Archived
Does TLS 1.3 work with a Windows 10 client in Ice 3.7.2
We have a customer that wants to use TLS 1.3 with our software. I'm able to establish a connection between Linux systems with TLS 1.3 and I can connect a Linux client to a Windows server using TLS 1.3. I'm not able to connect a Windows client to either a Windows or Linux server using TLS 1.3. Is there a known issue?
Microsoft isn't entirely clear about what is needed to get TLS 1.3 enabled. I'm using Win 10 20H2. I have a registry change to enable TLS 1.3 for both the client and server on the Windows system. Since I can connect to the server running on Windows with TLS 1.3, I believe TLS 1.3 must be working in our version of Ice. When I try to use the Windows 10 client, I see a message from Ice showing that a TLS 1.3 connection is accepted and then something closes the connection.
Sorry if this is a repeat of a previous question. I tried to search the forum and was not able to get search to work.
Thanks
Comments
-
Hi Roy,
I was mistakenly thinking that this should work in recent Windows 10 versions, but according to this Microsoft doc it is not supported.
https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-
Seems it is only in Windows Server 2022. I will check if I can find any more info on this.
0 -
Hi Roy,
> We have a customer that wants to use TLS 1.3 with our software. I'm able to establish a connection between Linux systems with TLS 1.3 and I can connect a Linux client to a Windows server using TLS 1.3
I'm a bit surprised that this works for you. Are you sure the connection is using TLS 1.3? Try setting
IceSSL.Trace.Security=1
in both client and server to see what protocol they negotiate. You can also set
IceSSL.Protocols=tls1_3
in the client to force using this protocol.
I did some testing with Win 10 20H2 but this doesn't seem to work. It seems this is supported with preview version 20170, see https://www.microsoft.com/security/blog/2020/08/20/taking-transport-layer-security-tls-to-the-next-level-with-tls-1-3/
I think we will have to update IceSSL to use the new credentials API
SCH_CREDENTIALS
and one issue is that this API is not compatible with old Windows versions, so we will probably need a separate IceSSL build to support tls1.3
0 -
Thanks. I really appreciate the help.
0