TLS 1.3 doesn't work on Windows 11 through SChannel API

Richard 21

Hello,

We have some client code on Win10 that can connect to our host or public host like www.google.com over TLS 1.3 successfully but it doesn't work on Win11. We have enabled TLS 1.3 on this machine by following registry.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

The error we saw is 0x80090331 (The client and server cannot communicate, because they do not possess a common algorithm). It happened when AcquireCredentialsHandle is called. This is the first step to start TLS session so the handshake has not started yet. Please note all cipher suites including TLS 1.3 cipher suites are enabled on this machine. The OS Build of Win11 is 22000.434.

So, is there something I'm missing or does SChannel API on Win11 support TLS 1.3?

Thanks in advance,

Richard

Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-01-25T09:06:11.317+00:00

According to the official document, Win11 supports TLS1.3, Could you tell me your host system version?
Richard 21 Reputation points

2022-01-25T09:14:15.653+00:00

I added this version in my question, that is 22000.434. Thanks.
Richard 21 Reputation points

2022-01-25T09:16:02.07+00:00

If you are asking about the server. It doesn't matter because my test program also failed with same error when connect to www.google.com on Win11, but same code works on Win10, as I described.
Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-01-25T09:31:18.613+00:00

Have you tried to use TSL1.2 in Windows 11?
Richard 21 Reputation points

2022-01-25T09:32:32.87+00:00

Yes, I tried, it works.
Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-01-25T09:42:34.697+00:00

I am sure that TLS1.3 is enabled on your win11. I would like to know whether TLS1.3 is also enabled on your server (Although the connection is successful in Win10).
Richard 21 Reputation points

2022-01-25T09:48:08.867+00:00

Yes, it is. Like what i pointed, this failure occurred in the very beginning so it has nothing to do with the server. More, I did same tests with www.google.com as the server but got same result.
Richard 21 Reputation points

2022-01-25T09:51:36.787+00:00

Perhaps if you can write some code to try on Win11, it could be quickest approach to verify this. Thanks.
Richard 21 Reputation points

2022-01-25T09:55:44.34+00:00

By the way, I also noticed that someone complained the same issue in stackoverflow.
Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-01-25T10:08:36.03+00:00

It will take some time for me, I am very sorry, because I am using Win10, I read the link you shared, the log is "TLS 1.3 is not yet supported", but according to the official explanation, TLS 1.3 is supported, I will try to find a relevant solution in Win11.
Richard 21 Reputation points

2022-01-26T00:37:23.667+00:00

Much appreciated. As for "TLS 1.3 is not yet supported" in that link, please note it suggests the same result on Win10 or Win11 with curl, so it's some problem in curl itself but I just pointed you the initial question in that link which is same as what I asked here.

Richard 21

Here is the code example that works on Win10 but fails on Win11 with error 0x80090331. I also tried some variants, for example, add TLS 1.3 cipher suites only, but none of them can work.

    SCHANNEL_CRED SchannelCred;
    CredHandle hClientCreds;
    TimeStamp tsExpiry;

    PSecurityFunctionTable sspi = InitSecurityInterface();

    ZeroMemory(&SchannelCred, sizeof(SchannelCred));
    SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
    SchannelCred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS | SCH_USE_STRONG_CRYPTO;

    SECURITY_STATUS Status = sspi->AcquireCredentialsHandle(NULL,
        (SEC_CHAR*)UNISP_NAME_A,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &SchannelCred,
        NULL,
        NULL,
        &hClientCreds,
        &tsExpiry);

Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-01-27T02:02:38.36+00:00

Could tell me how you are initializing the SCHANNEL_CRED structure which is passed to AcquireCredentialsHandle()?
Richard 21 Reputation points

2022-01-27T02:13:58.977+00:00

Please see the above code. Thanks.

Accepted answer

Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-02-01T02:32:05.077+00:00
Hello,
Welcome to Microsoft Q&A!

In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
SCH_CREDENTIALS - Win32 apps | Microsoft Learn

SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS. and you’ll notice that you can not specify protocol versions with SCH_CREDENTIALS. Beacause you have configured Windows 11 correctly, schannel will use the latest version of TLS so 1.3 will be used.

Thank you.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Please sign in to rate this answer.

1 person found this answer helpful.
Richard 21 Reputation points

2022-02-03T02:30:59.29+00:00

Great, yes, it is working with the new structure. By the way, I can specify protocol version with TLS_PARAMETERS. In addition, could you please indicate some link saying SCHANNEL_CRED is deprecated? If there isn't, perhaps MS should add it to avoid confuse and to save time for developers. Thanks a lot!

Junjie Zhu - MSFT 14,751 Reputation points Microsoft Vendor

2022-02-03T02:35:39.1+00:00

Thank you for your valuable advice. We will explain this in the documentation of SCHANNEL_CRED.
https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials#requirements
https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred#requirements
Sign in to comment

2 additional answers

S.Sengupta 15,111 Reputation points MVP

2022-01-26T01:44:25.59+00:00

As per Microsoft's article it is enabled in Windows11.

Have you tried this?

how to enable TLS 1.3 in windows 10

Check your Registry settings.
Please sign in to rate this answer.
Richard 21 Reputation points

2022-01-26T01:47:15.27+00:00

Of course, I did. I think my question has described very clearly.
Sign in to comment
Limitless Technology 39,351 Reputation points

2022-01-26T18:20:31.76+00:00

Hi @Richard

TLS 1.3 is now enabled by default on Windows 11 as stated by Microsoft. Cipher suites can only be negotiated for TLS versions that support them. The highest supported TLS version is always preferred in the TLS handshake.

Availability of cipher suites should be controlled in one of two ways:

-The default priority order is overridden when a priority list is configured. Cipher suites not in the priority list will not be used.
-Allowed when the application passes SCH_USE_STRONG_CRYPTO: The Microsoft Schannel provider will filter out known weak cipher suites when the application uses the SCH_USE_STRONG_CRYPTO flag. RC4, DES, export, and null cipher suites are filtered out.

TLS Cipher Suites in Windows 11
https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11

Hope this resolves your Query!!

-----------

--If the reply is helpful, please Upvote and Accept it as an answer--
Please sign in to rate this answer.
Richard 21 Reputation points

2022-01-27T01:13:39.4+00:00

Hi,

I saw this article and tried, but I wasn't able to get this work on Win11. In fact, this link isn't different from another link for Win10 except TLS 1.3 cipher suites, but we all know that Win10 also supports TLS 1.3. Particularly, like I described, the same code works on Win10 but doesn't on Win11, this is why I'm confused, I thought Windows 11 should be backward-compatible in this aspect. See my code above.
So, appreciate if you can send some code piece on Win11 where AcquireCredentialsHandle can succeed with grbitEnabledProtocols member being SP_PROT_TLS1_3_CLIENT only.

Thanks.,
Richard
Sign in to comment