Is TLSv1.3 key update supposed to work on Windows 10 21H2?

Andreas Mueller 1 Reputation point
2022-06-16T10:00:42.383+00:00

Hi,

We have a TLS implementation based on SCHANNEL and tried to enable TLSv1.3 a while ago. This worked on Windows 10 (after enabling it via the Registry), but a key update request (e.g. from the client side implemented in Java) resulted in a SEC_E_INVALID_TOKEN from DecryptMessage.

Now with Windows 11, TLSv1.3 did not work at all. I learnt that there is a new SCH_CREDENTIALS that needs to be used (available from Windows 10 1809). After changing the code to use the new structure SCH_CREDENTIALS, it worked on Windows 11 (I get a SEC_I_RENEGOTIATE from DecryptMessage), but I still get SEC_E_INVALID_TOKEN on Windows 10 in this situation.

Is this a bug in Windows 10, or is it supposed to work?
Is there a fix available to get this working in Windows 10 too?

Regards,
Andreas Müller

Tags: Windows 10 Security, Windows Server Security

1 answer

  1. Limitless Technology 39,791 Reputation points
    2022-06-17T13:22:04.727+00:00

    Hi there,

    In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
    SCH_CREDENTIALS - Win32 apps | Microsoft Learn

    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

    The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10 1809 (October 2018 Update), you should use SCH_CREDENTIALS, and you'll notice that you cannot specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS, so 1.3 will be used.

    https://learn.microsoft.com/en-us/answers/questions/708734/tls-13-doesn39t-work-on-windows-11-through-schanne.html

    https://learn.microsoft.com/en-us/answers/questions/869838/tls-13-support-using-schannel-in-windows-11-withou.html

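
An added example, not code from the question or the answer, written in C against the Schannel SSPI API. It acquires a client credential with SCH_CREDENTIALS and TLS_PARAMETERS as the answer recommends (there is no grbitEnabledProtocols any more; versions can only be excluded), and it shows how a receive loop must dispatch the DecryptMessage() result so that the SEC_I_RENEGOTIATE the asker sees for a peer-initiated key update is handled by feeding the SECBUFFER_EXTRA bytes back into InitializeSecurityContext(). Socket I/O and the handshake driver are assumed to exist elsewhere; the SECURITY_STATUS values are copied from the Windows SDK so that the portable part (status classification and leftover-byte carry-over) also compiles and runs without Windows; disabling SSL 3.0, TLS 1.0 and TLS 1.1 is this example's own policy choice.

```c
/* Added example (not from the question or the answer). Windows-only parts
 * are guarded by _WIN32; the rest compiles anywhere. */
#include <stddef.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
/* Without the Windows SDK, define only the status values the dispatcher
 * needs (numeric values copied from winerror.h). */
typedef long SECURITY_STATUS;
#define SEC_E_OK                 ((SECURITY_STATUS)0x00000000L)
#define SEC_I_CONTEXT_EXPIRED    ((SECURITY_STATUS)0x00090317L)
#define SEC_I_RENEGOTIATE        ((SECURITY_STATUS)0x00090321L)
#define SEC_E_INVALID_TOKEN      ((SECURITY_STATUS)0x80090308L)
#define SEC_E_INCOMPLETE_MESSAGE ((SECURITY_STATUS)0x80090318L)
#endif

typedef enum {
    ACT_DELIVER_PLAINTEXT,  /* SEC_E_OK: hand SECBUFFER_DATA to the application */
    ACT_NEED_MORE_DATA,     /* SEC_E_INCOMPLETE_MESSAGE: keep bytes, read more */
    ACT_RUN_HANDSHAKE_STEP, /* SEC_I_RENEGOTIATE: EXTRA bytes go to InitializeSecurityContext */
    ACT_CLOSE,              /* SEC_I_CONTEXT_EXPIRED: peer sent close_notify */
    ACT_FAIL                /* anything else, e.g. SEC_E_INVALID_TOKEN */
} decrypt_action;

/* Map a DecryptMessage() status to what the receive loop must do next. */
decrypt_action classify_decrypt_status(SECURITY_STATUS st)
{
    switch (st) {
    case SEC_E_OK:                 return ACT_DELIVER_PLAINTEXT;
    case SEC_E_INCOMPLETE_MESSAGE: return ACT_NEED_MORE_DATA;
    case SEC_I_RENEGOTIATE:        return ACT_RUN_HANDSHAKE_STEP;
    case SEC_I_CONTEXT_EXPIRED:    return ACT_CLOSE;
    default:                       return ACT_FAIL;
    }
}

/* Schannel reports unconsumed trailing bytes as SECBUFFER_EXTRA. Move them to
 * the front of the receive buffer so the next DecryptMessage() or
 * InitializeSecurityContext() call starts with them. Returns the new fill level. */
size_t carry_over_extra(unsigned char *buf, size_t len, size_t extra)
{
    if (extra > len) extra = len;                       /* never read past the buffer */
    if (extra > 0) memmove(buf, buf + (len - extra), extra);
    return extra;
}

/* Self-check: 10 constructed bytes received, Schannel left 3 unconsumed. */
int carry_over_self_test(void)
{
    unsigned char buf[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
    size_t n = carry_over_extra(buf, sizeof buf, 3);
    return n == 3 && buf[0] == 7 && buf[1] == 8 && buf[2] == 9;
}

#ifdef _WIN32
/* Client credential via SCH_CREDENTIALS (Windows 10 1809 and later). */
SECURITY_STATUS acquire_tls_client_cred(CredHandle *out)
{
    TLS_PARAMETERS params;
    SCH_CREDENTIALS cred;
    TimeStamp expiry;

    ZeroMemory(&params, sizeof params);
    /* Example policy: exclude old versions; whatever is left (1.2, 1.3) is negotiable. */
    params.grbitDisabledProtocols = SP_PROT_SSL3_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT;

    ZeroMemory(&cred, sizeof cred);
    cred.dwVersion      = SCH_CREDENTIALS_VERSION;
    cred.dwFlags        = SCH_USE_STRONG_CRYPTO | SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS;
    cred.cTlsParameters = 1;
    cred.pTlsParameters = &params;

    return AcquireCredentialsHandleW(NULL, UNISP_NAME_W, SECPKG_CRED_OUTBOUND,
                                     NULL, &cred, NULL, NULL, out, &expiry);
}

/* One DecryptMessage() pass over buf[0..len). On ACT_DELIVER_PLAINTEXT,
 * *plain/*plain_len locate the payload inside buf; *extra is the unconsumed
 * tail. Copy the plaintext out first, then call carry_over_extra(). On
 * ACT_RUN_HANDSHAKE_STEP the carried-over bytes are a post-handshake message
 * (KeyUpdate/NewSessionTicket in TLS 1.3) that must be passed through
 * InitializeSecurityContext() exactly as during the initial handshake. */
decrypt_action decrypt_record(CtxtHandle *ctx, unsigned char *buf, size_t len,
                              unsigned char **plain, size_t *plain_len, size_t *extra)
{
    SecBuffer b[4];
    SecBufferDesc desc = { SECBUFFER_VERSION, 4, b };
    SECURITY_STATUS st;
    decrypt_action act;
    unsigned i;

    b[0].BufferType = SECBUFFER_DATA; b[0].pvBuffer = buf; b[0].cbBuffer = (unsigned long)len;
    for (i = 1; i < 4; i++) { b[i].BufferType = SECBUFFER_EMPTY; b[i].pvBuffer = NULL; b[i].cbBuffer = 0; }

    st  = DecryptMessage(ctx, &desc, 0, NULL);
    act = classify_decrypt_status(st);
    *plain = NULL; *plain_len = 0; *extra = 0;
    if (act == ACT_NEED_MORE_DATA || act == ACT_FAIL) return act;
    for (i = 0; i < 4; i++) {
        if (b[i].BufferType == SECBUFFER_DATA)  { *plain = b[i].pvBuffer; *plain_len = b[i].cbBuffer; }
        if (b[i].BufferType == SECBUFFER_EXTRA) { *extra = b[i].cbBuffer; }
    }
    return act;
}
#endif
```

The point of the dispatcher is that a SEC_I_RENEGOTIATE is not an error: the loop has to treat the leftover bytes as handshake input and run the same InitializeSecurityContext() loop as at connection start before going back to DecryptMessage(). A SEC_E_INVALID_TOKEN, as the asker reports on Windows 10, lands in ACT_FAIL; this example makes the success path explicit but cannot change what the Windows 10 Schannel returns.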
