Re: Problem adding TLS 1.3 support on curl - schannel on Windows 21H2 preview
From: Geoff Beier via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 29 Apr 2021 12:55:13 -0400
Hi,
I pulled your branch and gave it a quick test on current Windows 10. I
saw the same behavior you did.
On Apr 29 2021, at 3:45 am, Gilles Vollant via curl-library
<curl-library_at_cool.haxx.se> wrote:
> I got error:
>
> schannel: AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH
> (0x80090331) - The client and server cannot communicate, because they
> do not possess a common algorithm.
>
That was happening because TLSv1.3 is disabled by default on my system.
Adding the following to the registry caused it to be enabled:
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```
Once I did that, I ran into a new error:
"schannel: can't renegotiate, encrypted data available."
By commenting out this check:
https://github.com/gvollant/curl/blob/2aff6e13896de391f2487e87f2632d44edb97898/lib/vtls/schannel.c#L1959
I was able to proceed and negotiate a TLS 1.3 connection with the Akamai server.
I don't know enough about the schannel backend to propose a correct fix,
though, and that is almost certainly not it.
I hope it helps someone who does know enough see where to look next.
Best,
Geoff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-04-29
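The message above enables TLS 1.3 for Schannel clients through two registry values. The following PowerShell is an added example, not part of the original post or of curl: a read-only check that reports which per-protocol overrides are present under that same `Protocols` key, generalized to every protocol and to both the `Client` and `Server` subkeys. The function name `Get-SchannelProtocolOverride` and the wording of the `State` column are assumptions made for this example.

```powershell
# Added example (not from the original message): read-only audit of the
# Schannel per-protocol registry overrides. The key layout is the one shown
# in the .reg snippet above; the function name is hypothetical.
function Get-SchannelProtocolOverride {
    param(
        # Same key as in the message; can be pointed at a test key instead.
        [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )

    # No Protocols key at all: nothing is overridden, OS defaults apply.
    if (-not (Test-Path -LiteralPath $Root)) { return }

    foreach ($proto in Get-ChildItem -LiteralPath $Root) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $proto.PSPath $role
            if (-not (Test-Path -LiteralPath $key)) { continue }

            $values  = Get-ItemProperty -LiteralPath $key
            $enabled = $values.Enabled             # $null when the value is absent
            $dbd     = $values.DisabledByDefault   # $null when the value is absent

            # DWORD 0xffffffff is read back as -1, so test against 0 only.
            $state = if ($null -eq $enabled -and $null -eq $dbd) { 'no values set (OS default)' }
            elseif ($null -ne $enabled -and $enabled -eq 0)      { 'disabled' }
            elseif ($null -ne $dbd -and $dbd -ne 0)              { 'disabled by default' }
            elseif ($null -ne $enabled)                          { 'enabled' }
            else                                                 { 'Enabled not set (OS default)' }

            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

# After importing the .reg file from the message, the "TLS 1.3" / "Client"
# row should show Enabled = 1, DisabledByDefault = 0, State = enabled.
Get-SchannelProtocolOverride | Format-Table -AutoSize
```

A protocol with no row in the output has no registry override, so the operating system default for that protocol applies.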