This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 17%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi,
we have a TLS implementation based on SCHANNEL and tried to enable TLSv1.3 a while ago. This worked on Windows 10 (after enabling it via Registry), but a key update request (e.g. from the client side implemented in Java) resulted in a SEC_E_INVALID_TOKEN from DecryptMessage.
Now with Windows 11, TLSv1.3 did not work at all. I learnt that there is a new SCH_CREDENTIALS that needs to be used (available from Window 10 1809). After changing the code to use the new structure SCH_CREDENTIALS, it worked on Windows 11 (I get a SEC_I_RENEGOTIATE from DecryptMessage), but I still get SEC_E_INVALID_TOKEN on Windows 10 in this situation.
Is this a bug in Window 10, or is it supposed to work?
Is there a fix available to get this working in Windows 10 too?
Regards,
Andreas Müller
Hi there,
In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
SCH_CREDENTIALS - Win32 apps | Microsoft Learn
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS. and you’ll notice that you can not specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS so 1.3 will be used.
-----------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
As I wrote, I use the new SCH_CREDENTIALS and it works on Windows 11.
When it comes to key update (e.g. triggered by the Java TLS implementation - our client side is implemented in Java), I get the expected SEC_I_RENEGOTIATE retcode on Windows 11 and it works. On Windows 10 21H2, I get SEC_E_INVALID_TOKEN from DecryptMessage and cannot continue to use the connection.