
I'm working on a TLS client that needs to be upgraded to use TLS 1.3 on Windows 11. Has anyone successfully implemented TLS 1.3 using SChannel APIs?

As per the Microsoft link below, TLS 1.3 is supported in Win 11 & Server 2022:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

Below code snippet added for TLS 1.3:

    #define SECURITY_PROTOCOL_TLSV13 0x00
    securityInfo->bySecurityProtocol = SECURITY_PROTOCOL_TLSV13;
    sChannelCred->grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

    // sChannelCred is already a pointer to the SCHANNEL_CRED, so it is passed directly
    status = pMyFunTab->AcquireCredentialsHandleA(NULL, (SEC_CHAR*)UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL, sChannelCred, NULL, NULL, phCred, &ts);

Return status = SEC_E_ALGORITHM_MISMATCH (0x80090331)

**error details: Secure connection failed. An error occurred while trying to connect to the host, error code 0x80090331. The client and server cannot communicate, because they do not possess a common algorithm.**

API links:

https://learn.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea
https://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/SecAuthN/acquirecredentialshandle--schannel.md


Tried the change below to fix this:

Windows version tested with: Windows 11 21H2, OS build 22000.434

Registry change: as suggested in the link below: how to enable TLS 1.3 in Windows 10

Any suggestion or a small C++ code snippet is well appreciated, as well as any advice which may help me to understand what is wrong with the client.

FYI: I am not using the curl library.

Thank you

Regards: Ajay Jaiswal

    a [mre] would help – Alan Birtles Jan 19 '22 at 08:37
  • Please try to focus the question on one specific issue. Asking if someone else has used it as well as asking for example code is off-topic. If you show your code it will be easier to help – 463035818_is_not_an_ai Jan 19 '22 at 08:58
  • Do you control both ends of the connection? What makes complete sense is that the receiving end doesn't support the correct version, and so the error you get, is just what it says it is – Tiger4Hire Jan 19 '22 at 10:02

3 Answers

Gilles, did you try the latest curl 7.81.0 on Win10 or Win11 with Schannel as the SSL backend? The following is what I saw.

    curl -vI --tls-max 1.3 https://www.google.com
    *   Trying 142.251.35.164:443...
    * Connected to www.google.com (142.251.35.164) port 443 (#0)
    * schannel: disabled automatic use of client certificate
    * schannel: TLS 1.3 is not yet supported
    * Closing connection 0
    curl: (35) schannel: TLS 1.3 is not yet supported
Richard

I ran into the same issue in Win11 but the same code below works in Win10. Please note TLS 1.3 has been enabled in the registry of my Win11.

    // Headers needed for this snippet to compile stand-alone
    #define SECURITY_WIN32
    #include <windows.h>
    #include <sspi.h>
    #include <schannel.h>

    SCHANNEL_CRED SchannelCred;
    CredHandle hClientCreds;
    TimeStamp tsExpiry;

    PSecurityFunctionTable sspi = InitSecurityInterface();

    ZeroMemory(&SchannelCred, sizeof(SchannelCred));
    SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;  // only TLS 1.3 requested
    SchannelCred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS | SCH_USE_STRONG_CRYPTO;

    // Outbound (client) credential from the Unified Security Protocol provider
    SECURITY_STATUS Status = sspi->AcquireCredentialsHandle(NULL,
        (SEC_CHAR*)UNISP_NAME_A,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &SchannelCred,
        NULL,
        NULL,
        &hClientCreds,
        &tsExpiry);

Later, I found it's required to use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure for TLS 1.3 in Win11.

Richard
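A credential acquired the way the answer above describes, as an added example that is not code from the question or the answers: SCH_CREDENTIALS with a TLS_PARAMETERS whose disabled-protocol mask leaves only TLS 1.3 negotiable. It assumes the Windows SDK headers and secur32.lib; the SP_PROT_* values in the non-Windows branch are copied from schannel.h so the mask helper can be built and checked elsewhere.

```cpp
// Added example, not code from the question or answers: acquire a Schannel client
// credential restricted to TLS 1.3 with SCH_CREDENTIALS + TLS_PARAMETERS.
// Build on Windows with the Windows SDK and link against secur32.lib.
#ifdef _WIN32
#define SECURITY_WIN32
#define SCHANNEL_USE_BLACKLISTS  // older SDK headers hide SCH_CREDENTIALS without it
#include <windows.h>
#include <sspi.h>
#include <schannel.h>
#else
// Protocol bit values copied from schannel.h so the mask helper below can be
// compiled and checked on a non-Windows host.
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_SSL3_CLIENT   0x00000020
#define SP_PROT_TLS1_0_CLIENT 0x00000080
#define SP_PROT_TLS1_1_CLIENT 0x00000200
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#define SP_PROT_TLS1_3_CLIENT 0x00002000
#endif

// SCH_CREDENTIALS inverts the old SCHANNEL_CRED logic: TLS_PARAMETERS carries a
// *disabled* protocol mask, not an enabled one. Leaving TLS 1.3 out of the mask
// and disabling every older version yields a TLS 1.3-only client credential.
unsigned long Tls13OnlyDisabledMask() {
    return SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT |
           SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
}

#ifdef _WIN32
// Returns SEC_E_OK on success, otherwise the SECURITY_STATUS reported by Schannel.
SECURITY_STATUS AcquireTls13ClientCreds(CredHandle* phCreds, TimeStamp* ptsExpiry) {
    TLS_PARAMETERS tlsParams = {};
    tlsParams.grbitDisabledProtocols = Tls13OnlyDisabledMask();

    SCH_CREDENTIALS creds = {};
    creds.dwVersion = SCH_CREDENTIALS_VERSION;   // 5, not SCHANNEL_CRED_VERSION
    // Let Schannel validate the server chain; never pick a client cert implicitly.
    creds.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS |
                    SCH_USE_STRONG_CRYPTO;
    creds.cTlsParameters = 1;
    creds.pTlsParameters = &tlsParams;

    PSecurityFunctionTableA sspi = InitSecurityInterfaceA();
    if (sspi == NULL) return SEC_E_INTERNAL_ERROR;
    return sspi->AcquireCredentialsHandleA(NULL, (SEC_CHAR*)UNISP_NAME_A,
        SECPKG_CRED_OUTBOUND, NULL, &creds, NULL, NULL, phCreds, ptsExpiry);
}
#endif
```

A non-zero return from AcquireTls13ClientCreds on a host where TLS 1.3 is disabled is the point to check before debugging the handshake itself.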

There is a curl pull request with Schannel TLS 1.3 support.

You can take a look at https://github.com/curl/curl/pull/7784