TLS 1.3 doesn't work on Windows 11 through SChannel API

Richard 21 Reputation points
2022-01-25T07:57:35.207+00:00

Hello,

We have some client code on Win10 that can connect to our host or a public host like www.google.com over TLS 1.3 successfully, but it doesn't work on Win11. We have enabled TLS 1.3 on this machine with the following registry settings.

```reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```

The error we see is 0x80090331 (The client and server cannot communicate, because they do not possess a common algorithm). It happens when AcquireCredentialsHandle is called. This is the first step in starting a TLS session, so the handshake has not started yet. Please note that all cipher suites, including the TLS 1.3 cipher suites, are enabled on this machine. The OS build of Win11 is 22000.434.

So, is there something I'm missing, or does the SChannel API on Win11 not support TLS 1.3?

Thanks in advance,

Richard


Accepted answer
  1. Junjie Zhu - MSFT 14,366 Reputation points Microsoft Vendor
    2022-02-01T02:32:05.077+00:00

    Hello,
    Welcome to Microsoft Q&A!

    In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
    SCH_CREDENTIALS - Win32 apps | Microsoft Learn

    ```c
    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
    ```

    The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS, and you'll notice that you cannot specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS, so 1.3 will be used.

    Thank you.



  1. S.Sengupta 14,811 Reputation points MVP
    2022-01-26T01:44:25.59+00:00

    As per Microsoft's article, it is enabled in Windows 11.

    Have you tried this?

    how to enable TLS 1.3 in windows 10

    Check your Registry settings.


  2. Limitless Technology 39,336 Reputation points
    2022-01-26T18:20:31.76+00:00

    Hi @Richard

    TLS 1.3 is now enabled by default on Windows 11 as stated by Microsoft. Cipher suites can only be negotiated for TLS versions that support them. The highest supported TLS version is always preferred in the TLS handshake.

    Availability of cipher suites should be controlled in one of two ways:

    - The default priority order is overridden when a priority list is configured. Cipher suites not in the priority list will not be used.
    - Allowed when the application passes SCH_USE_STRONG_CRYPTO: The Microsoft Schannel provider will filter out known weak cipher suites when the application uses the SCH_USE_STRONG_CRYPTO flag. RC4, DES, export, and null cipher suites are filtered out.

    TLS Cipher Suites in Windows 11
    https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11

    Hope this resolves your query!

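Before changing client code, a practitioner will usually want to confirm the host-side prerequisites that the question and the last two answers touch on: the TLS 1.3 client registry values, the OS build, and whether any TLS 1.3 cipher suites are in the effective priority list. The script below is an added example, not code from the thread; it assumes PowerShell 5.1 or later on Windows 10/11 with the built-in `Get-TlsCipherSuite` cmdlet available, and it cannot see the application-side problem from the accepted answer (SCHANNEL_CRED versus SCH_CREDENTIALS), only the machine configuration.

```powershell
# Added example (not from the Q&A thread). Reports the host-side TLS 1.3 client state that
# the thread discusses: registry overrides, OS build, and TLS 1.3 suites in the priority list.
function Get-Tls13ClientStatus {
    $base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $clientKey = Join-Path $base 'TLS 1.3\Client'

    # The two values from the question. If the key or value is absent, SChannel applies the
    # OS default for this build rather than an explicit override.
    $reg = Get-ItemProperty -Path $clientKey -ErrorAction SilentlyContinue
    $enabled = if ($null -eq $reg -or $null -eq $reg.Enabled) { 'not set (OS default)' }
               else { [bool]$reg.Enabled }
    $disabledByDefault = if ($null -eq $reg -or $null -eq $reg.DisabledByDefault) { 'not set (OS default)' }
                         else { [bool]$reg.DisabledByDefault }

    # Build number in the same form the question quotes (22000.434 = CurrentBuild.UBR).
    $ver   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR

    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) present in the effective cipher suite list.
    # 0x0304 (decimal 772) is the TLS 1.3 protocol version reported in the Protocols field.
    $tls13Suites = @(Get-TlsCipherSuite |
                     Where-Object { $_.Protocols -contains 0x0304 } |
                     Select-Object -ExpandProperty Name)

    # "Usable" here means: not explicitly disabled, not disabled-by-default, and at least one
    # TLS 1.3 suite is negotiable. A client that still fails with 0x80090331 at
    # AcquireCredentialsHandle on such a host points at the credential structure it passes.
    $notDisabled = ($enabled -isnot [bool]) -or $enabled
    $notDbd      = ($disabledByDefault -isnot [bool]) -or (-not $disabledByDefault)

    [pscustomobject]@{
        OSBuild           = $build
        RegistryEnabled   = $enabled
        DisabledByDefault = $disabledByDefault
        Tls13CipherSuites = $tls13Suites
        Tls13Usable       = $notDisabled -and $notDbd -and ($tls13Suites.Count -gt 0)
    }
}

Get-Tls13ClientStatus | Format-List
```

Run it from an elevated prompt on the Win11 machine in question; an empty Tls13CipherSuites list with the registry values set as in the question would indicate a cipher suite priority list (Group Policy or `Disable-TlsCipherSuite`) that excludes the TLS 1.3 suites.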