Home > Computers and Internet, Programming > TLS v1.3 support finally on Windows!

TLS v1.3 support finally on Windows!

May 23, 2019

As some of you may know I developed and maintain a set of C++ classes called SSLWrappers to encapsulate the TLS / SSL functionality exposed by Windows through it’s Schannel SSPI component. This provides the built-in TLS functionality in Windows and is roughly equivalent to the OpenSSL library in the Open-Source world. I have used Schannel and my support classes in a number of work and personal projects, and because it is built in to Windows is one less third party library you need to pull into your projects when you require low level TLS functionality. I actively use the SSLWrappers classes in my W3MFC, CPJNPOP3Connection and CPJNSMTPConnection Open-Source libraries. Chromium on Windows, Edge (as well as the newer “Edge on Chromium”), Internet Explorer and IIS all use SChannel internally for their TLS functionality. Also many of the higher level components in Windows such as WinHTTP and Windows Update internally also use Schannel for their HTTPS functionality.

The latest revision of TLS namely v1.3 was ratified as RFC 8446 back in August 2018. I have been monitoring new versions of Windows 10 client and Windows Server since mid 2018 to see when they would support TLS v1.3. The most recent references I can find from Microsoft about modernizing TLS in Windows is https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ from October 2018 but this only makes oblique references to if / when TLS v1.3 will be available on Windows.

What I have just discovered and can now reveal today probably for the first time by anyone outside of Microsoft is that TLS v1.3 is now included inbox in Windows 10 v1903 and Windows Server 1903. By default support for TLS v1.3 is disabled in these versions of Windows but if you enable it using the expected registry values for TLS v1.3 Schannel you can get it to work.

To enable TLS v1.3 in either of these versions of Windows you should import the following registry file into your registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]

This will enable the client side of TLS v1.3 in Windows and a reboot is not required for these changes to take effect, which is nice. If you want you can substitute the “Client” value above for “Server” and then import it also. The latter import will enable the server side of TLS v1.3 on Windows. Note that importing this .reg file on earlier versions of Windows such as Windows 10 1809 or Window Server 1809 seems to have no effect, meaning that TLS v1.3 is not supported on these earlier versions of Windows.

To test out TLS v1.3 support, you should then take the SSLWrappers sample app of mine and modify the code to include the additional line in red below at about line number 1079 and recompile:

//Create the credentials
SSLWrappers::CCachedCredentials credentials;
memset(&credentials.m_sslCredentials, 0, sizeof(credentials.m_sslCredentials));
credentials.m_sslCredentials.dwVersion = SCHANNEL_CRED_VERSION;
credentials.m_sslCredentials.grbitEnabledProtocols = SP_PROT_TLS1_3;
if (g_bManualServerCertificateValidation) //If we want to do manual server certificate validation, then ask SChannel not to do it automatically for us
  credentials.m_sslCredentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
status = credentials.Acquire(SECPKG_CRED_OUTBOUND, &credentials.m_sslCredentials);

Adding this line will force the demo app to only negotiate using TLS v1.3 and not to fall back to TLS v1.2 or lower. Then if you use the command line:

SSLWrappersDemo.exe 0 www.google.com 443

the demo app will try to make a TLS v1.3 connection to www.google.com. What you should see on Windows 10 1903 and Server 1903 is the following:

Connecting to http://www.google.com:443
Performing SSL client handshake
Version: 0x1
TLS v1.3
Cipher: AES
Cipher Strength: 0x100
Hash Strength: 0x0
Exchange Strength: 0x0
Protocol: TLS v1.3
Cipher: AES
Cipher strength: 256
Hash: SHA-384
Hash strength: 0
Key exchange algorithm identifier: 0x0, Class:0, Type:0, SID:0
Key exchange strength: 0
Version: 0x1
Protocol: 0x304
Cipher Suite: 0x1302
Base Cipher Suite: 0x1302
Cipher Suite: TLS_AES_256_GCM_SHA384
Cipher: AES
Cipher Length: 256
Cipher Block Length: 16
Hash Length: 0x0
Exchange Min Length: 0
Exchange Max Length: 0
Key Type: 0x1d
Session app data: Length:0,


This shows the sample app negotiating a TLS v1.3 connection to google.com using the TLS_AES-256-GCM_SHA384 cipher. FYI, TLS v1.3 has a much reduced set of supported ciphers. I have tried other TLS v1.3 servers on the Internet as documented at https://github.com/tlswg/tls13-spec/wiki/Implementations#test-servers but the only one I could get to work was www.google.com. If you try running the same modified version of the SSLWrappers demo app on earlier versions of Windows you will see it consistently failing while attempting the client TLS handshake with any TLS v1.3 server. Most of the other servers I tried failed when trying to negotiate the client TLS handshake. I also could get the client run of the demo app to connect to the server implementation of TLS v1.3 using the command line:

SSLWrappersDemo.exe 0 localhost 443

to run the server and then using the following command line to connect to that server as a client:

SSLWrappersDemo.exe 1 localhost 443

Please see the documentation for SSLWrappers on how to setup and test the code and certificates for this loopback test.

This investigation proves that Microsoft is shipping a functional TLS v1.3 implementation in their most current version of Windows client and server, but it remains to be seen when Microsoft will officially announce this support. It could even be the case that it will not be officially supported by MS until the next release of Windows 10 and Windows Server in Q3 2019. Come on Microsoft, tell us when we can start officially using TLS v1.3 on Windows.


Happy Coding!

%d bloggers like this: