
Does TLS 1.3 work with a Windows 10 client in Ice 3.7.2?

We have a customer that wants to use TLS 1.3 with our software. I'm able to establish a connection between Linux systems with TLS 1.3 and I can connect a Linux client to a Windows server using TLS 1.3. I'm not able to connect a Windows client to either a Windows or Linux server using TLS 1.3. Is there a known issue?

Microsoft isn't entirely clear about what is needed to get TLS 1.3 enabled. I'm using Win 10 20H2. I have a registry change to enable TLS 1.3 for both the client and server on the Windows system. Since I can connect to the server running on Windows with TLS 1.3, I believe TLS 1.3 must be working in our version of Ice. When I try to use the Windows 10 client, I see a message from Ice showing that a TLS 1.3 connection is accepted and then something closes the connection.

Sorry if this is a repeat of a previous question. I tried to search the forum and was not able to get search to work.

Thanks

Comments

  • xdm
    La Coruña, Spain

    Hi Roy,

    I was mistakenly thinking that this should work in recent Windows 10 versions, but according to this Microsoft doc it is not supported.

    https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    It seems it is only in Windows Server 2022. I will check if I can find any more info on this.

  • xdm
    La Coruña, Spain

    Hi Roy,

    > We have a customer that wants to use TLS 1.3 with our software. I'm able to establish a connection between Linux systems with TLS 1.3 and I can connect a Linux client to a Windows server using TLS 1.3

    I'm a bit surprised that this works for you. Are you sure the connection is using TLS 1.3? Try setting IceSSL.Trace.Security=1 in both client and server to see what protocol they negotiate. You can also set IceSSL.Protocols=tls1_3 in the client to force using this protocol.

    I did some testing with Win 10 20H2, but this doesn't seem to work. It seems this is supported with preview version 20170; see https://www.microsoft.com/security/blog/2020/08/20/taking-transport-layer-security-tls-to-the-next-level-with-tls-1-3/

    I think we will have to update IceSSL to use the new credentials API, SCH_CREDENTIALS. One issue is that this API is not compatible with old Windows versions, so we will probably need a separate IceSSL build to support TLS 1.3.

  • Thanks. I really appreciate the help.