9

How to enable TLS 1.3 in Windows 10

JohnMathew

2 Answers

25

Native SChannel implementation on Windows 10 and Windows 10 Server version 1903 (May 2019 Update) and newer supports TLS 1.3.

This is how you can enable it using the registry for the client:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```

This is how you can enable it using the registry for the server:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```

Bear in mind that this will have no effect on any versions of Windows prior to 1903.

silkfire
Igor Levicki
  • 2
    Note that this might cause connections to fail (at least for me) because SChannel does not indicate support for `rsa_pss_rsae_*` signatures in the `signature_algorithms` extension, causing the server to reply with `handshake_failure`. This might be a bug but I'm not sure. It might also be a configuration error on my side, let me know if your PC does indicate support. – SWdV May 12 '20 at 22:43
  • 1
    Note the [Microsoft TLS 1.3 Support Reference](https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/) says “TLS 1.3 is also supported on Windows 1903 as of release of this article for testing purposes only, not production environment.” – csrowell Jul 06 '20 at 15:20
  • 2
    According to https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-protocol-version-support, there is no TLS 1.3 support yet. Maybe with some "Insider-Preview" but not by default. – k1ll3r8e Jun 17 '21 at 04:50
  • 1
    For those looking to enable TLS 1.3 with .NET 5+ on localhost, use the **server** registry key (your development environment acts as the server). – silkfire Jun 30 '21 at 00:36
  • 1
    I tried this, and now I get this error: `The Local Security Authority cannot be contacted` - anyone know how to fix this? – Zeus82 Jan 08 '22 at 15:39
  • @Zeus82 If you cannot boot or log in to your OS and you have no system restore points prior to the change, then you will have to attach your OS drive to another Windows PC, load the registry hive from the `X:\Windows\System32\Config\SYSTEM` file (where `X` is the drive letter of your attached OS drive), undo the change, then unload the hive. You might also be able to undo the change by booting from the install ISO into recovery mode and using the command prompt. How to accomplish that is out of scope -- before making any registry changes you should know there can be consequences and know how to recover. – Igor Levicki Feb 01 '22 at 13:18
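
A check to run before importing either `.reg` file from the answer above, as an added example that is not part of the original answer or its comments: it compares the OS build against version 1903, exports the SCHANNEL key so the change can be undone, and reports what the `TLS 1.3\Client` and `TLS 1.3\Server` keys currently hold. The function name `Get-Tls13RegistryState`, the backup file name, and the mapping of version 1903 to build 18362 are assumptions of this example.

```powershell
# Added example: audit the SChannel TLS 1.3 registry state and back up the key.
# Assumption: build 18362 is Windows 10 version 1903 (May 2019 Update).
$MinBuild     = 18362
$SchannelKey  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ProtocolPath = "HKLM:\$SchannelKey\Protocols\TLS 1.3"

function Get-Tls13RegistryState {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)

    $path = Join-Path $ProtocolPath $Role
    if (-not (Test-Path $path)) {
        # Key absent: nothing was configured, so the OS default applies.
        return [pscustomobject]@{
            Role = $Role; Enabled = $null; DisabledByDefault = $null; State = 'NotConfigured'
        }
    }
    $props   = Get-ItemProperty -Path $path
    $enabled = $props.Enabled            # $null when the value does not exist
    $dbd     = $props.DisabledByDefault
    $state   = if ($enabled -eq 1 -and $dbd -eq 0) { 'EnabledByRegistry' }
               elseif ($enabled -eq 0)             { 'DisabledByRegistry' }
               else                                { 'PartiallyConfigured' }
    [pscustomobject]@{
        Role = $Role; Enabled = $enabled; DisabledByDefault = $dbd; State = $state
    }
}

# 1. The answer states the keys have no effect on versions before 1903.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
if ($build -lt $MinBuild) {
    Write-Warning "Build $build is older than $MinBuild (1903); the TLS 1.3 keys have no effect here."
}

# 2. Export the whole SCHANNEL key first so the change can be reverted offline.
$backup = Join-Path $env:TEMP ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export "HKLM\$SchannelKey" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Backup of the SCHANNEL key failed; do not change the registry yet.'
} else {
    Write-Output "SCHANNEL key exported to $backup"
}

# 3. Report the current state of both roles.
'Client', 'Server' |
    ForEach-Object { Get-Tls13RegistryState -Role $_ } |
    Format-Table -AutoSize
```

Copy the exported `.reg` file off the machine before making the change, since a backup in `%TEMP%` is not reachable if the OS no longer boots or accepts logins.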
-5

Microsoft does not support TLS 1.3, see. You can use TLS 1.3 by installing OpenSSL.