Transport Layer Security Protocol

Schannel supports versions 1.0, 1.1, and 1.2 of the Transport Layer Security (TLS) protocol. This protocol is an industry standard designed to protect the privacy of information communicated over the Internet. TLS assumes that a connection-oriented transport, typically TCP, is in use. The TLS protocol allows client/server applications to detect the following security risks:

  • Message tampering
  • Message interception
  • Message forgery

The full specification of the TLS Protocol is available from the IETF website: https://www.ietf.org/rfc/rfc2246.txt.

Organization of TLS

The following steps are involved in using TLS for client/server communication:

  1. Handshake and cipher suite negotiation
  2. Authentication of parties
  3. Key-related information exchange
  4. Application data exchange

The steps that make up TLS are divided into two protocols that, together, provide connection security:

SSPI with TLS implementations

Because TLS does not have a GSSAPI specification, TLS implementers may not be familiar with the SSPI functions. Applications call the SSPI functions to enumerate available packages, create and work with handles to credentials, create security contexts, and ensure message integrity and privacy.

To support the SSPI functions used by user mode applications, the functions listed in Functions Implemented by User-mode SSP/APs need to be supported by TLS implementations such as schannel.dll.

For details about the SSPI functions and SSP functions, see Authentication Functions.

TLS Cipher Suites

TLS vs. SSL