Archive
TLS v1.3 support finally on Windows!
As some of you may know I developed and maintain a set of C++ classes called SSLWrappers to encapsulate the TLS / SSL functionality exposed by Windows through its Schannel SSPI component. This provides the built-in TLS functionality in Windows and is roughly equivalent to the OpenSSL library in the Open-Source world. I have used Schannel and my support classes in a number of work and personal projects, and because it is built in to Windows it is one less third party library you need to pull into your projects when you require low level TLS functionality. I actively use the SSLWrappers classes in my W3MFC, CPJNPOP3Connection and CPJNSMTPConnection Open-Source libraries. Chromium on Windows, Edge (as well as the newer “Edge on Chromium”), Internet Explorer and IIS all use SChannel internally for their TLS functionality. Also many of the higher level components in Windows such as WinHTTP and Windows Update internally use Schannel for their HTTPS functionality.
The latest revision of TLS namely v1.3 was ratified as RFC 8446 back in August 2018. I have been monitoring new versions of Windows 10 client and Windows Server since mid 2018 to see when they would support TLS v1.3. The most recent references I can find from Microsoft about modernizing TLS in Windows is https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/ from October 2018 but this only makes oblique references to if / when TLS v1.3 will be available on Windows.
What I have just discovered and can now reveal today, probably for the first time by anyone outside of Microsoft, is that TLS v1.3 is now included in-box in Windows 10 v1903 and Windows Server 1903. By default support for TLS v1.3 is disabled in these versions of Windows, but if you enable it using the expected Schannel registry values for TLS v1.3 you can get it to work.
To enable TLS v1.3 in either of these versions of Windows you should import the following registry file into your registry:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```
This will enable the client side of TLS v1.3 in Windows, and a reboot is not required for these changes to take effect, which is nice. If you want you can substitute the “Client” key name above for “Server” and then import that file as well. The latter import will enable the server side of TLS v1.3 on Windows. Note that importing this .reg file on earlier versions of Windows such as Windows 10 1809 or Windows Server 1809 seems to have no effect, meaning that TLS v1.3 is not supported on these earlier versions of Windows.
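The registry change above, scripted for both the Client and Server sides, as an added example (this is my script, not the author's or the SSLWrappers project's code). It assumes the version 1903 requirement described in the post corresponds to Windows build number 18362 and refuses to write the keys on older builds, where the post found them to have no effect; the function names are my own.

```powershell
# Added example (not from the original post): enable the TLS 1.3 Schannel keys
# described above for both Client and Server, and refuse to do so on builds
# older than Windows 10 / Windows Server version 1903 (build 18362), where the
# post found the keys have no effect. Run from an elevated PowerShell prompt.
# Function names are my own; the key path and values are those from the post.

$ProtocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$MinimumBuild  = 18362   # build number of Windows 10 / Windows Server version 1903

function Test-Tls13CapableBuild {
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($build -ge $MinimumBuild)
}

function Set-SchannelTls13 {
    param(
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Side,
        [bool]$Enable = $true
    )
    $key = Join-Path $ProtocolsPath "TLS 1.3\$Side"
    if (-not (Test-Path -Path $key)) {
        # -Force also creates the intermediate "TLS 1.3" key if it is missing
        New-Item -Path $key -Force | Out-Null
    }
    # The same two REG_DWORD values as the .reg file in the post.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enable)) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enable) -Force | Out-Null
}

function Get-SchannelTls13State {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Side)
    $key = Join-Path $ProtocolsPath "TLS 1.3\$Side"
    if (-not (Test-Path -Path $key)) { return 'not configured (Schannel default)' }
    $values = Get-ItemProperty -Path $key
    if ($values.Enabled -eq 1 -and $values.DisabledByDefault -eq 0) { return 'enabled' }
    return 'disabled'
}

if (-not (Test-Tls13CapableBuild)) {
    Write-Warning 'This build predates version 1903; the TLS 1.3 keys would be ignored.'
    exit 1
}
foreach ($side in 'Client', 'Server') {
    Set-SchannelTls13 -Side $side -Enable $true
    '{0}: {1}' -f $side, (Get-SchannelTls13State -Side $side)
}
```

As the post notes, no reboot is needed for Schannel to pick up the new values; running the script a second time simply reports the current state.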
To test out TLS v1.3 support, you should then take my SSLWrappers sample app and modify the code to include the additional line below (the one setting grbitEnabledProtocols to SP_PROT_TLS1_3) at about line number 1079 and recompile:
```cpp
//Create the credentials
SSLWrappers::CCachedCredentials credentials;
memset(&credentials.m_sslCredentials, 0, sizeof(credentials.m_sslCredentials));
credentials.m_sslCredentials.dwVersion = SCHANNEL_CRED_VERSION;
credentials.m_sslCredentials.grbitEnabledProtocols = SP_PROT_TLS1_3; //The additional line: only allow TLS v1.3 to be negotiated
if (g_bManualServerCertificateValidation) //If we want to do manual server certificate validation, then ask SChannel not to do it automatically for us
  credentials.m_sslCredentials.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION;
status = credentials.Acquire(SECPKG_CRED_OUTBOUND, &credentials.m_sslCredentials);
```
Adding this line will force the demo app to only negotiate using TLS v1.3 and not to fall back to TLS v1.2 or lower. Then if you use the command line:
```text
SSLWrappersDemo.exe 0 www.google.com 443
```
the demo app will try to make a TLS v1.3 connection to www.google.com. What you should see on Windows 10 1903 and Server 1903 is the following:
```text
Connecting to http://www.google.com:443
Performing SSL client handshake
–SECPKG_ATTR_CONNECTION_INFO_EX_V1 details–
Version: 0x1
Protocol: TLS v1.3
Cipher: AES
Cipher Strength: 0x100
Hash:
Hash Strength: 0x0
Exchange:
Exchange Strength: 0x0
–SECPKG_ATTR_CONNECTION_INFO details–
Protocol: TLS v1.3
Cipher: AES
Cipher strength: 256
Hash: SHA-384
Hash strength: 0
Key exchange algorithm identifier: 0x0, Class:0, Type:0, SID:0
Key exchange strength: 0
–SECPKG_ATTR_CIPHER_INFO details–
Version: 0x1
Protocol: 0x304
Cipher Suite: 0x1302
Base Cipher Suite: 0x1302
Cipher Suite: TLS_AES_256_GCM_SHA384
Cipher: AES
Cipher Length: 256
Cipher Block Length: 16
Hash:
Hash Length: 0x0
Exchange:
Exchange Min Length: 0
Exchange Max Length: 0
Certificate:
Key Type: 0x1d
–SECPKG_ATTR_APP_DATA details–
Session app data: Length:0,
…
```
This shows the sample app negotiating a TLS v1.3 connection to google.com using the TLS_AES_256_GCM_SHA384 cipher suite. FYI, TLS v1.3 has a much reduced set of supported ciphers. I have tried other TLS v1.3 servers on the Internet as documented at https://github.com/tlswg/tls13-spec/wiki/Implementations#test-servers but the only one I could get to work was www.google.com. If you try running the same modified version of the SSLWrappers demo app on earlier versions of Windows you will see it consistently failing while attempting the client TLS handshake with any TLS v1.3 server. Most of the other servers I tried failed when trying to negotiate the client TLS handshake. I also could get the client run of the demo app to connect to the server implementation of TLS v1.3 using the command line:
```text
SSLWrappersDemo.exe 0 localhost 443
```
to run the server and then using the following command line to connect to that server as a client:
```text
SSLWrappersDemo.exe 1 localhost 443
```
Please see the documentation for SSLWrappers on how to set up and test the code and certificates for this loopback test.
This investigation proves that Microsoft is shipping a functional TLS v1.3 implementation in their most current version of Windows client and server, but it remains to be seen when Microsoft will officially announce this support. It could even be the case that it will not be officially supported by MS until the next release of Windows 10 and Windows Server in Q3 2019. Come on Microsoft, tell us when we can start officially using TLS v1.3 on Windows.
Happy Coding!
Broadband Update, FTTH at last!
Finally, as of October 2018, I now have a 1Gb Fibre To The Home (FTTH) package with Eir. The speed of the package is amazing and I have a custom built 2U pfSense router bought from ComputerPlanet.co.uk instead of the Eir supplied F2000 device to do the routing for the connection. I have been following the build out of the Rural FTTH network from Eir over the last few months on boards.ie and it finally arrived in my local village this summer. The fibre cable was brought in overhead from a telegraph pole just in front of my house to the gable of my house and the engineer did a really neat job hiding the cable behind the fascia board before it went inside the house. The cost is €70 per month and there are no download limits but there is a fair usage policy. I have also requested a static IP address from Eir. Prior to getting FTTH I had also ported my landline to VoIP a number of months ago and that is with IrishVoip.com.
June Dublin C/C++ User Group Presentation
On Monday this week I did a presentation on my JSON++ library to the Dublin C/C++ User Group. The PowerPoint deck of my presentation is available here for those interested. A recording of the meetup should be available on the group's meetup page shortly.
March Dublin C++ User Group Presentation
On Monday this week I did a presentation on using OpenStreetMap and various Microsoft technologies to the Dublin C++ User Group in Dublin. It provided an introduction to the OpenStreetMap project and then went through my OSMCtrl application which demoed a number of Microsoft Technologies such as Direct2D, Windows Animations, Windows Sensors, MFC and using WinHTTP to make web services calls. A big thanks to Mihai Todor and the fellow organisers who facilitated the meetup. The PowerPoint deck of my presentation is available here for those interested. A recording of the meetup should be available on the group's meetup page shortly.
OSMCtrl & User Agent string usage
Just got an email from Matthias Meißer, who is one of the sysadmins on OpenStreetMap, telling me that my COSMCtrl control appears high up in the list of User Agent strings which hit the OpenStreetMap slippy tile server. He informed me that they employ various techniques which are based on the User Agent string of client applications to control their bandwidth requirements. If you are considering integrating COSMCtrl into your client app, then please ensure that you use your own unique string for your application's User Agent string so that it will not be blocked because of someone else abusing the same string. To change the User Agent string you can use the COSMCtrl::SetUserAgent method. The default value will be taken from the MFC application using the global method AfxGetAppName().
Happy OSMing!
Irish SQL Server User Group Presentation
On Tuesday this week I did a presentation on using SQLCLR to the Irish SQL Server User Group up in Dublin. It provided a simple developer based introduction on how to write plug-ins for SQL Server 2005 & 2008. The example I developed from first principles was a SHA-256 hash User Defined Type. This was a repeat of the presentation which I did to the Cork Microsoft Technology User Group back in April 2009. I updated the slide deck to mention some of the new SQLCLR features in SQL 2008 R2 but the presentation was a general developer introduction. I also raffled off a couple of copies of my SQL Server XP book as prizes for filling in the evaluation forms. A big thanks to my fellow MVP Niall Flanagan, who handles the SQL Server User Group and who facilitated my doing the presentation.
My New Development Machine + Windows 7
Just a note to let you all know that I have done a write-up of my new dev machine on my web site at http://www.naughter.com/computers.html. Here are the details:
An Intel Core i7 Quad Extreme Processor. This is the top of the range Core i7-965 processor running at 3.2GHz with 4 cores and 8 threads. I also used a Zalman CNP9900 LED CPU Cooler. The whole blue glow from the various fans inside the case is very cool looking through the clear side window in the case.
An Asus P6T6 WS Revolution Workstation Motherboard
6 sticks of 2GB Corsair XMS3 DDR 1600Mhz 2PC3200 memory. This provides a total of 12GB of main memory and can take advantage of the triple channel memory support of the X58 motherboard.
2 Western Digital VelociRaptor 10000RPM 300GB SATA drives in a RAID0 array, which gives a really fast setup for my boot partition.
1 Western Digital Caviar 2TB SATA2 drive as a “data” drive
A factory Overclocked EVGA GeForce GTX 295 Graphics card
Gigabyte 3D Mars Silver Big Tower Case
Corsair 1000 Watt Powersupply
The OS installed is Windows 7 x64 Release Candidate. I will be updating it to the gold version when it is released (hopefully without having to do a fresh reinstall).
LG DVD-RW Blu-ray & HD-DVD Drive.
2 DELL 30″ 3008WFP LCD monitors. This provides a lovely multi monitor solution with each display running at its native resolution of 2560 * 1600!
This machine is a pretty high end rig and should serve me very well for development purposes going forward. With the amount of memory onboard it should be easily able to handle a number of simultaneous virtual machines which is always handy for testing purposes. Since installing Windows 7 on it, I must admit that MS really has got it right after the whole Vista debacle. Everything just fits together nicely and performance is very good. The only thing I still pine for is the XP style Classic Start menu which has been completely removed from Windows 7. With the new Pin to TaskBar functionality and such large monitors I rarely ever use the start menu anyway now, instead preferring to use the taskbar shortcuts directly for my most used programs. The other thing I miss is not having the Start-> Run command easily available. I’m sure if I Googled that I could find a command line shortcut to make it available via a pinned shortcut on the taskbar. UAC on 7 seems to be much more toned down than Vista which helps to make your day-to-day experience a whole lot more pleasant. The Virtual Windows XP in Windows 7 is a really great feature and has already helped me to keep my old Desktop printer going as well as being able to use the Cisco VPN client which is only available for x86 versions of Windows. I’ve also run a few games on the new PC to give it a good try out. I’ve tried Crysis, Racedriver Grid and Far Cry 2 and the visuals in these games are absolutely stunning. PC gaming technology has really progressed in the last few years. I would also like to thank my accounts manager at Komplett, namely Rafal Cyranski, for their great service. They’re truly a great company to do business with.
Broadband Update
Just today I got a new broadband connection via Wireless. The company is a small local company called Alpha Broadband located in Courtown Harbour which is just 10 KM north from my location. I have been talking to the manager of the local Wind farm on and off for the last year about using their meteorological mast to install a Wireless Access Point for the local area and finally this week, it is now installed and up and running. For €75 a month I get a 3Mbps downstream / 512 kbps upstream package. Due to the fact that the access point at the wind farm is not too high up on the mast as well as the fact that there are some intervening trees between my location and the access point, the installer had some initial difficulties getting a reliable connection going. But once he raised the unit high enough on the TV pole on my house’s gable end, the connection started to come in loud and clear. Alpha Telecom terminate the connection using a standard Ethernet connection, which the average user will just plug into their computer’s network port. I purchased a Linksys RV042 Router to provide the firewalling and NAT for the computers on my LAN. If you live between Ballygarrett and Kilmuckridge and currently cannot get broadband via the phone line, then certainly give Alpha Broadband a call to see if they can get you on the Internet.
Broadband Update
Just to let you all know that I have finally got my DSL broadband connection up and running reliably at 1MB downstream and 256 upstream. As I have posted earlier the ISP I went with is Eircom. I have just a few days ago decommissioned my Satellite connection with Educom. It was a good service when I had no choice, but it is great to have a low latency connection meaning that I can use programs such as Skype and Voipcheap.com. I’ve set up my Pocket PC with Skype and now I can make pretty cheap VoIP calls wirelessly throughout the house.
Broadband in the Backwoods!!
I have been trying to get a number of Wifi Service Providers to set up in the local area, but so far none have been able to provide connectivity for my local area. Companies I know of, which provide Wifi connections in the North Wexford area where I live include:
I’m still talking with Alpha Broadband with a view to setting up an access point at the local Ballywater wind farm near where I live. Hopefully something will come of this.
Anyway, it turns out that Eircom, which is the main telecom company here in Ireland, have been doing upgrade work over the last few months to the phone lines between my house and the local exchange, which is 5.1 KM away as the phone lines run. Last year, I got my phone line tested for broadband and it failed. I assumed it was the distance which was causing the failure (as DSL starts to run out of steam at around the 5KM mark) and left it at that. But just recently a next door neighbor was able to get DSL following an engineer's site visit. It turns out that a lot of phone lines which were installed a long time ago in the local area were so called "Multichannel Carrier Lines". These are where a single line from the exchange is split into 4 separate lines on a telephone pole close to your house. These 4 lines then serve separate households. These types of lines are completely unsuitable for broadband and even affect the rates you get when on ordinary dial-up to the Internet. One neighbor I know is lucky if he gets 33.6K when he connects via dial-up!
If you can get a new standard ordinary cable installation phone line or get your existing line converted to this, then even at over 5 KM from the local exchange you stand a good chance of getting DSL. Just last night I was helping out a neighbor with their broadband connection and they would be just 400 meters or so closer to the exchange than myself. I was surprised to see that the DSL router was reporting that it was connecting at 2MB downstream.
After dealing with Eircom support before Christmas, they advised that I get a new standard phone line and hopefully I should then be able to get broadband on it. At a later date, I could then transfer my existing phone number to the new line and decommission the existing one. An Eircom engineer duly arrived last week and installed the new line. I had a good chat with the engineer and he was able to give me a lot of good information on how the physical phone line systems are constructed. Once the line was commissioned by the engineer, I went back to the Eircom web site and checked the line for compatibility with broadband. Initially it said it was unable to determine the capability and the engineer said it was best to give it a day or two before you try to apply again. Later in the week, I tested the line again and this time it failed. Now I had two phone lines and neither were compatible with broadband. To say I was feeling let down was the understatement of the month.
After giving out about the state of broadband in the local Strand Bar pub one night to some fellow pub-quizzers, one person suggested that I talk to one of my neighbors who happened to be a senior engineer with Eircom. I do not know what magic or pixie dust he used, but just today, the online test says that my phone line is now suitable for broadband subject to confirmation. The highest spec package it said my line was suitable for was 2 MB downstream and 256K upstream, which I’ll take any day of the week.
Hopefully I should be getting my self-install pack from Eircom in the next few days which includes a standard Netopia 3300 DSL Wireless Router. I will keep you informed of my luck with finally getting properly on the Information Superhighway.