TLS 1.3 with schannel
From: Tuomas Kaikkonen via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 8 Jun 2022 08:05:56 -0700
Is there a plan to support TLS 1.3 with SChannel on Windows?
I have tried just enabling the TLS 1.3 in the curl sources and run it on
Windows Server 2022 evaluation and Windows 11 Enterprise evaluation
versions. Both failed with errors telling no cipher could be found that
matches the client and server requirements. I tested against www.google.com
setting the minimum and maximum TLS versions both to 1.3 -- I then looked
for reasons in the web, and found articles stating that the SCHANNEL_CRED
is deprecated and SCH_CREDENTIALS structure should be used instead of the
deprecated SCHANNEL_CRED. Simply doing a replacement of
s/SCHANNEL_CRED/SCH_CREDENTIALS/g is not good.
Here are my findings:
https://docs.microsoft.com/en-us/answers/questions/708734/tls-13-doesn39t-work-on-windows-11-through-schanne.html
Looks like the curl schannel.c has to be patched to use different type in
order for the Windows 11 to support TLS 1.3 in schannel. "In order to use
TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead
of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
SCH_CREDENTIALS - Win32 apps | Microsoft Docs
- SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10,
1809 (October 2018 Update), you should use SCH_CREDENTIALS. and you’ll
notice that you can not specify protocol versions with SCH_CREDENTIALS.
Because you have configured Windows 11 correctly, schannel will use the
latest version of TLS so 1.3 will be used. Thank you."
I downloaded evaluation version of Windows 11 Enterprise from
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
and just enabling TLS 1.3 on curl sources was not enough. It'll be probably
a bigger change curl maintainers have to do to change from SCHANNEL_CRED to
SCH_CREDENTIALS struct type.
When I tried to enable TLS 1.3 in curl with SChannel by modifying the
lib\vtls\schannel.c file:
diff --git a/3rdparty/curl/7.83.1/lib/vtls/schannel.c
b/3rdparty/curl/7.83.1/lib/vtls/schannel.c
index 3d2f010753..31b7127712 100644
--- a/3rdparty/curl/7.83.1/lib/vtls/schannel.c
+++ b/3rdparty/curl/7.83.1/lib/vtls/schannel.c
_at__at_ -196,8 +196,10 _at__at_ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred,
struct Curl_easy *data,
schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT;
break;
case CURL_SSLVERSION_TLSv1_3:
- failf(data, "schannel: TLS 1.3 is not yet supported");
- return CURLE_SSL_CONNECT_ERROR;
+ schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT;
+ break;
+ //failf(data, "schannel: TLS 1.3 is not yet supported");
+ //return CURLE_SSL_CONNECT_ERROR;
}
}
return CURLE_OK;
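Review bot: In the CURL_SSLVERSION_TLSv1_3 case, SP_PROT_TLS1_3_CLIENT is OR-ed into grbitEnabledProtocols of a SCHANNEL_CRED, the structure this same message describes as deprecated in favour of SCH_CREDENTIALS for TLS 1.3, so the change trades the explicit "TLS 1.3 is not yet supported" error for a later and less clear failure. Keep the failf()/return CURLE_SSL_CONNECT_ERROR path until set_ssl_version_min_max() and its caller build the credentials through SCH_CREDENTIALS, and delete the two //-commented lines after the break instead of leaving dead code in the switch.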
Then I built the win32 release curl executable and ran it on both my
Windows 10 and Windows Server 2022 preview; I get errors:
On the Windows 10 Professional the error looks like this:
C:\src\WAVE\3rdparty\curl\7.83.1\win32\release>curl --tls-max 1.3 --tlsv1.3 https://www.google.com
curl: (56) Failure when receiving data from the peer
On the Windows Server 2022 preview the error looks like this:
C:\tools\curl-tls1.3>curl --tls-max 1.3 --tlsv1.3 https://www.google.com
curl: (35) schannel: AcquireCredentialsHandle failed:
SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client and server cannot
communicate, because they do not possess a common algorithm.
https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
Tuomas Kaikkonen
Principal Software Engineer, WAVE Core, Motorola Solutions
3131 Elliott Ave, Suite 200, Seattle, WA 98121
phone: (425) 919-8973
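Added example, not part of the original message and not curl's code: a portable C sketch of why swapping the struct name is not enough. SCHANNEL_CRED takes an allow list (grbitEnabledProtocols), while SCH_CREDENTIALS takes a deny list through TLS_PARAMETERS.grbitDisabledProtocols, so the version range has to be inverted. The EX_ names, ex_plan_credentials() and the os_has_sch_credentials flag are hypothetical; the bit values mirror the SP_PROT_*_CLIENT constants in <schannel.h>.

```c
#include <stdint.h>
#include <stdio.h>

/* Values mirror the SP_PROT_*_CLIENT bits in <schannel.h>; redefined under
   hypothetical EX_ names so this compiles without the Windows SDK. */
#define EX_SSL2   0x00000008u
#define EX_SSL3   0x00000020u
#define EX_TLS1_0 0x00000080u
#define EX_TLS1_1 0x00000200u
#define EX_TLS1_2 0x00000800u
#define EX_TLS1_3 0x00002000u
#define EX_ALL (EX_SSL2|EX_SSL3|EX_TLS1_0|EX_TLS1_1|EX_TLS1_2|EX_TLS1_3)

enum ex_ver { EX_V10, EX_V11, EX_V12, EX_V13 };
static const uint32_t ex_bit[] = { EX_TLS1_0, EX_TLS1_1, EX_TLS1_2, EX_TLS1_3 };

struct ex_plan {
  int use_sch_credentials; /* 1: SCH_CREDENTIALS, 0: legacy SCHANNEL_CRED */
  uint32_t mask;           /* deny list if use_sch_credentials, else allow list */
};

/* Returns 0 on success, -1 if the requested range cannot be honoured.
   os_has_sch_credentials is an assumed caller-supplied OS capability flag. */
int ex_plan_credentials(enum ex_ver min, enum ex_ver max,
                        int os_has_sch_credentials, struct ex_plan *out)
{
  uint32_t allow = 0;
  int v;
  if(min > max)
    return -1;
  if(max == EX_V13 && !os_has_sch_credentials) {
    if(min == EX_V13)
      return -1;   /* TLS 1.3 only, but no way to request it: fail early */
    max = EX_V12;  /* otherwise fall back to the legacy range */
  }
  for(v = min; v <= max; v++)
    allow |= ex_bit[v];
  out->use_sch_credentials = (max == EX_V13);
  /* SCH_CREDENTIALS lists what must NOT be used; SCHANNEL_CRED lists what may. */
  out->mask = out->use_sch_credentials ? (EX_ALL & ~allow) : allow;
  return 0;
}

int main(void)
{
  struct ex_plan p;
  if(ex_plan_credentials(EX_V13, EX_V13, 1, &p) == 0)
    printf("sch_credentials=%d mask=0x%08x\n",
           p.use_sch_credentials, (unsigned)p.mask);
  return 0;
}
```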
Received on 2022-06-08