Has anyone tried using TLS 1.3 using SChannel with Windows-11 21h2?

I'm working on a TLS client that needs to be upgraded to use TLS 1.3 on Windows-11. Has anyone successfully implemented TLS 1.3 using SChannel APIs?

As per the Microsoft link below, TLS 1.3 is supported on Windows 11 and Windows Server 2022:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

The code snippet below was added for TLS 1.3:

```cpp
#define SECURITY_PROTOCOL_TLSV13 0x00
securityInfo->bySecurityProtocol = SECURITY_PROTOCOL_TLSV13;
sChannelCred->grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

status = pMyFunTab->AcquireCredentialsHandleA(NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL, &sChannelCred, NULL, NULL, phCred, &ts);
```

The returned status is SEC_E_ALGORITHM_MISMATCH (0x80090331).

**Error details: Secure connection failed. An error occurred while trying to connect to the host, error code 0x80090331. The client and server cannot communicate, because they do not possess a common algorithm.**

API links:

https://learn.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-acquirecredentialshandlea

https://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/SecAuthN/acquirecredentialshandle--schannel.md


I tried the following change to fix this:

Windows version tested with: Windows 11 21H2, OS build 22000.434

Registry change: as suggested in the link below: how to enable TLS 1.3 in windows 10

Any suggestion or a small sample C++ code snippet would be much appreciated, as would any advice that helps me understand what is wrong with the client.

FYI: I am not using the cURL library.

Thank you

Regards: Ajay Jaiswal

ajay kumar Jaiswal asked Feb 01 '26 14:02

2 Answers

I ran into the same issue on Win11, but the same code below works on Win10. Please note that TLS 1.3 has been enabled in the registry of my Win11.

```cpp
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <schannel.h>

SCHANNEL_CRED SchannelCred;
CredHandle hClientCreds;
TimeStamp tsExpiry;

PSecurityFunctionTable sspi = InitSecurityInterface();

ZeroMemory(&SchannelCred, sizeof(SchannelCred));
SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
// Legacy SCHANNEL_CRED allow-list: only the TLS 1.3 client protocol bit is enabled.
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
SchannelCred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS | SCH_USE_STRONG_CRYPTO;

SECURITY_STATUS Status = sspi->AcquireCredentialsHandle(NULL,
    (SEC_CHAR*)UNISP_NAME_A,
    SECPKG_CRED_OUTBOUND,
    NULL,
    &SchannelCred,
    NULL,
    NULL,
    &hClientCreds,
    &tsExpiry);
```

Later, I found that it is required to use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure for TLS 1.3 on Win11.

Richard answered Feb 04 '26 02:02
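The answer above names the fix (SCH_CREDENTIALS instead of SCHANNEL_CRED) but does not show it. What follows is an added example, not code from the question, the answer, or Microsoft's documentation, of that path: a TLS_PARAMETERS entry that disables every client protocol except TLS 1.3, attached to a version-5 SCH_CREDENTIALS and passed to AcquireCredentialsHandleW. The helper names ConfigureTls13OnlyClientCredentials, Tls13OnlyDisabledProtocols, CredentialsAllowOnlyTls13 and AcquireTls13ClientCredentials are my own. On Windows it builds against the SDK headers (SCHANNEL_USE_BLACKLISTS must be defined before schannel.h, or SCH_CREDENTIALS and TLS_PARAMETERS are not declared; link with secur32.lib). On other platforms a small shim reproduces the documented schannel.h constants and layouts so the structure-setup logic can be compiled and checked; that shim is an assumption about header contents and is not a substitute for the real SDK.

```cpp
// Added example: TLS 1.3-only SChannel client credentials via SCH_CREDENTIALS.
// Windows: builds against the SDK. Elsewhere: a shim mirroring the documented
// schannel.h constants/layouts (assumption; verify against your SDK) so the
// structure setup can still be compiled and checked off-Windows.
#include <cstdio>
#include <cstring>

#ifdef _WIN32
#define SECURITY_WIN32
#define SCHANNEL_USE_BLACKLISTS   // without this, SCH_CREDENTIALS/TLS_PARAMETERS are not declared
#include <windows.h>
#include <sspi.h>
#include <schannel.h>
#else
typedef unsigned int DWORD;       // 32-bit, as on Windows
typedef void* PVOID;
// Client-side protocol bits from schannel.h.
#define SP_PROT_SSL2_CLIENT             0x00000008
#define SP_PROT_SSL3_CLIENT             0x00000020
#define SP_PROT_TLS1_0_CLIENT           0x00000080
#define SP_PROT_TLS1_1_CLIENT           0x00000200
#define SP_PROT_TLS1_2_CLIENT           0x00000800
#define SP_PROT_TLS1_3_CLIENT           0x00002000
#define SCH_CREDENTIALS_VERSION         0x00000005
#define SCH_CRED_MANUAL_CRED_VALIDATION 0x00000008
#define SCH_CRED_NO_DEFAULT_CREDS       0x00000010
#define SCH_USE_STRONG_CRYPTO           0x00400000
typedef struct _TLS_PARAMETERS {
    DWORD cAlpnIds; PVOID rgstrAlpnIds;
    DWORD grbitDisabledProtocols;          // note: a DENY-list, unlike SCHANNEL_CRED
    DWORD cDisabledCrypto; PVOID pDisabledCrypto;
    DWORD dwFlags;
} TLS_PARAMETERS, *PTLS_PARAMETERS;
typedef struct _SCH_CREDENTIALS {
    DWORD dwVersion; DWORD dwCredFormat; DWORD cCreds; PVOID paCred;
    PVOID hRootStore; DWORD cMappers; PVOID aphMappers; DWORD dwSessionLifespan;
    DWORD dwFlags; DWORD cTlsParameters; PTLS_PARAMETERS pTlsParameters;
} SCH_CREDENTIALS;
#endif

// Every client protocol bit except TLS 1.3. SCH_CREDENTIALS expresses protocol
// policy as a deny-list: 0 means "OS default", so "TLS 1.3 only" is the inverse
// of the SCHANNEL_CRED.grbitEnabledProtocols allow-list used in the answer above.
DWORD Tls13OnlyDisabledProtocols() {
    return SP_PROT_SSL2_CLIENT | SP_PROT_SSL3_CLIENT |
           SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;
}

// Fills caller-owned structures; creds keeps a pointer into params, so both must
// outlive the AcquireCredentialsHandle call.
void ConfigureTls13OnlyClientCredentials(SCH_CREDENTIALS* creds, TLS_PARAMETERS* params) {
    std::memset(params, 0, sizeof(*params));
    params->grbitDisabledProtocols = Tls13OnlyDisabledProtocols();

    std::memset(creds, 0, sizeof(*creds));
    creds->dwVersion = SCH_CREDENTIALS_VERSION;         // 5: selects the new structure
    creds->dwFlags = SCH_CRED_NO_DEFAULT_CREDS          // no automatic client certificate
                   | SCH_CRED_MANUAL_CRED_VALIDATION    // the app must validate the server chain itself
                   | SCH_USE_STRONG_CRYPTO;
    creds->cTlsParameters = 1;
    creds->pTlsParameters = params;
}

// Pre-handshake sanity check: is TLS 1.3 the only client protocol left enabled?
bool CredentialsAllowOnlyTls13(const SCH_CREDENTIALS& creds) {
    if (creds.dwVersion != SCH_CREDENTIALS_VERSION || creds.cTlsParameters != 1 ||
        creds.pTlsParameters == nullptr)
        return false;
    DWORD disabled = creds.pTlsParameters->grbitDisabledProtocols;
    return (disabled & SP_PROT_TLS1_3_CLIENT) == 0 &&
           (disabled & Tls13OnlyDisabledProtocols()) == Tls13OnlyDisabledProtocols();
}

#ifdef _WIN32
// The real call: pAuthData is the SCH_CREDENTIALS, not a SCHANNEL_CRED.
SECURITY_STATUS AcquireTls13ClientCredentials(CredHandle* out) {
    static TLS_PARAMETERS params;   // static so they outlive the call; a member field works too
    static SCH_CREDENTIALS creds;
    ConfigureTls13OnlyClientCredentials(&creds, &params);
    TimeStamp expiry;
    return AcquireCredentialsHandleW(NULL, const_cast<SEC_WCHAR*>(UNISP_NAME_W),
                                     SECPKG_CRED_OUTBOUND, NULL, &creds,
                                     NULL, NULL, out, &expiry);
}
#endif

int main() {
    SCH_CREDENTIALS creds; TLS_PARAMETERS params;
    ConfigureTls13OnlyClientCredentials(&creds, &params);
    std::printf("disabled mask 0x%08x, TLS 1.3 only: %s\n",
                (unsigned)params.grbitDisabledProtocols,
                CredentialsAllowOnlyTls13(creds) ? "yes" : "no");
#ifdef _WIN32
    CredHandle h;
    SECURITY_STATUS st = AcquireTls13ClientCredentials(&h);
    std::printf("AcquireCredentialsHandleW: 0x%08lx\n", (unsigned long)st);
    if (st == SEC_E_OK) FreeCredentialsHandle(&h);
#endif
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the semantics flip between the two structures: a zeroed TLS_PARAMETERS does not mean "nothing enabled", it means "OS defaults", so forgetting to populate grbitDisabledProtocols silently leaves TLS 1.0/1.1/1.2 negotiable. Second, SCH_CRED_MANUAL_CRED_VALIDATION is copied from the answer above for parity; it turns off SChannel's own server-certificate validation, so the application must call the certificate-chain validation itself after the handshake or the connection is authenticated by nobody.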


Gilles, did you try the latest curl 7.81.0 on Win10 or Win11 with schannel as the SSL backend? The following is what I saw.

```
curl -vI --tls-max 1.3 https://www.google.com
*   Trying 142.251.35.164:443...
* Connected to www.google.com (142.251.35.164) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: TLS 1.3 is not yet supported
* Closing connection 0
curl: (35) schannel: TLS 1.3 is not yet supported
```
Richard answered Feb 04 '26 04:02


