@jay @MarcelRaad please give this PR a glance!

Looks good to me now except for the build break with Visual Studio 2008 (see AppVeyor), and I'd feel more comfortable if we had our MinGW CI on Azure Pipelines back up before merging.

Looks good to me now except for the build break

We need to investigate why it's necessary to set pDisabledCrypto, that does not make sense to me. It seems as though the MS TLS 1.3 support is half baked if it requires explicitly disabling certain TLS 1.3 algorithms.

"This branch cannot be rebased due to conflicts"

Please rebase (and feel free to squash into fewer commits) and force-push to this branch.

@bagder Merged with upstream "master". Should be good to go.

We rebase and do a clean and "straight" commit history when we merge. So it needs to rebase without conflict.

Ok.

I gotta be honest, at our company we merge PRs with full history, so I have little experience with the git magic in re-writing the history. And the git docs are as clear as mud on this point.

So, if I have time at the end of today I'll work on it. Otherwise I'll work on it sometime next week.

We need to investigate why it's necessary to set pDisabledCrypto, that does not make sense to me. It seems as though the MS TLS 1.3 support is half baked if it requires explicitly disabling certain TLS 1.3 algorithms.

I still think one of us familiar with Windows should investigate this before landing. Basically we need to know how Windows 10 and 11 TLS 1.3 behaves without explicitly disabling any ciphers.

Microsoft distribute curl.exe with SChannel with Windows 10, pehaps they can help curl team !

@bagder @jay Should I do the work of squashing the commits so it can be merged? Or should I wait for more reviews by other users?

I'm getting mixed signals.

Does this work by adding TLS 1.3 to curl with SChannel? Yes. (We're using it in production right now).

Does this use all the publicly available documentation and implement it based on that? Also, yes.

Is the SChannel API a black-box with shitty public documentation? Also, yes.

Please squash. If you run into squash errors that look time consuming then try working from a temporary branch based off of upstream/master.

git fetch upstream
git checkout -b temp upstream/master
git merge --squash schannel-ng
git commit # consolidate commit messages into one
git checkout schannel-ng
git reset --hard temp
git branch -D temp
git push -f origin

I'm assuming in this example that remotes upstream => curl/curl and origin => wyattoday/curl

@wyattoday @jay any update on this :)?

This will be wonderfull if this feature can be included in next version @wyattoday

Sorry, been super busy. I’ll get to this end of next week.

We need to investigate why it's necessary to set pDisabledCrypto, that does not make sense to me. It seems as though the MS TLS 1.3 support is half baked if it requires explicitly disabling certain TLS 1.3 algorithms.

I own schannel. There is no need to disable algorithms. Unsupported cipher suites, etc., obviously, won't get negotiated.

@Andrei-Popov

I own schannel.

You work at MS?

There is no need to disable algorithms. Unsupported cipher suites, etc., obviously, won't get negotiated.

Do you happen to have a link (or a reference to any public documentation) that says as much?

The docs I’ve read are all public (obviously — I don’t work at MS) and suggest the opposite. But I would happy to be proven wrong (because it makes more sense for the way I’ve implemented it right now to be the wrong way).

It’s not that I don’t believe you, it’s just that it would better to have canonical sources that can be referred to rather than (a) guesses (b) referencing other source code examples {what I did here} or (c) lore passed down in mailing lists and issues trackers.

I fixed 2 bugs in the code since I said it was ready to merge.

1. Added the missing SSLSUPP_TLS13_CIPHERSUITES flag so curl knows you can pass in those ciphers.
2. Loop over all possible TLS 1.3 ciphers (rather than just the first 3) when passing in explicit ciphers.

Again, looks good to my eyes. It's being used in production here. It's ready for additional review and/or merging.

The Visual Studio 2008 and classic MinGW compilation failures are a problem. There were fixes for them in #8927.

@MarcelRaad Fixed the VS2008 / MingW issues. Passed all the compilation and relevant tests (there seems to be bugs in CI configuration on some tests unrelated to any changes in this PR).

Just squashed it into a single commit to be ready for merge with "main".

Any other comments or review are welcomed. Ready for merge otherwise.

Just updated the docs as well. So, if no further comments, this is ready to merge as-is without requiring any additional work.

The only thing to be aware of is that in docs/libcurl/opts/CURLOPT_TLS13_CIPHERS.3 I said it was "Added in 7.85.0 for SChannel.". This presumes this PR is merged for that release.

If that's not that case then that will have to be changed.

@wyattoday @bagder Any comments for this merge request? Pretty excited to have this feature in git bash.

For me, this PR is correct

LGTM. CI failures are unrelated and being addressed in other PRs. Thanks!

You work at MS?

Yes.

@Andrei-Popov can you ask people who package the c:\Windows\System32\curl.exe build packaged with Windows 11/2022 update it to curl 7.85 when it'll be released?

regards