SSL/TLS protocol version fallback mechanism

5

I'm using Microsoft Crypto API to handle SSL connections. When communicating with servers that support TLS 1.0 or higher everything works fine, but when I try to deal with server that support only SSL 3.0 InitializeSecurityContext() fails with error code 0x80090331 (SEC_E_ALGORITHM_MISMATCH).

I tried to play with SCHANNEL_CRED structure that is passed to AcquireCredentialsHandle() as pAuthData argument. Particularly it has field grbitEnabledProtocols that is supposed to control the set of supported protocols. When I set grbitEnabledProtocols=SP_PROT_SSL3, everything works fine, but it breaks the security because I want to support TLS 1.0, 1.1 and 1.2 too, and it becomes impossible to communicate with servers that have SSL 3.0 disabled for security reasons.

So the problem is:

When I set grbitEnabledProtocols=SP_PROT_SSL3TLS1_X and try to communicate with server that supports SSL 3.0 only, connection starts as TLS 1.2, then server responds with SSL 3.0 header and appropriate data. From here, according to the RFC, Crypto API should continue the handshake procedure using SSL 3.0 protocol, but instead it fails with error 0x80090331 (SEC_E_ALGORITHM_MISMATCH, the client and server cannot communicate, because they do not possess a common algorithm).

Is there any possible way to enable TLS 1.0, 1.1, 1.2 along with SSL 3.0 in MS Crypto API?

c++
visual-c++
ssl
cryptography
cryptoapi
asked on Stack Overflow Jan 14, 2014 by Mikhail Melnik • edited Jan 30, 2014 by jww

1 Answer

0

two things you can do as a part of debugging .

1> check is there a way to specify the supported protocols in the APIs you are using .

2> try to include all the encryption and hashing algorithms possible .

these two options are available in open SSL .

the best way is to debug is to use wireshark and look for what exactly the error code SSL protocol sends .

answered on Stack Overflow Jan 30, 2014 by Simal Haneef

User contributions licensed under CC BY-SA 3.0