Is TLSv1.3 key update supposed to work on Window 10 21H2?

Andreas Mueller 1 Reputation point
2022-06-16T10:00:42.383+00:00

Hi,

we have a TLS implementation based on SCHANNEL and tried to enable TLSv1.3 a while ago. This worked on Windows 10 (after enabling it via Registry), but a key update request (e.g. from the client side implemented in Java) resulted in a SEC_E_INVALID_TOKEN from DecryptMessage.

Now with Windows 11, TLSv1.3 did not work at all. I learnt that there is a new SCH_CREDENTIALS that needs to be used (available from Window 10 1809). After changing the code to use the new structure SCH_CREDENTIALS, it worked on Windows 11 (I get a SEC_I_RENEGOTIATE from DecryptMessage), but I still get SEC_E_INVALID_TOKEN on Windows 10 in this situation.

Is this a bug in Window 10, or is it supposed to work?
Is there a fix available to get this working in Windows 10 too?

Regards,
Andreas Müller

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,140 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,304 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 37,351 Reputation points
    2022-06-17T13:22:04.727+00:00

    Hi there,

    In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
    SCH_CREDENTIALS - Win32 apps | Microsoft Learn

    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

    The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS. and you’ll notice that you can not specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS so 1.3 will be used.

    https://learn.microsoft.com/en-us/answers/questions/708734/tls-13-doesn39t-work-on-windows-11-through-schanne.html

    https://learn.microsoft.com/en-us/answers/questions/869838/tls-13-support-using-schannel-in-windows-11-withou.html

    -----------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–