我正在处理一个TLS客户端,该客户端需要升级才能在Windows-11上使用TLS 1.3。是否有人使用SChannel API成功实现了TLS 1.3?
根据微软下面的链接TLS 1.3在win-11&服务器-2022
https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
为TLS1.3添加了以下代码片段:
#define SECURITY_PROTOCOL_TLSV13 0x00
securityInfo->bySecurityProtocol = SECURITY_PROTOCOL_TLSV13;
sChannelCred->grbitEnabledProtocols =SP_PROT_TLS1_3_CLIENT;
status = pMyFunTab->**AcquireCredentialsHandleA**(NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND, NULL, &sChannelCred, NULL, NULL, phCred, &ts);
返回状态=SEC_E_ALGORITHM_MISMATCH(0x80090331(
**error details: Secure connection failed. An error occurred while trying to connect to the host, error code 0x80090331. The client and server cannot communicate, because they do not possess a common algorithm.**
api链接:
https://learn.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-acquirecredentialshandleahttps://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/SecAuthN/acquirecredentialshandle--schannel.md
尝试以下更改以修复该问题:
Windows版本测试使用:windows 11 21h2 os build 22000.434
注册表更改:如下链接所示:如何在windows 10 中启用TLS 1.3
任何建议或截取的C++代码的小样本都是值得赞赏的,以及任何可能帮助我了解客户问题的建议。
仅供参考:我没有使用CURL LIB
谢谢
问候:Ajay Jaiswal
Gilles,您是否在Win10或Win11上尝试过使用schannel作为SSL后端的最新curl 7.81.0?下面是我看到的。
curl -vI --tls-max 1.3 https://www.google.com
* Trying 142.251.35.164:443...
* Connected to www.google.com (142.251.35.164) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: TLS 1.3 is not yet supported
* Closing connection 0
curl: (35) schannel: TLS 1.3 is not yet supported
我在Win11中遇到了同样的问题,但下面的代码在Win10中也能工作。请注意,TLS 1.3已在我的Win11注册表中启用。
SCHANNEL_CRED SchannelCred;
CredHandle hClientCreds;
TimeStamp tsExpiry;
PSecurityFunctionTable sspi = InitSecurityInterface();
ZeroMemory(&SchannelCred, sizeof(SchannelCred));
SchannelCred.dwVersion = SCHANNEL_CRED_VERSION;
SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;
SchannelCred.dwFlags |= SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS | SCH_USE_STRONG_CRYPTO;
SECURITY_STATUS Status = sspi->AcquireCredentialsHandle(NULL,
(SEC_CHAR*)UNISP_NAME_A,
SECPKG_CRED_OUTBOUND,
NULL,
&SchannelCred,
NULL,
NULL,
&hClientCreds,
&tsExpiry);
后来,发现在Win11中TLS 1.3需要使用SCH_CREDENTIALS结构,而不是SCHANNEL_CRED结构。
schannel tls 1.3支持时有一个卷曲拉动请求
你可以看看https://github.com/curl/curl/pull/7784