curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

TLS 1.3 with schannel

From: Tuomas Kaikkonen via curl-library <>
Date: Wed, 8 Jun 2022 08:05:56 -0700

Is there a plan to support TLS 1.3 with SChannel on Windows?
I have tried just enabling the TLS 1.3 in the curl sources and run it on
Windows Server 2022 evaluation and Windows 11 Enterprise evaluation
versions. Both failed with errors telling no cipher could be found that
matches the client and server requirements. I tested against
setting the minimum and maximum TLS versions both to 1.3 -- I then looked
for reasons in the web, and found articles stating that the SCHANNEL_CRED
is deprecated and SCH_CREDENTIALS structure should be used instead of the
deprecated SCHANNEL_CRED. Simply doing a replacement of

Here is my findings:

Looks like the curl schannel.c has to be patched to use different type in
order for the Windows 11 to support TLS 1.3 in schannel. "In order to use
TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead
of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
SCH_CREDENTIALS - Win32 apps | Microsoft Docs

   - SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;

The SCHANNEL_CRED structure has been deprecated. Starting with Windows 10,
1809 (October 2018 Update), you should use SCH_CREDENTIALS. and you’ll
notice that you can not specify protocol versions with SCH_CREDENTIALS.
Beacause you have configured Windows 11 correctly, schannel will use the
latest version of TLS so 1.3 will be used. Thank you."

I downloaded evaluation version of Windows 11 Enterprise from
and just enabling TLS 1.3 on curl sources was not enough. It'll be probably
a bigger change curl maintainers have to do to change from SCHANNEL_CRED to
SCH_CREDENTIALS struct type.

When I tried to enable TLS 1.3 in curl with SChannel by modifying the
lib\vtls\schannel.c file:
diff --git a/3rdparty/curl/7.83.1/lib/vtls/schannel.c
index 3d2f010753..31b7127712 100644
--- a/3rdparty/curl/7.83.1/lib/vtls/schannel.c
+++ b/3rdparty/curl/7.83.1/lib/vtls/schannel.c
_at__at_ -196,8 +196,10 _at__at_ set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred,
struct Curl_easy *data,
       schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_2_CLIENT;
     case CURL_SSLVERSION_TLSv1_3:
- failf(data, "schannel: TLS 1.3 is not yet supported");
+ schannel_cred->grbitEnabledProtocols |= SP_PROT_TLS1_3_CLIENT;
+ break;
+ //failf(data, "schannel: TLS 1.3 is not yet supported");
   return CURLE_OK;

Then build the win32 release curl executable, and ran that on both my
Windows 10 and Windows Server 2022 preview, I get errors:

On the Windows 10 Professional the error looks like this:
C:\src\WAVE\3rdparty\curl\7.83.1\win32\release>curl --tls-max 1.3 --tlsv1.3
curl: (56) Failure when receiving data from the peer

On the Windows Server 2022 preview the error looks like this:
C:\tools\curl-tls1.3>curl --tls-max 1.3 --tlsv1.3
curl: (35) schannel: AcquireCredentialsHandle failed:
SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client and server cannot
communicate, because they do not possess a common algorithm.

Tuomas Kaikkonen
Principal Software Engineer, WAVE Core, Motorola Solutions
3131 Elliott Ave, Suite 200, Seattle, WA 98121
phone: (425) 919-8973

*For more information on how and why we collect your personal 
information, please visit our Privacy Policy 

Received on 2022-06-08