How to determine Cipher Suite between IE and IIS

 

Assume you already looked at Xin’s article about How to use 256 bit SSL in IIS 6.0.

It is quite common to ask whether old version IE client will be affected after applying kb948963 which adds support for AES cipher suites in the Schannel.dll module for Windows Server 2003.

The answer is No, the old version IE client will not be affected and they still use the same cipher suite as before.

Let’s use netmon to demo how SSL works.

Assume client is IE7 on Windows Vista.

a. Client send HandShake: Client Hello to IIS server. It will use TLS 1.0 as the ClientHello header.

 

- SSLHandshake: SSL HandShake ClientHello(0x01)       HandShakeType: ClientHello(0x01)       Length: 120 (0x78)     - ClientHello: TLS 1.0      - Version: TLS 1.0         Major: 3 (0x3)         Minor: 1 (0x1)      - RandomBytes:         TimeStamp: 10/22/2010, 08:01:26 .0000 UTC         RandomBytes: Binary Large Object (28 Bytes)        SessionIDLength: 0 (0x0)        CipherSuitesLength: 24      - TLSCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x2F }         Cipher: 47 (0x2F)      - TLSCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }         Cipher: 53 (0x35)      - TLSCipherSuites: TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 }         Cipher: 5 (0x5)      - TLSCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }         Cipher: 10 (0xA)      - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA { 0xC0,0x09 }         Cipher: 49161 (0xC009)      - TLSCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA { 0xC0,0x0A }         Cipher: 49162 (0xC00A)      - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA { 0xC0,0x13 }         Cipher: 49171 (0xC013)      - TLSCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA { 0xC0,0x14 }         Cipher: 49172 (0xC014)      - TLSCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA { 0x00, 0x32 }         Cipher: 50 (0x32)      - TLSCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA { 0x00, 0x38 }         Cipher: 56 (0x38)      - TLSCipherSuites: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }         Cipher: 19 (0x13)      - TLSCipherSuites: TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }         Cipher: 4 (0x4)        CompressionMethodsLength: 1 (0x1)        CompressionMethods: 0 (0x0)

 

b. IIS server then selects the first one from the TLSCipherSuites list that it can match.

You can check the list on IIS registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

- TLS: TLS Rec Layer-1 HandShake: Server Hello. Certificate. Server Hello Done.   - TlsRecordLayer: TLS Rec Layer-1 HandShake:      ContentType: HandShake:    - Version: TLS 1.0       Major: 3 (0x3)       Minor: 1 (0x1)      Length: 781 (0x30D)    - SSLHandshake: SSL HandShake Server Hello Done(0x0E)       HandShakeType: ServerHello(0x02)       Length: 77 (0x4D)     - ServerHello: 0x1      - Version: TLS 1.0         Major: 3 (0x3)         Minor: 1 (0x1)      - RandomBytes:         TimeStamp: 10/22/2010, 08:01:24 .0000 UTC         RandomBytes: Binary Large Object (28 Bytes)        SessionIDLength: 32 (0x20)        SessionID: Binary Large Object (32 Bytes)        TLSCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x2F }        CompressionMethods: 0 (0x0)        ExtensionsLength: 5 (0x5)

 

Following Xin’s article, IIS 6 starts to support AES 256 and will choose TLS_RSA_WITH_AES_256_CBC_SHA.

 

You can browse the same web site from IE 6 on Windows XP, you will find the cipher suite list in SSL HandShake ClientHello sending to IIS server different from above. Then, IIS selects TLS_RSA_WITH_RC4_128_SHA instead of AES usually.

Here, I would like to give one more scenario about Internet Explorer security setting that you may concern when use AES.

IE won’t send TLS 1.0 initial ciphers in ClientHello header if disable TLS in IE Internet Options\Advanced\Security.

IE with SSL 3.0 enabled and TLS 1.0 disabled which sends cipher suits list as below. There is no AES in the SSLCipherSuites list. All initial with SSL.

- ClientHello: SSL 3.0      + Version: SSL 3.0      + RandomBytes:        SessionIDLength: 32 (0x20)        SessionID: Binary Large Object (32 Bytes)        CipherSuitesLength: 10      + SSLCipherSuites: SSL_RSA_WITH_RC4_128_SHA { 0x00,0x05 }      + SSLCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }      + SSLCipherSuites: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }      + SSLCipherSuites: SSL_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }      + SSLCipherSuites: Unknown Cipher        CompressionMethodsLength: 1 (0x1)        CompressionMethods: 0 (0x0)

Then IIS server will select the first match one based on its cipher list order.

By default, SSL 3.0 and TLS 1.0 are enabled in Internet Explorer 7.

Firefox has different behavior with SSL 3.0 enabled and TLS 1.0 disabled. Here is sample after disabling TLS 1.0 in Firefox. It still gives AES items in the SSLCipherSuites list:

- ClientHello: SSL 3.0      + Version: SSL 3.0      + RandomBytes:        SessionIDLength: 0 (0x0)        CipherSuitesLength: 40      + SSLCipherSuites: Unknown Cipher      + SSLCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x88 }      + SSLCipherSuites: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x87 }      + SSLCipherSuites: TLS_DHE_DSS_WITH_AES_256_CBC_SHA { 0x00, 0x38 }      + SSLCipherSuites: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA { 0x00, 0x84 }      + SSLCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x35 }      + SSLCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA { 0x00, 0x39 }      + SSLCipherSuites: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x45 }      + SSLCipherSuites: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x44 }      + SSLCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x33 }      + SSLCipherSuites: TLS_DHE_DSS_WITH_AES_128_CBC_SHA { 0x00, 0x32 }      + SSLCipherSuites: TLS_RSA_WITH_SEED_CBC_SHA { 0x00, 0x96 }      + SSLCipherSuites: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA { 0x00, 0x41 }      + SSLCipherSuites: SSL_RSA_WITH_RC4_128_MD5 { 0x00,0x04 }      + SSLCipherSuites: SSL_RSA_WITH_RC4_128_SHA { 0x00,0x05 }      + SSLCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA { 0x00, 0x2F }      + SSLCipherSuites: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x16 }      + SSLCipherSuites: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }      + SSLCipherSuites: Reserved to avoid conflicts with widely deployed implementations      + SSLCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }        CompressionMethodsLength: 1 (0x1)        CompressionMethods: 0 (0x0)

 

Based on test, if the server side is IIS, it will select SSL_* initial cipher suites from its SSLCipherSuites list since the ClientHello only gives SSL. It is possible for other web servers actually still picks up AES because the AES is in the SSLCipherSuites list. It depends on Server behavior.

Enjoy!

Anik