Archive for the ‘Computers and Internet’ Category

TLS v1.3 support finally on Windows!

May 23, 2019

As some of you may know I developed and maintain a set of C++ classes called SSLWrappers to encapsulate the TLS / SSL functionality exposed by Windows through its Schannel SSPI component. Schannel provides the built-in TLS functionality in Windows and is roughly equivalent to the OpenSSL library in the Open-Source world. I have used Schannel and my support classes in a number of work and personal projects, and because it is built in to Windows it is one less third party library you need to pull into your projects when you require low level TLS functionality. I actively use the SSLWrappers classes in my W3MFC, CPJNPOP3Connection and CPJNSMTPConnection Open-Source libraries. Chromium on Windows, Edge (as well as the newer “Edge on Chromium”), Internet Explorer and IIS all use Schannel internally for their TLS functionality. Many of the higher level components in Windows such as WinHTTP and Windows Update also use Schannel internally for their HTTPS functionality.

The latest revision of TLS, namely v1.3, was ratified as RFC 8446 back in August 2018. I have been monitoring new versions of Windows 10 client and Windows Server since mid 2018 to see when they would support TLS v1.3. The most recent reference I can find from Microsoft about modernizing TLS in Windows is https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ from October 2018, but this only makes oblique references to if / when TLS v1.3 will be available on Windows.

What I have just discovered and can now reveal today probably for the first time by anyone outside of Microsoft is that TLS v1.3 is now included inbox in Windows 10 v1903 and Windows Server 1903. By default support for TLS v1.3 is disabled in these versions of Windows but if you enable it using the expected registry values for TLS v1.3 Schannel you can get it to work.

To enable TLS v1.3 in either of these versions of Windows you should import the following registry file into your registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

This will enable the client side of TLS v1.3 in Windows and a reboot is not required for these changes to take effect, which is nice. If you want, you can replace the “Client” subkey name above with “Server” and then import that file also. The latter import will enable the server side of TLS v1.3 on Windows. Note that importing this .reg file on earlier versions of Windows such as Windows 10 1809 or Windows Server 1809 seems to have no effect, meaning that TLS v1.3 is not supported on these earlier versions of Windows.
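The same change as the .reg file above, applied and read back from an elevated PowerShell prompt. This is an added example, not code from the original post or from SSLWrappers; the function names Set-Tls13Role and Get-SchannelProtocolState are hypothetical, and the build check assumes that version 1903 corresponds to build 18362.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post); function names are hypothetical.
$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-Tls13Role {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $key = Join-Path (Join-Path $ProtocolsRoot 'TLS 1.3') $Role
    # Create the key only if it is missing, so existing values under it are left alone.
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The same two DWORD values as the .reg file.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-SchannelProtocolState {
    # One row per protocol/role subkey. A blank column means the value is not
    # set, so Schannel's built-in default for that protocol applies.
    foreach ($proto in Get-ChildItem -Path $ProtocolsRoot -ErrorAction SilentlyContinue) {
        foreach ($role in Get-ChildItem -Path $proto.PSPath) {
            $values = Get-ItemProperty -Path $role.PSPath
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Role              = $role.PSChildName
                Enabled           = $values.Enabled
                DisabledByDefault = $values.DisabledByDefault
            }
        }
    }
}

# Assumption: version 1903 is build 18362. The post found the values have no effect on 1809.
$build = [Environment]::OSVersion.Version.Build
if ($build -lt 18362) {
    Write-Warning "Build $build is older than 1903 (18362); the TLS 1.3 values are not expected to take effect."
}

Set-Tls13Role -Role Client
# Set-Tls13Role -Role Server   # uncomment to enable the server side as well
Get-SchannelProtocolState | Sort-Object Protocol, Role | Format-Table -AutoSize
```

The table at the end also lists any older protocols (SSL 3.0, TLS 1.0 and so on) that have explicit keys, which makes it a quick audit of what has been switched on or off on the machine.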

To test out TLS v1.3 support, you should then take the SSLWrappers sample app of mine, add the line that sets grbitEnabledProtocols (shown below) at about line number 1079 and recompile:

//Create the credentials
SSLWrappers::CCachedCredentials credentials;
memset(&credentials.m_sslCredentials, 0, sizeof(credentials.m_sslCredentials));
credentials.m_sslCredentials.dwVersion = SCHANNEL_CRED_VERSION;
//Added line: only offer TLS v1.3, with no fall back to TLS v1.2 or lower
credentials.m_sslCredentials.grbitEnabledProtocols = SP_PROT_TLS1_3;
if (g_bManualServerCertificateValidation) //If we want to do manual server certificate validation, then ask SChannel not to do it automatically for us
  credentials.m_sslCredentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
status = credentials.Acquire(SECPKG_CRED_OUTBOUND, &credentials.m_sslCredentials);

Adding this line will force the demo app to only negotiate using TLS v1.3 and not to fall back to TLS v1.2 or lower. Then if you use the command line:

SSLWrappersDemo.exe 0 www.google.com 443

the demo app will try to make a TLS v1.3 connection to www.google.com. What you should see on Windows 10 1903 and Server 1903 is the following:

Connecting to http://www.google.com:443
Performing SSL client handshake
–SECPKG_ATTR_CONNECTION_INFO_EX_V1 details–
Version: 0x1
Protocol: TLS v1.3
Cipher: AES
Cipher Strength: 0x100
Hash:
Hash Strength: 0x0
Exchange:
Exchange Strength: 0x0
–SECPKG_ATTR_CONNECTION_INFO details–
Protocol: TLS v1.3
Cipher: AES
Cipher strength: 256
Hash: SHA-384
Hash strength: 0
Key exchange algorithm identifier: 0x0, Class:0, Type:0, SID:0
Key exchange strength: 0
–SECPKG_ATTR_CIPHER_INFO details–
Version: 0x1
Protocol: 0x304
Cipher Suite: 0x1302
Base Cipher Suite: 0x1302
Cipher Suite: TLS_AES_256_GCM_SHA384
Cipher: AES
Cipher Length: 256
Cipher Block Length: 16
Hash:
Hash Length: 0x0
Exchange:
Exchange Min Length: 0
Exchange Max Length: 0
Certificate:
Key Type: 0x1d
–SECPKG_ATTR_APP_DATA details–
Session app data: Length:0,

This shows the sample app negotiating a TLS v1.3 connection to google.com using the TLS_AES_256_GCM_SHA384 cipher. FYI, TLS v1.3 has a much reduced set of supported ciphers. I have tried other TLS v1.3 servers on the Internet as documented at https://github.com/tlswg/tls13-spec/wiki/Implementations#test-servers but the only one I could get to work was www.google.com. If you try running the same modified version of the SSLWrappers demo app on earlier versions of Windows you will see it consistently failing while attempting the client TLS handshake with any TLS v1.3 server. Most of the other servers I tried failed when trying to negotiate the client TLS handshake. I could also get the client run of the demo app to connect to the server implementation of TLS v1.3 using the command line:

SSLWrappersDemo.exe 0 localhost 443

to run the server and then using the following command line to connect to that server as a client:

SSLWrappersDemo.exe 1 localhost 443

Please see the documentation for SSLWrappers on how to setup and test the code and certificates for this loopback test.

This investigation proves that Microsoft is shipping a functional TLS v1.3 implementation in their most current version of Windows client and server, but it remains to be seen when Microsoft will officially announce this support. It could even be the case that it will not be officially supported by MS until the next release of Windows 10 and Windows Server in Q3 2019. Come on Microsoft, tell us when we can start officially using TLS v1.3 on Windows.

Happy Coding!

Broadband Update, FTTH at last!

October 23, 2018

Finally, as of October 2018, I now have a 1Gb Fibre To The Home (FTTH) package with Eir. The speed of the package is amazing and I have a custom built 2U pfSense router bought from ComputerPlanet.co.uk instead of the Eir supplied F2000 device to do the routing for the connection. I have been following the build out of the Rural FTTH network from Eir over the last few months on boards.ie and it finally arrived in my local village this summer. The fibre cable was brought in overhead from a telegraph pole just in front of my house to the gable of my house and the engineer did a really neat job hiding the cable behind the fascia board before it went inside the house. The cost is €70 per month and there are no download limits but there is a fair usage policy. I have also requested a static IP address from Eir. Prior to getting FTTH I also ported my landline to VoIP a number of months ago and that is with IrishVoip.com.

June Dublin C/C++ User Group Presentation

June 12, 2018

On Monday this week I did a presentation on my JSON++ library to the Dublin C/C++ User Group. The PowerPoint deck of my presentation is available here for those interested. A recording of the meetup should be available on the group's meetup page shortly.

March Dublin C++ User Group Presentation

March 6, 2018

On Monday this week I did a presentation on using OpenStreetMap and various Microsoft technologies to the Dublin C++ User Group in Dublin. It provided an introduction to the OpenStreetMap project and then went through my OSMCtrl application which demoed a number of Microsoft technologies such as Direct2D, Windows Animations, Windows Sensors, MFC and using WinHTTP to make web services calls. A big thanks to Mihai Todor and the fellow organisers who facilitated the meetup. The PowerPoint deck of my presentation is available here for those interested. A recording of the meetup should be available on the group's meetup page shortly.

OSMCtrl & User Agent string usage

October 30, 2011

Just got an email from Matthias Meißer, who is one of the sysadmins on OpenStreetMap, that my COSMCtrl control appears high up in the list of User Agent strings which hit the OpenStreetMap slippy tile server. He informed me that they employ various techniques which are based on the User Agent string of client applications to control their bandwidth requirements. If you are considering integrating COSMCtrl into your client app, then please ensure that you use your own unique string for your application's User Agent string so that it will not be blocked because of someone else abusing the same string. To change the User Agent string you can use the COSMCtrl::SetUserAgent method. The default value will be taken from the MFC application using the global method AfxGetAppName().

Happy OSMing!

Irish SQL Server User Group Presentation

June 17, 2011

On Tuesday this week I did a presentation on using SQLCLR to the Irish SQL Server User Group up in Dublin. It provided a simple developer based introduction on how to write plug-ins for SQL Server 2005 & 2008. The example I developed from first principles was a SHA-256 hash User Defined Type. This was a repeat of the presentation which I did to the Cork Microsoft Technology User Group back in April 2009. I updated the slide deck to mention some of the new SQLCLR features in SQL 2008 R2 but the presentation was a general developer introduction. I also raffled off a couple of copies of my SQL Server XP book as prizes for filling in the evaluation forms. A big thanks to my fellow MVP Niall Flanagan who handles the SQL Server User Group who facilitated me to do the presentation.

My New Development Machine + Windows 7

May 28, 2009

Just a note to let you all know that I had done a write up of my new dev machine on my web site at http://www.naughter.com/computers.html. Here are the details:

An Intel Core i7 Quad Extreme Processor. This is the top of the range Core i7-965 processor running at 3.2GHz with 4 cores and 8 threads. I also used a Zalman CNP9900 LED CPU Cooler. The whole blue glow from the various fans inside the case is very cool looking through the clear side window in the case.

An Asus P6T6 WS Revolution Workstation Motherboard

6 sticks of 2GB Corsair XMS3 DDR 1600MHz 2PC3200 memory. This provides a total of 12GB of main memory and can take advantage of the triple channel memory support of the X58 motherboard.

2 Western Digital VelociRaptor 10000RPM 300GB SATA drives in a RAID0 array; this gives a really fast setup for my boot partition.

1 Western Digital Caviar 2TB SATA2 drive as a “data” drive

A factory Overclocked EVGA GeForce GTX 295 Graphics card

Gigabyte 3D Mars Silver Big Tower Case

Corsair 1000 Watt Power supply

The OS installed is Windows 7 x64 Release Candidate. I will be updating it to the gold version when it is released (hopefully without having to do a fresh reinstall)

LG DVD_RW Blu-ray & HD-DVD Drive.

2 DELL 30″ 3008WFP LCD monitors. This provides a lovely multi monitor solution with each display running at its native resolution of 2560 * 1600!

This machine is a pretty high end rig and should serve me very well for development purposes going forward. With the amount of memory onboard it should be easily able to handle a number of simultaneous virtual machines which is always handy for testing purposes. Since installing Windows 7 on it, I must admit that MS really has got it right after the whole Vista debacle. Everything just fits together nicely and performance is very good. The only thing I still pine for is the XP style Classic Start menu which has been completely removed from Windows 7. With the new Pin to TaskBar functionality and such large monitors I rarely ever use the start menu anyway now, instead preferring to use the taskbar shortcuts directly for my most used programs. The other thing I miss is not having the Start-> Run command easily available. I’m sure if I Googled that I could find a command line shortcut to make it available via a pinned shortcut on the taskbar. UAC on 7 seems to be much more toned down than Vista which helps to make your day to day experience a whole lot more pleasant. The Virtual Windows XP in Windows 7 is a really great feature and has already helped me to keep my old Desktop printer going as well as being able to use the Cisco VPN client which is only available for x86 versions of Windows. I’ve also run a few games on the new PC to give it a good try out. I’ve tried Crysis, Racedriver Grid and Far Cry 2 and the visuals in these games are absolutely stunning. PC gaming technology has really progressed in the last few years. I would also like to thank my accounts manager at Komplett, namely Rafal Cyranski, for their great service. They’re truly a great company to do business with.