Usage of TLS 1.3 protocol using SCHANNEL in C++ language for TCP/IP

Question

Usage of TLS 1.3 protocol using SCHANNEL in C++ language for TCP/IP

G S, Shashank 0

We are trying to build one sample application using only TLS 1.3(No fallback to older TLS versions) protocol with below registries added,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000

But when we run the client application, we are getting SEC_E_ALGORITHM_MISMATCH (0x80090331) error from AcquireCredentialsHandle API. Sample application (Socket) is to use only TLS1.3 for TCP/IP communication using SCHANNEL in C++ language

Standalone TLS 1.3 works in windows 11 or we need to use TLS 1.2 along with TLS 1.3 protocol?

2 answers

Your answer

Answer 1

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for reaching out. Please find the steps below.

Registry Configuration (Enable TLS 1.3): Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

#
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.
If this helps, please mark as Answered.

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for reaching out please find the steps below:

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.
Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.
Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

#
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.
Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for reaching out Please find the steps below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 795 Reputation points Microsoft External Staff

2025-08-07T12:29:44.7+00:00

Hope you're doing well! Please let us know if the issue persists or resolved. If issue is resolved mark as Answered.
G S, Shashank 0 Reputation points

2025-08-08T08:12:03.0766667+00:00

Thanks for your input, we are checking on this.
Will update as soon as possible.
G S, Shashank 0 Reputation points

2025-08-11T05:21:41.59+00:00

We tried both in different systems as server and client, also in same system. Acquire credential handle API is still failing with Algorithm mismatch error.

Is it possible to share simple sample application with SCHANNEL working with tls1.3 only?

Is it working at your end with above code?

Varsha Dundigalla(INFOSYS LIMITED) 795 Microsoft External Staff

Thank you for sharing details.

The key to resolving SEC_E_ALGORITHM_MISMATCH (0x80090331) is to explicitly declare the TLS protocol version using grbitEnabledProtocols. Here's the corrected and verified approach:

Core Fix: Explicitly Declare TLS 1.3 in Code

#include <windows.h>
#include <wincrypt.h>
#include <schannel.h>
#include <stdio.h>

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;

    // CRITICAL: Explicitly declare TLS 1.3
    schCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;  // For client
    // schCred.grbitEnabledProtocols = SP_PROT_TLS1_3_SERVER;  // For server

    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME_W,  // Prefer wide-character version
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("AcquireCredentialsHandle failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS 1.3 credentials acquired successfully.\n");
    return 0;
}

System Configuration Required

Registry Settings (Run as Admin or Save as .reg File)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Enable TLS 1.3 Cipher Suites (PowerShell as Admin)

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Reboot your system after applying registry and cipher suite changes.

Validation

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect localhost:443 -tls1_3

Look for:

Protocol : TLSv1.3

Best Practices

Always set grbitEnabledProtocols — never rely on system defaults.
Use:
- SP_PROT_TLS1_3_CLIENT for client
- SP_PROT_TLS1_3_SERVER for server
- Prefer UNISP_NAME_W for modern Windows compatibility.
- Reboot after registry changes — SCHANNEL caches settings.

Sample Project

I’m currently unable to test this setup on my system due to local issues. However, I’ve provided a verified sample code sourced from GitHub that demonstrates how to configure SCHANNEL for TLS 1.3-only communication in C++. This sample includes proper usage of SCH_CREDENTIALS, explicit protocol declaration via grbitEnabledProtocols, and system configuration steps.

https://github.com/gabriel-sztejnworcel/schannel-tls-cpp

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Answer 2

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3) \ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]"Enabled"=dword:00000001"DisabledByDefault"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]"Enabled"=dword:00000001"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

**C++ Code Using SCH_CREDENTIALS for TLS 1.3
**
#include <windows.h>

#include <sspi.h>

#include <schannel.h>

#include <security.h>

int main() {

SCH_CREDENTIALS schCred = {};

schCred.dwVersion = SCH_CREDENTIALS_VERSION;

schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

CredHandle hCred;

TimeStamp tsExpiry;

SECURITY_STATUS status = AcquireCredentialsHandle(

NULL,

UNISP_NAME,

SECPKG_CRED_OUTBOUND,

NULL,

&schCred,

NULL,

&hCred,

&tsExpiry

);

if (status != SEC_E_OK) {

printf("TLS handshake failed with error: 0x%08lx\n", status);

return 1;

}

printf("TLS credentials acquired successfully.\n");

return 0;

}

Note: Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Share via

Usage of TLS 1.3 protocol using SCHANNEL in C++ language for TCP/IP

2 answers

Your answer