Is TLSv1.3 key update supposed to work on Window 10 21H2?

Andreas Mueller 1 Reputation point


We have a TLS implementation based on SCHANNEL and tried to enable TLSv1.3 a while ago. This worked on Windows 10 (after enabling it via the Registry), but a key update request (e.g. from the client side, implemented in Java) resulted in a SEC_E_INVALID_TOKEN from DecryptMessage.

Now with Windows 11, TLSv1.3 did not work at all. I learnt that there is a new SCH_CREDENTIALS structure that needs to be used (available from Windows 10 1809). After changing the code to use the new SCH_CREDENTIALS structure, it worked on Windows 11 (I get a SEC_I_RENEGOTIATE from DecryptMessage), but I still get SEC_E_INVALID_TOKEN on Windows 10 in this situation.

Is this a bug in Windows 10, or is it supposed to work?
Is there a fix available to get this working in Windows 10 too?

Andreas Müller


1 answer

  1. Limitless Technology 37,351 Reputation points

    Hi there,

    In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
    SCH_CREDENTIALS - Win32 apps | Microsoft Learn

    SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

    The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS, and you’ll notice that you cannot specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS, so 1.3 will be used.


    --If the reply is helpful, please Upvote and Accept it as an answer–