Is there a plan to support TLS 1.3 with SChannel on Windows? I have tried just enabling TLS 1.3 in the curl sources and ran it on Windows Server 2022 evaluation and Windows 11 Enterprise evaluation versions. Both failed with errors saying no cipher could be found that matches the client and server requirements. I tested against www.google.com setting the minimum and maximum TLS versions both to 1.3 -- I then looked for reasons on the web, and found articles stating that SCHANNEL_CRED is deprecated and the SCH_CREDENTIALS structure should be used instead of the deprecated SCHANNEL_CRED. Simply doing a replacement of s/SCHANNEL_CRED/SCH_CREDENTIALS/g is not good.
Here are my findings: https://docs.microsoft.com/en-us/answers/questions/708734/tls-13-doesn39t-work-on-windows-11-through-schanne.html

Looks like the curl schannel.c has to be patched to use a different type in order for Windows 11 to support TLS 1.3 in schannel.

"In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle(). SCH_CREDENTIALS - Win32 apps | Microsoft Docs - SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT; The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10, 1809 (October 2018 Update), you should use SCH_CREDENTIALS. and you'll notice that you cannot specify protocol versions with SCH_CREDENTIALS. Because you have configured Windows 11 correctly, schannel will use the latest version of TLS so 1.3 will be used. Thank you."

I downloaded the evaluation version of Windows 11 Enterprise from https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ and just enabling TLS 1.3 in the curl sources was not enough. It'll probably be a bigger change that the curl maintainers have to do, changing from SCHANNEL_CRED to the SCH_CREDENTIALS struct type.

When I tried to enable TLS 1.3 in curl with SChannel by modifying the lib\vtls\schannel.c file:

diff --git a/3rdparty/curl/7.83.1/lib/vtls/schannel.c b/3rdparty/curl/7.83.1/lib/vtls/schannel.c index 3d2f010753..31b7127712 100644 --- a/3rdparty/curl/7.83.1/lib/vtls/schannel.c +++ b/3rdparty/curl/7.83.1/lib/vtls/schannel.c 
@@ -196,8 +196,10 @@ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT; break; case CURL_SSLVERSION_TLSv1_3: - failf(data, "schannel: TLS 1.3 is not yet supported"); - return CURLE_SSL_CONNECT_ERROR; + schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT; + break; + //failf(data, "schannel: TLS 1.3 is not yet supported"); + //return CURLE_SSL_CONNECT_ERROR; } } return CURLE_OK;

Then I built the win32 release curl executable and ran it on both my Windows 10 and Windows Server 2022 preview, and I get errors.

On the Windows 10 Professional the error looks like this:

C:\src\WAVE\3rdparty\curl\7.83.1\win32\release>curl --tls-max 1.3 --tlsv1.3 https://www.google.com
curl: (56) Failure when receiving data from the peer

On the Windows Server 2022 preview the error looks like this:

C:\tools\curl-tls1.3>curl --tls-max 1.3 --tlsv1.3 https://www.google.com
curl: (35) schannel: AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client and server cannot communicate, because they do not possess a common algorithm.

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

Tuomas Kaikkonen
Principal Software Engineer, WAVE Core, Motorola Solutions
3131 Elliott Ave, Suite 200, Seattle, WA 98121
phone: (425) 919-8973
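Review bot: the hunk keeps the old `failf(...)` and `return CURLE_SSL_CONNECT_ERROR;` lines as `//` comments after the new `break;` instead of deleting them; commented-out dead code should be removed, and `//` comments do not match the `/* */` style of the surrounding curl source. More importantly, the only functional change is `schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT;` on the `SCHANNEL_CRED` passed into `set_ssl_version_min_max()`, which is the deprecated structure that the quoted Microsoft answer says cannot negotiate TLS 1.3; that is consistent with the `SEC_E_ALGORITHM_MISMATCH` from `AcquireCredentialsHandle` shown below the patch, so the fix has to move credential setup to `SCH_CREDENTIALS` rather than just add the flag here.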
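As an added example (my own code, not curl's and not from the Microsoft answer quoted above), this shows the part the quoted answer glosses over: SCH_CREDENTIALS does let you pin TLS versions, but through TLS_PARAMETERS.grbitDisabledProtocols, i.e. by listing what to disable rather than what to enable as SCHANNEL_CRED.grbitEnabledProtocols does. The `tls_ver` enum and the functions `schannel_disabled_protocols` and `acquire_client_creds` are names I made up; the Windows-specific part assumes the Windows SDK headers and linking against secur32, while the mask inversion is portable so it can be checked on any platform. An out-of-range request disables every version rather than falling back to "allow everything".

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#define SECURITY_WIN32
#define SCHANNEL_USE_BLACKLISTS  /* recent SDK headers expose SCH_CREDENTIALS/TLS_PARAMETERS only with this set */
#include <windows.h>
#include <security.h>
#include <schannel.h>
#else
/* SP_PROT_* values copied from schannel.h so the mask logic builds and can be checked off Windows. */
#define SP_PROT_TLS1_0_CLIENT 0x00000080u
#define SP_PROT_TLS1_1_CLIENT 0x00000200u
#define SP_PROT_TLS1_2_CLIENT 0x00000800u
#define SP_PROT_TLS1_3_CLIENT 0x00002000u
#endif

/* Hypothetical version indices, ordered like curl's CURL_SSLVERSION_TLSv1_0 .. TLSv1_3. */
enum tls_ver { TLS10 = 0, TLS11, TLS12, TLS13, TLS_VER_COUNT };

static const uint32_t client_proto_bit[TLS_VER_COUNT] = {
    SP_PROT_TLS1_0_CLIENT, SP_PROT_TLS1_1_CLIENT,
    SP_PROT_TLS1_2_CLIENT, SP_PROT_TLS1_3_CLIENT
};

/* Every TLS client protocol bit: the fail-closed result for an invalid range. */
#define ALL_TLS_CLIENT_BITS (SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT | \
                             SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_3_CLIENT)

/* SCHANNEL_CRED.grbitEnabledProtocols lists versions to ENABLE;
 * TLS_PARAMETERS.grbitDisabledProtocols lists versions to DISABLE.
 * Invert a [lo, hi] range into the latter. A range with lo > hi or an
 * unknown hi disables every version instead of silently allowing all. */
uint32_t schannel_disabled_protocols(enum tls_ver lo, enum tls_ver hi)
{
    uint32_t disabled = 0;
    int v;
    if (lo > hi || hi >= TLS_VER_COUNT)
        return ALL_TLS_CLIENT_BITS;
    for (v = 0; v < TLS_VER_COUNT; v++)
        if (v < (int)lo || v > (int)hi)
            disabled |= client_proto_bit[v];
    return disabled;
}

#ifdef _WIN32
/* Acquire an outbound SChannel credential limited to [lo, hi] via SCH_CREDENTIALS.
 * Link with secur32.lib. Returns the SECURITY_STATUS from AcquireCredentialsHandle. */
SECURITY_STATUS acquire_client_creds(enum tls_ver lo, enum tls_ver hi, CredHandle *out)
{
    TLS_PARAMETERS tls_params;
    SCH_CREDENTIALS cred;
    TimeStamp expiry;

    memset(&tls_params, 0, sizeof(tls_params));
    tls_params.grbitDisabledProtocols = schannel_disabled_protocols(lo, hi);

    memset(&cred, 0, sizeof(cred));
    cred.dwVersion = SCH_CREDENTIALS_VERSION;
    /* Strong crypto only, let SChannel validate the server chain, no implicit client cert. */
    cred.dwFlags = SCH_USE_STRONG_CRYPTO | SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS;
    cred.cTlsParameters = 1;
    cred.pTlsParameters = &tls_params;

    return AcquireCredentialsHandleA(NULL, (SEC_CHAR *)UNISP_NAME_A, SECPKG_CRED_OUTBOUND,
                                     NULL, &cred, NULL, NULL, out, &expiry);
}
#endif

int main(void)
{
    uint32_t mask = schannel_disabled_protocols(TLS13, TLS13);
    printf("TLS 1.3 only -> grbitDisabledProtocols = 0x%08x\n", (unsigned)mask);
#ifdef _WIN32
    {
        CredHandle cred;
        SECURITY_STATUS st = acquire_client_creds(TLS13, TLS13, &cred);
        printf("AcquireCredentialsHandle(SCH_CREDENTIALS) -> 0x%08lx\n", (unsigned long)st);
        if (st == SEC_E_OK)
            FreeCredentialsHandle(&cred);
    }
#endif
    return 0;
}
```

On a Windows 11 or Server 2022 build the second line of output is where the deprecated-structure path in the mail above reports SEC_E_ALGORITHM_MISMATCH; with SCH_CREDENTIALS the call should return SEC_E_OK, and the handshake itself (InitializeSecurityContext) is unchanged.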