IIS 10 TLS 1.3 support

  • Question

  • User2006719444 posted

    We currently have a customer who is looking to submit orders to us via our standard API, but they are requiring us to enable and support TLS 1.3, which currently appears not to be supported in Server 2016/Server 2019.

    Has anyone had success with adding TLS 1.3 in the registry and being able to accept requests? We have asked them to fall back to TLS 1.2, but for them it's not an option.

    Saturday, May 30, 2020 1:37 PM

All replies

  • User-2064283741 posted
    TLS 1.3 is not available yet for any version of Windows Server.
    Sunday, May 31, 2020 12:26 AM
  • User-460007017 posted

    Hi tbuckingham,

    IIS relies on Schannel. However, no Windows Server version has supported TLS 1.3 in Schannel.

    https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3

    If TLS 1.3 is required, please use the OpenSSL library instead. If there is any update with Windows Server Schannel, we will let you know as soon as possible.

    Best Regards,

    Jokies Ding

    Monday, June 1, 2020 7:24 AM
  • User2006719444 posted

    Hi tbuckingham,

    IIS relies on Schannel. However, no Windows Server version has supported TLS 1.3 in Schannel.

    https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3

    If TLS 1.3 is required, please use the OpenSSL library instead. If there is any update with Windows Server Schannel, we will let you know as soon as possible.

    Best Regards,

    Jokies Ding

    So if I generate a request in OpenSSL, I can then use the signed certificate I imported into IIS 10 (Server 2019) and enable TLS 1.3 Schannel and ciphers?

    I'm not finding a lot of information around OpenSSL paired with an IIS server.

    Friday, June 12, 2020 2:55 AM
  • User690216013 posted

    So if I generate a request in OpenSSL, I can then use the signed certificate I imported into IIS 10 (Server 2019) and enable TLS 1.3 Schannel and ciphers?

    No. That's impossible.

    "Using OpenSSL" means your application has to be fully on OpenSSL (like many open source projects, Apache/nginx/wget and so on) and does not use Windows TLS implementation at all.

    If you have to use any Windows built-in support, then TLS 1.2 is the only feasible option right now.

    Friday, June 12, 2020 6:00 AM
  • User2006719444 posted

    Since we have already developed the application for .NET and IIS services, using OpenSSL is currently not an option for us. I noticed that Microsoft lists Server Core 1903 as capable of supporting TLS 1.3 in a non-production environment, so I started down this route and have the server running with the IIS 10 role and features.

    I enabled the TLS 1.3 server and client SCHANNEL registry keys, imported a certificate, and assigned (bound) it to the website's HTTPS address, but clients fail to connect.

    The documentation from Microsoft appears to be lacking on implementation.

    Tuesday, June 16, 2020 12:52 PM
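A diagnostic that goes with the steps in the post above, added here as an example and not code from this thread or from Microsoft: it reads the SCHANNEL protocol keys the post refers to, then probes the bound site with a single pinned protocol version to see what Schannel actually negotiates. It assumes Windows PowerShell 5.1 on .NET Framework 4.8 or PowerShell 7 (where SslProtocols.Tls13 exists); the host name in the usage call is a placeholder and Test-TlsNegotiation is a helper defined here.

```powershell
# Added example (not from the thread). Assumes .NET Framework 4.8 / PowerShell 7,
# where [System.Security.Authentication.SslProtocols]::Tls13 is defined.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Report the SCHANNEL protocol keys the post enables (an absent key means the OS default applies).
foreach ($proto in 'TLS 1.2', 'TLS 1.3') {
    foreach ($side in 'Server', 'Client') {
        $path = Join-Path $base "$proto\$side"
        if (Test-Path $path) {
            $p = Get-ItemProperty -Path $path
            '{0} {1}: Enabled={2} DisabledByDefault={3}' -f $proto, $side, $p.Enabled, $p.DisabledByDefault
        } else {
            "$proto $side: key absent (OS default applies)"
        }
    }
}

# 2. Probe the HTTPS binding with one fixed protocol version and report what was negotiated.
#    Default certificate validation is kept on purpose, so a chain or name error also
#    surfaces as a failure; read the Error text to tell it apart from a protocol mismatch.
function Test-TlsNegotiation {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Overload: (targetHost, clientCertificates, enabledSslProtocols, checkCertificateRevocation)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $true)
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $ssl.SslProtocol; Ok = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; Ok = $false; Error = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

# Usage (placeholder host name). A client pinned to TLS 1.3, like the customer's, only gets
# Ok=True / Negotiated=Tls13 once Schannel on the server OS supports it; on Server 2016/2019
# expect the Tls13 probe to fail while the Tls12 probe succeeds.
'Tls12', 'Tls13' | ForEach-Object {
    Test-TlsNegotiation -HostName 'api.example.com' -Protocol $_
}
```

Run the probe from a second machine as well as from the server itself, since a client-side Schannel policy on the probing box affects the result just as much as the server keys do.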
  • User690216013 posted

    noticed that Microsoft lists Server Core 1903 as capable of supporting TLS 1.3 in a non-production environment so I started down this route and have the server running with the IIS 10 role and features.

    Don't waste your time on that. Microsoft's TLS 1.3 on that OS is broken and not interoperable with any other TLS 1.3 tooling.

    Wait till they fix that please.

    Tuesday, June 16, 2020 3:59 PM
  • User1967954793 posted

    Any update here?

    Tuesday, September 22, 2020 8:59 PM