TLS 1.3 doesn't work on Windows 11 through SChannel API

Hello,
We have some client code on Win10 that can connect to our host or a public host like www.google.com over TLS 1.3 successfully, but it doesn't work on Win11. We have enabled TLS 1.3 on this machine with the following registry settings.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
The error we saw is 0x80090331 (The client and server cannot communicate, because they do not possess a common algorithm). It happened when AcquireCredentialsHandle is called. This is the first step to start a TLS session, so the handshake has not started yet. Please note all cipher suites, including TLS 1.3 cipher suites, are enabled on this machine. The OS build of Win11 is 22000.434.
So, is there something I'm missing or does SChannel API on Win11 support TLS 1.3?
Thanks in advance,
Richard
I added this version in my question, that is 22000.434. Thanks.
If you are asking about the server, it doesn't matter, because my test program also failed with the same error when connecting to www.google.com on Win11, but the same code works on Win10, as I described.
Have you tried to use TLS 1.2 in Windows 11?
Yes, I tried, it works.
I am sure that TLS 1.3 is enabled on your Win11. I would like to know whether TLS 1.3 is also enabled on your server (although the connection is successful on Win10).
Yes, it is. Like I pointed out, this failure occurred at the very beginning, so it has nothing to do with the server. Moreover, I did the same tests with www.google.com as the server but got the same result.
Perhaps if you can write some code to try on Win11, it could be the quickest approach to verify this. Thanks.
By the way, I also noticed that someone complained about the same issue on Stack Overflow.
It will take some time for me, I am very sorry, because I am using Win10. I read the link you shared; the log says "TLS 1.3 is not yet supported", but according to the official explanation, TLS 1.3 is supported. I will try to find a relevant solution on Win11.
Much appreciated. As for "TLS 1.3 is not yet supported" in that link, please note it shows the same result on Win10 or Win11 with curl, so it's some problem in curl itself. I just pointed you to the initial question in that link, which is the same as what I asked here.
Here is the code example that works on Win10 but fails on Win11 with error 0x80090331. I also tried some variants, for example, adding TLS 1.3 cipher suites only, but none of them work.
Could you tell me how you are initializing the SCHANNEL_CRED structure which is passed to AcquireCredentialsHandle()?
Please see the above code. Thanks.
Hello,
Welcome to Microsoft Q&A!
In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
SCH_CREDENTIALS - Win32 apps | Microsoft Learn
The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS, and you'll notice that you cannot specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS, so 1.3 will be used.
Thank you.
Great, yes, it is working with the new structure. By the way, I can specify the protocol version with TLS_PARAMETERS. In addition, could you please point me to a link saying SCHANNEL_CRED is deprecated? If there isn't one, perhaps MS should add it to avoid confusion and to save developers time. Thanks a lot!
Thank you for your valuable advice. We will explain this in the documentation of SCHANNEL_CRED.
https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials#requirements
https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred#requirements
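The migration the accepted answer and the TLS_PARAMETERS comment above describe, as an added example (not Richard's code from the question): SCH_CREDENTIALS takes a list of protocols to disable rather than to enable, so an old SCHANNEL_CRED grbitEnabledProtocols value of SP_PROT_TLS1_3_CLIENT becomes a grbitDisabledProtocols mask covering every other client protocol. The helper name disabled_from_enabled and the flag choice are this example's own; off Windows only the mask helper compiles, with the SP_PROT_* values mirrored from schannel.h.

```c
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#pragma comment(lib, "secur32.lib")
#else
/* Off Windows only the mask helper builds; these values mirror schannel.h. */
#define SP_PROT_SSL3_CLIENT   0x00000020UL
#define SP_PROT_TLS1_0_CLIENT 0x00000080UL
#define SP_PROT_TLS1_1_CLIENT 0x00000200UL
#define SP_PROT_TLS1_2_CLIENT 0x00000800UL
#define SP_PROT_TLS1_3_CLIENT 0x00002000UL
#endif

#define ALL_TLS_CLIENT_PROTOCOLS (SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | \
    SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_3_CLIENT)

/* SCH_CREDENTIALS inverts the SCHANNEL_CRED logic: TLS_PARAMETERS.grbitDisabledProtocols
 * names what must NOT be negotiated, so every protocol the caller used to enable is
 * removed from the full client set. An old value of 0 meant "system default", which
 * maps to 0 here (disable nothing and let the OS pick, i.e. TLS 1.3 on Win11). */
unsigned long disabled_from_enabled(unsigned long grbit_enabled_protocols)
{
    if (grbit_enabled_protocols == 0)
        return 0;
    return ALL_TLS_CLIENT_PROTOCOLS & ~grbit_enabled_protocols;
}

#ifdef _WIN32
/* Acquire an outbound (client) credential that negotiates only the protocols in
 * 'enabled', e.g. SP_PROT_TLS1_3_CLIENT for a TLS 1.3-only client. */
SECURITY_STATUS acquire_client_cred(unsigned long enabled, CredHandle *out)
{
    TLS_PARAMETERS tls = {0};
    tls.grbitDisabledProtocols = disabled_from_enabled(enabled);

    SCH_CREDENTIALS cred = {0};
    cred.dwVersion = SCH_CREDENTIALS_VERSION;   /* selects the new structure, not SCHANNEL_CRED */
    cred.dwFlags = SCH_USE_STRONG_CRYPTO | SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS;
    cred.cTlsParameters = 1;
    cred.pTlsParameters = &tls;

    TimeStamp expiry;
    return AcquireCredentialsHandleW(NULL, UNISP_NAME_W, SECPKG_CRED_OUTBOUND,
                                     NULL, &cred, NULL, NULL, out, &expiry);
}
#endif
```

Requires a Windows SDK of 10.0.17763 or later, since that is where SCH_CREDENTIALS and TLS_PARAMETERS first appear in schannel.h.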
As per Microsoft's article, it is enabled in Windows 11.
Have you tried this?
how to enable TLS 1.3 in windows 10
Check your Registry settings.
Of course, I did. I think my question describes this very clearly.
Hi @Richard
TLS 1.3 is now enabled by default on Windows 11 as stated by Microsoft. Cipher suites can only be negotiated for TLS versions that support them. The highest supported TLS version is always preferred in the TLS handshake.
Availability of cipher suites should be controlled in one of two ways:
- The default priority order is overridden when a priority list is configured. Cipher suites not in the priority list will not be used.
- Allowed when the application passes SCH_USE_STRONG_CRYPTO: the Microsoft Schannel provider will filter out known weak cipher suites when the application uses the SCH_USE_STRONG_CRYPTO flag. RC4, DES, export, and null cipher suites are filtered out.
TLS Cipher Suites in Windows 11
https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11
Hope this resolves your query!
Hi,
I saw this article and tried it, but I wasn't able to get this to work on Win11. In fact, this link isn't different from the corresponding link for Win10 except for the TLS 1.3 cipher suites, but we all know that Win10 also supports TLS 1.3. In particular, as I described, the same code works on Win10 but doesn't on Win11; this is why I'm confused. I thought Windows 11 should be backward-compatible in this respect. See my code above.
So, I would appreciate it if you could send a piece of code for Win11 where AcquireCredentialsHandle can succeed with the grbitEnabledProtocols member being SP_PROT_TLS1_3_CLIENT only.
Thanks,
Richard