Does SChannel support TLS 1.3 for development?

  • Question

  • Does SChannel support TLS 1.3 officially?
    As per the Windows SDK 10.0.17763.0, the include file SChannel.h defines SP_PROT_TLS1_3_CLIENT 0x00002000.
    But the grbitEnabledProtocols documentation at https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred#see-also does not mention TLS 1.3. I was unable to find any other information on the internet documenting that SChannel supports TLS 1.3.
    Monday, November 25, 2019 12:48 PM

All replies

  • Hi,

    Welcome to the MSDN forum.

    I haven't found any information that SChannel supports TLS 1.3 officially. You've asked about this case, and there is a link about the newest released standard, TLS 1.3.

    Here is the discussion about TLS1.3: https://techcommunity.microsoft.com/t5/Discussions/TLS-1-3/m-p/410501

    But you might want to keep track of the following official Microsoft documentation for any changes in the support:
    https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    You can also reach out to the experts in the dedicated IIS forums over here:
    https://forums.iis.net

    Best regards,

    Jeffrey


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, November 26, 2019 5:59 AM
  • Thank you for the reply.

    Do you have any idea when SChannel will support TLS 1.3 for development?

    Tuesday, November 26, 2019 7:23 AM
  • Hi,
    Please keep track of the following official Microsoft documentation for Windows Update about new features.

    Best regards,

    Jeffrey


    Tuesday, December 10, 2019 2:53 AM
  • Quite late on this, but I hope to be of help

    At least starting from Windows 10 1903 (and the corresponding server platform), the schannel support is "experimentally" built into the crypto libraries (schannel as well). The problem is that it doesn't suffice to just alter the registry settings under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" to add the TLS1.3 subkey, then the "Client" and "Server" ones, and under them the "DisabledByDefault" and "Enabled" flags, since doing so will just enable the protocol support but won't enable the related ciphers. In fact, if you look under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" you'll notice that there's no TLS1.3 cipher in there, so basically creating the entry under the schannel key would just cause a number of issues; my guess is that Microsoft already shipped the TLS1.3 functions inside the (released, updated) crypto libraries but didn't add the needed registry keys to fully enable that functionality.

    If you want to try enabling it, you may try tweaking the registry entries (see above), possibly on a "test" machine, and run some tests to see if you can find the right combo to enable TLS1.3, although porting the changes to a production machine may then be risky business, even if the headers shipped with MS VC already carry a number of TLS1.3-related definitions like, for example, the one you reported.


    • Edited by ObiWan Wednesday, January 22, 2020 4:06 PM
    Wednesday, January 22, 2020 4:05 PM
  • just in case, the "base" keys and values are the following ones

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:ffffffff

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:ffffffff

    but then, the above won't suffice and would just cause issues, since they will enable TLS1.3 but there won't be any ciphers to be negotiated/offered (see the "...\Local\SSL" key in my previous post)



    • Edited by ObiWan Wednesday, January 22, 2020 4:16 PM
    Wednesday, January 22, 2020 4:16 PM
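A read-only audit of the two registry locations discussed in the posts above, written as an added example for this page (not code from the thread or from Microsoft). It assumes that the "Functions" REG_MULTI_SZ value under ...\Local\SSL\00010002 is the cipher-suite list SChannel offers, and that the IANA names TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256 are the entries a TLS 1.3-capable configuration would have to carry.

```powershell
# Added example: report whether the TLS 1.3 protocol keys exist and whether any
# TLS 1.3 cipher suite is configured. Reads only; changes nothing.
$protoBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3'
$sslCfg    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# Assumption: IANA TLS 1.3 suite names are what the SSL configuration key would list.
$tls13Suites = 'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256'

function Get-SchannelTls13ProtocolState {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $key = Join-Path $protoBase $Role
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Role = $Role; KeyPresent = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Role              = $Role
        KeyPresent        = $true
        # The thread writes Enabled as dword:ffffffff; PowerShell reads that as -1, any non-zero means on.
        Enabled           = if ($null -ne $p.Enabled) { $p.Enabled -ne 0 } else { $null }
        DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault -ne 0 } else { $null }
    }
}

function Get-ConfiguredTls13CipherSuites {
    # Assumption: 'Functions' holds the ordered list of cipher suites SChannel may negotiate.
    if (-not (Test-Path $sslCfg)) { return @() }
    $functions = (Get-ItemProperty -Path $sslCfg).Functions
    @($functions | Where-Object { $tls13Suites -contains $_ })
}

$states = 'Client', 'Server' | ForEach-Object { Get-SchannelTls13ProtocolState -Role $_ }
$suites = Get-ConfiguredTls13CipherSuites
$states | Format-Table -AutoSize
if ($suites.Count -eq 0) {
    # This is the mismatch the post describes: protocol keys present, nothing to offer.
    Write-Warning 'No TLS 1.3 cipher suites under ...\Local\SSL\00010002; enabling the protocol keys alone leaves nothing to negotiate.'
} else {
    "TLS 1.3 cipher suites present: $($suites -join ', ')"
}
```

Run it from an elevated PowerShell prompt on the test machine before and after changing the protocol keys, and treat a warning together with KeyPresent = True as the inconsistent state the post warns about.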