Does CipherSuitesPolicy always throw PlatformNotSupportedException on Windows?
We have a .NET 8 ASP.NET Core application running on Windows Server 2019. The application uses Kestrel with HTTPS configured as follows:
```csharp
httpsOptions.OnAuthenticate = (context, sslOptions) =>
```
After upgrading, the service crashes immediately upon receiving an HTTPS request, with the following error in the logs:
```text
System.PlatformNotSupportedException: CipherSuitesPolicy is not supported on this platform.
```
The official documentation (https://learn.microsoft.com/en-gb/dotnet/api/system.net.security.ciphersuitespolicy) states that CipherSuitesPolicy is marked with [UnsupportedOSPlatform("windows")].
Our questions are:
1. On Windows (any version, including Windows Server 2019 and Windows Server 2016), will calling new CipherSuitesPolicy() always result in a PlatformNotSupportedException? Or are there any scenarios where it might succeed?
2. If our test environment does not reproduce this error, could it simply be that no HTTPS request has reached the OnAuthenticate callback, so the problematic code was never executed?
We would like to confirm this definitively so we can explain to our security testing team that the code change (removing this API call on Windows) is the correct and necessary fix.
Thank you.
2 answers
```csharp
httpsOptions.OnAuthenticate = (context, sslOptions) =>
{
    sslOptions.CipherSuitesPolicy = new CipherSuitesPolicy(new[]
    {
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    });
};
```
AI answer
`CipherSuitesPolicy` is explicitly marked as unsupported on Windows and Android:

```csharp
[UnsupportedOSPlatform("android")]
[UnsupportedOSPlatform("windows")]
public sealed class CipherSuitesPolicy
```

This means:

- On Windows, `CipherSuitesPolicy` is not supported. The type is annotated as unsupported for all Windows platforms. On such platforms, using APIs that rely on this policy will result in `PlatformNotSupportedException`. There is no supported scenario on Windows (including Windows Server 2016/2019) where configuring TLS with `CipherSuitesPolicy` is expected to succeed.
- The exception is thrown when the unsupported functionality is actually used. In the Kestrel case, the failure appears when an HTTPS request arrives and the `OnAuthenticate` callback runs, because that is when the TLS options (including `CipherSuitesPolicy`) are applied. If the test environment never receives an HTTPS request, the callback is not invoked and the exception is not triggered, even though the code path is present.

Therefore:

- On Windows, keeping the `CipherSuitesPolicy` configuration in `httpsOptions.OnAuthenticate` is not valid and will cause `PlatformNotSupportedException` once the callback executes.
- Removing or conditionally excluding this configuration on Windows is the correct and necessary fix to avoid runtime crashes.
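One way to apply the "conditionally exclude" fix discussed above, as an added example that is not code from the original post or from Microsoft: the policy is built once at startup behind a platform guard, so the constructor is never reached on Windows and any failure on other platforms surfaces at startup instead of on the first HTTPS request. It assumes an ASP.NET Core minimal-hosting `Program.cs` with implicit usings; the `cipherPolicy` variable and the `/` endpoint are illustrative.

```csharp
using System.Net.Security;

var builder = WebApplication.CreateBuilder(args);

// Construct the policy once, and only on platforms where the type is supported.
// The type carries [UnsupportedOSPlatform("windows")] and [UnsupportedOSPlatform("android")].
CipherSuitesPolicy? cipherPolicy = null;
if (!OperatingSystem.IsWindows() && !OperatingSystem.IsAndroid())
{
    // Same suite list as in the question.
    cipherPolicy = new CipherSuitesPolicy(new[]
    {
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    });
}

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(httpsOptions =>
    {
        httpsOptions.OnAuthenticate = (context, sslOptions) =>
        {
            // Runs per TLS handshake. Reuse the prebuilt policy instead of
            // calling the constructor here, where a failure would only show
            // up once an HTTPS request arrives.
            if (cipherPolicy is not null)
            {
                sslOptions.CipherSuitesPolicy = cipherPolicy;
            }
            // On Windows the property stays unset: SslStream uses Schannel,
            // so the allowed cipher suites come from the OS-level TLS
            // configuration rather than from application code.
        };
    });
});

var app = builder.Build();
app.MapGet("/", () => "ok"); // illustrative endpoint
app.Run();
```

Because the Windows branch leaves cipher selection to the operating system, the suite restriction the security team expects has to be verified against the host's Schannel settings rather than in this code.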
