EldoS | Feel safer!

HttpWebRequest with OS independent ciphers

Posted: 10/13/2015 08:13:32
by Fabian Huegle (Basic support level)
Joined: 10/13/2015
Posts: 2


We are developing a client side module that will create an https request with certificate to a 3rd party web server. The data exchange requires both certificates as well as TLS 1.0 or higher. We have verified the implementation with a Win 7 / Win 8 desktop PC. Everything is fine.

The target machine however is an embedded device with Windows 2009 Standard Embedded (hence a Win XP SP3). Creating the same requests to the server results in a failed handshake. We have analyzed that this is probably due to the server's restrictions on ciphers. The XP Embedded machine only provides RC4 ciphers from OS level. The server probably expects 256-bit AES ciphers.

We are therefore looking for a library that would provide us with that functionality independent from OS. I have attached the current client code sending the message.

In short:
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create("...");
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.ServerCertificateValidationCallback =
    (sender, certificate, chain, errors) =>
    {
        // defer to an application-supplied callback if one is set
        if (m_RemoteCertificateValidationCallback != null)
            return m_RemoteCertificateValidationCallback(sender, certificate, chain, errors);
        // otherwise accept the server only when the chain validated cleanly
        return errors == SslPolicyErrors.None;
    };

Stream requestStream = httpWebRequest.GetRequestStream();
// the TLS handshake fails here as analysed with wireshark
// client sends TLS hello with the available cipher suite
// server sends alert
// in the good case with win 7/8 the client sends bigger cipher suite to server
// including aes ciphers
// server sends hello with chosen cipher RSA, AES 256, SHA

Can your library provide that functionality? How would the above code (full code in the attached PDF) be replaced?

Best regards,

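Before swapping in a third-party TLS stack, it helps to confirm what the OS stack actually negotiates. The following diagnostic is an added example, not code from the thread or from EldoS: it uses the .NET Framework's SslStream (so it can only show what SChannel on the local machine offers), presents the client certificate the way the post does, keeps the post's accept-only-on-clean-chain validation policy, and prints the protocol, cipher and key-exchange parameters the server chose. Host, port, PKCS#12 path and password are command-line placeholders. Running it on the Win 7 box and on the XP Embedded box side by side shows whether the embedded machine ever offers an AES suite, which is the assumption the failed handshake rests on.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Handshake diagnostic: connects with SslStream, presents the client certificate,
// and reports which protocol and cipher parameters the two sides agreed on.
static class TlsHandshakeProbe
{
    // Same policy as the original post's callback: accept only a clean chain.
    static bool ValidateServer(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors != SslPolicyErrors.None)
            Console.WriteLine("server certificate rejected: " + errors);
        return errors == SslPolicyErrors.None;
    }

    // Returns true when the handshake completed; prints the negotiated parameters.
    public static bool Probe(string host, int port, X509Certificate2 clientCert)
    {
        var clientCerts = new X509CertificateCollection();
        if (clientCert != null)
            clientCerts.Add(clientCert);

        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ValidateServer))
        {
            try
            {
                // Offer TLS 1.0 through 1.2 (the Tls11/Tls12 names need .NET 4.5);
                // the OS SChannel provider still decides which cipher suites go into ClientHello.
                ssl.AuthenticateAsClient(host, clientCerts,
                    SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12,
                    false);
            }
            catch (AuthenticationException ex)
            {
                // A server alert right after ClientHello (no shared cipher suite) lands here.
                Console.WriteLine("handshake failed: " + ex.Message);
                return false;
            }

            Console.WriteLine("protocol        : " + ssl.SslProtocol);
            Console.WriteLine("cipher          : {0} ({1}-bit)", ssl.CipherAlgorithm, ssl.CipherStrength);
            Console.WriteLine("hash            : {0} ({1}-bit)", ssl.HashAlgorithm, ssl.HashStrength);
            Console.WriteLine("key exchange    : {0} ({1}-bit)", ssl.KeyExchangeAlgorithm, ssl.KeyExchangeStrength);
            Console.WriteLine("client cert sent: " + (ssl.LocalCertificate != null));
            return true;
        }
    }

    static void Main(string[] args)
    {
        // Placeholders: host, port, optional client PKCS#12 path and password come from the command line.
        if (args.Length < 2)
        {
            Console.WriteLine("usage: probe <host> <port> [client.p12 <password>]");
            return;
        }
        X509Certificate2 clientCert = null;
        if (args.Length >= 4 && File.Exists(args[2]))
            clientCert = new X509Certificate2(args[2], args[3]);
        Probe(args[0], int.Parse(args[1]), clientCert);
    }
}
```

One caveat worth checking alongside the cipher question: the snippet in the post sets `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls`, which pins the client to TLS 1.0 only rather than "1.0 or higher"; if the server has moved to requiring 1.1 or 1.2, the handshake fails on the protocol version before cipher selection is even reached, and the probe above would report that as a handshake failure too.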
Posted: 10/13/2015 08:20:09
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

You can use our TElHTTPSClient component to replace your code: https://www.eldos.com/documentation/sb...lient.html

You can also use the HTTPPost sample that is included in the SecureBlackbox evaluation package as a reference.

The package can be downloaded here: https://www.eldos.com/sbb/download-release.php#product
The sample is located in the \EldoS\SecureBlackbox.NET\Samples\C#\HTTPBlackbox\Desktop\Client\HTTPPost folder after SecureBlackbox installation.
Posted: 10/14/2015 02:27:55
by Fabian Huegle (Basic support level)
Joined: 10/13/2015
Posts: 2

OK. I am trying to replace the Load Certificates lines of code.

        private void LoadRootCA(string rootCAPath)
        {
            if (File.Exists(rootCAPath))
            {
                RootCA = new X509Certificate2(rootCAPath);

                var certStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            }
        }

        private void LoadWebCA(string webCAPath)
        {
            if (File.Exists(webCAPath))
                WebCA = new X509Certificate2(webCAPath);
        }

        private void LoadPwd(string pwdPath)
        {
            if (File.Exists(pwdPath))
                pwd = File.ReadLines(pwdPath).First();
        }

        private void LoadClientCert(string pfxPath)
        {
            if (!File.Exists(pfxPath))
                return;

            // client certificate with private key, protected by the password read above
            ClientCA = new X509Certificate2(pfxPath, pwd);
        }

        private void CreateChain()
        {
            var chain = new X509Chain(false);
            if (RootCA != null)
                chain.ChainPolicy.ExtraStore.Add(RootCA); // assumed: the post does not show this body line
            if (WebCA != null)
                chain.ChainPolicy.ExtraStore.Add(WebCA);  // assumed: the post does not show this body line

            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            X509Chain = chain;
        }

It does not load the WebCA and ClientCA with the following code:
            TElX509Certificate rootCA = new TElX509Certificate();
            rootCA.LoadFromFileAuto("..\\..\\Root-CA2009.crt", "");

            TElX509Certificate webCA = new TElX509Certificate();
            rootCA.LoadFromFileAuto("..\\..\\Web2-CA2009.crt", "");

            TElX509Certificate clientCA = new TElX509Certificate();
            rootCA.LoadFromStreamAuto(new FileStream("..\\..\\tst-regio-kreuz-bremen-20150608-01.noncd.db.de.p12", FileMode.Open), "trkb-01", 1);

The properties of WebCA and ClientCA are always empty. RootCA does work. Any suggestions?
Posted: 10/14/2015 02:49:17
by Eugene Mayevski (Team)

You are calling rootCA.LoadFromFileAuto instead of webCA.LoadFromStreamAuto and clientCA.LoadFromStreamAuto. Please change the calls and everything will work.

On a side note, it would help a lot if you used the CODE button located above the text entry box (alternatively you can write [ CODE ] and [ /CODE ] tags by hand) to mark the beginning and the end of the code blocks in your messages. This would enable syntax highlighting and line numbering on the code and make it easier to analyse.

Sincerely yours
Eugene Mayevski
