Discussion:
Problem adding TLS 1.3 support on curl - schannel on Windows 21H2 preview
Gilles Vollant via curl-library
2021-04-29 07:45:43 UTC
Hello,

I have installed Windows 2022 preview (same base as the future Windows 10 21H2).

With this version, software that calls wininet to download uses TLS 1.3.

Internet Explorer 11 (after checking TLS 1.3 in options) also uses TLS 1.3.

The https://tls13.akamai.io/ website says the TLS_AES_256_GCM_SHA384 cipher is used, both by Internet Explorer and by a wininet download.

I tried to add support for TLS 1.3 to curl schannel by adding the constant SP_PROT_TLS1_3_CLIENT from the current Windows SDK.

But when I run

curl https://tls13.akamai.io/ --tlsv1.3

I get this error:

schannel: AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH
(0x80090331) - The client and server cannot communicate, because they do not
possess a common algorithm.

Any idea?

Regards

Gilles Vollant

https://github.com/gvollant/curl/tree/gv_schannel_tls13

https://github.com/curl/curl/discussions/6958

https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-server-2022

https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver
Gilles Vollant via curl-library
2021-04-29 16:44:23 UTC
The solution is reading

https://www.microsoft.com/security/blog/2020/08/20/taking-transport-layer-security-tls-to-the-next-level-with-tls-1-3/

https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred

must be replaced by

https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials

Geoff Beier via curl-library
2021-04-29 16:55:13 UTC
Hi,

I pulled your branch and gave it a quick test on current Windows 10. I
saw the same behavior you did.

On Apr 29 2021, at 3:45 am, Gilles Vollant via curl-library
> schannel: AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH
> (0x80090331) - The client and server cannot communicate, because they
> do not possess a common algorithm.
That was happening because TLSv1.3 is disabled by default on my system.

Adding the following to the registry caused it to be enabled:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```

Once I did that, I ran into a new error:

"schannel: can't renegotiate, encrypted data available."

By commenting out this check:
https://github.com/gvollant/curl/blob/2aff6e13896de391f2487e87f2632d44edb97898/lib/vtls/schannel.c#L1959

I was able to proceed and negotiate a TLS 1.3 connection with the akamai server.

I don't know enough about the schannel backend to propose a correct fix,
though, and that is almost certainly not it.

I hope it helps someone who does know enough see where to look next.

Best,

Geoff
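An added example, not code from the thread or from curl: a read-only PowerShell check of the registry key Geoff's post enables, reporting whether the schannel TLS 1.3 client is disabled, available only on request, or on by default (the Enabled / DisabledByDefault semantics follow Microsoft's documented SCHANNEL\Protocols settings; the helper name is my own).

```powershell
# Added example: inspect, without modifying, the schannel TLS 1.3 client override
# that the registry snippet in this thread creates.
$Tls13ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client'

function Get-SchannelTls13ClientState {
    param([string]$Path = $Tls13ClientKey)

    $result = [ordered]@{
        Path              = $Path
        KeyPresent        = $false
        Enabled           = $null
        DisabledByDefault = $null
        Assessment        = ''
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # No override in the registry: schannel applies the OS default for this build.
        $result.Assessment = 'No override present; schannel uses the OS default for this Windows build'
        return [pscustomobject]$result
    }

    $result.KeyPresent = $true
    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in 'Enabled', 'DisabledByDefault') {
        $p = $props.PSObject.Properties[$name]
        if ($p) { $result[$name] = [int]$p.Value }   # DWORD values; absent means "not set"
    }

    # Enabled=0 switches the protocol off for every caller; DisabledByDefault=1 keeps it
    # off unless an application requests it explicitly (as curl does with --tlsv1.3).
    if ($result.Enabled -eq 0) {
        $result.Assessment = 'Disabled for all callers (a forced TLS 1.3 handshake fails at AcquireCredentialsHandle)'
    }
    elseif ($result.DisabledByDefault -eq 1) {
        $result.Assessment = 'Available only to applications that request it explicitly'
    }
    else {
        $result.Assessment = 'Enabled by default for schannel clients'
    }
    return [pscustomobject]$result
}

Get-SchannelTls13ClientState | Format-List
```

Run it before and after applying the .reg snippet above to confirm the override took effect; it needs only read access to HKLM.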