Winsock Secure Socket Extensions

The secure socket extensions to Winsock allow a socket application to control the security of their traffic over a network. These extensions allow an application to provide security policy and requirements for their network traffic, and query the security settings applied. For example, an application can use these extensions to query the peer security token that can be used to perform application level access checks.

The secure socket extensions are intended to integrate the services provided by IPsec and other security protocols with the Winsock framework. Prior to Windows Vista, on Windows Server 2003 and Windows XP, IPsec has been configured by an administrator via local and domain policies. On Windows Vista, the secure socket extensions instead allow applications to entirely or partially configure and control the security of their network traffic at the socket level.

Applications can already secure network traffic by using public APIs, such as IPsec management, Windows Filtering Platform and Security Support Provider Interface (SSPI). However, using these APIs may make the application more difficult to develop, and may make it more difficult to configure and deploy. The Winsock secure socket extensions have been designed to simplify the development of network applications that require secure network traffic by letting Winsock handle most of the complexity.

These secure socket extensions are available on Windows Vista and later.

Secure Socket Functions

The secure socket extension functions are as follows:


The secure socket functions currently support only the IPsec protocol and are available on Windows Vista and later.


The structures and enumerations used by the secure socket functions are as follows:

The secure socket functions are simple to use for normal applications and are flexible enough for applications that need a high degree of control over their security. These functions make it possible to keep the underlying security mechanism hidden from the application. An application can specify generic security requirements and let the administrator control the security protocol that is used to support the requirements. While it is possible to extend these functions to add other security protocols, currently only IPsec integrates with the secure socket functions.

The WSASetSocketSecurity function allows an application to enable security and apply security settings before a connection is established.

The WSASetSocketPeerTargetName function allows an application to specify the target name corresponding to a peer entity. The selected security protocol will use this information when authenticating the peer. This feature addresses concerns about trusted man-in-the-middle attacks.

The WSADeleteSocketPeerTargetName function is used to delete a previously specified peer name for a socket.

After a connection is established, the WSAQuerySocketSecurity function allows an application to query the security properties of the connection, which can include the peer access or computer access token.

After a connection is established, the WSAImpersonateSocketPeer function allows an application to impersonate the security principal corresponding to a socket peer in order to perform application-level authorization.

The WSARevertImpersonation allows an application to terminate the impersonation of a socket peer.

Secure Socket Architecture

basic architecture of the winsock secure socket extensions

About Windows Filtering Platform

Advanced Winsock Samples Using Secure Socket Extensions

Application Layer Enforcement (ALE)

IPsec Configuration

IPsec Functions

Secure Winsock Programming

Security Support Provider Interface (SSPI)

Using Secure Socket Extensions

Windows Filtering Platform

Windows Filtering Platform API Functions