps 1 – 4 above to enable the feature and then close the Cipher Suite Order dialog.
  2. Open the registry and go to HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL\\00010002
  3. Right-click on Functions, select Modify, then paste your cipher list into the Value data field.
  4. Close the registry and reboot for changes to take effect.


CAVEAT: When you edit the registry directly, the altered list does not display in the SSL Cipher Suite Order dialog because the aforementioned 1024 character field does not read and display the actual registry values. This leaves you with a potentially confusing situation in which the values being used may not be the ones displayed in the dialog. In addition, should someone later access the dialog and click OK, it would replace your registry edits with whatever is in that 1024 character field.


For additional information on using encryption with xfServerPlus and xfNetLink, see "Using Encryption" in the "Configuring and Running xfServerPlus" chapter of the "xfNetLink and xfServerPlus User\'s Guide".

 For additional information about Microsoft’s cipher suite support, see "Cipher Suites in Schannel" at http://go.microsoft.com/fwlink/?LinkId=517265.

 



THE INFORMATION PROVIDED TO YOU IN THIS SERVICE IS FOR YOUR USE ONLY. THE INFORMATION MAY HAVE BEEN DEVELOPED INTERNALLY BY SYNERGEX OR BY EXTERNAL SOURCES. SYNERGEX MAKES NO WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS INFORMATION, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SYNERGEX BE LIABLE FOR ANY DAMAGES OR LOSSES INCURRED BY YOU IN USING OR RELYING ON THIS INFORMATION, INCLUDING WITHOUT LIMITATION GENERAL DAMAGES, DIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR LOSS OF PROFITS, EVEN IF SYNERGEX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Please log in to comment on this article.