IIS 7 and Above
TLS 1.2 - session resumption
Last post Jul 12, 2018 09:02 AM by deepakpanchal10
Jul 09, 2018 09:30 AM|Michal Machniak|LINK
Is there a way to make TLS ticket session resumption work on Windows 2016? No, it only works on TLS 1.1.
Jul 12, 2018 09:02 AM|deepakpanchal10|LINK
Hi Michal,
In TLS 1.2, the client uses the "signature_algorithms" extension to indicate to the server which signature/hash algorithm pairs may be used in digital signatures (i.e., server certificates and server key exchange). The TLS 1.2 RFC also requires that the server Certificate message honor: "If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension."
In practice, some third-party TLS clients do not comply with the TLS 1.2 RFC and fail to include all the signature and hash algorithm pairs they are willing to accept in the "signature_algorithms" extension, or omit the extension altogether (the latter indicates to the server that the client only supports SHA1 with RSA, DSA or ECDSA).
A TLS server often only has one certificate configured per endpoint, which means the server can’t always supply a certificate that meets the client’s requirements.
Prior to Windows 10 and Windows Server 2016, the Windows TLS stack strictly adhered to the TLS 1.2 RFC requirements, resulting in connection failures with RFC non-compliant TLS clients and interoperability issues. In Windows 10 and Windows Server 2016, the constraints are relaxed and the server can send a certificate that does not comply with the TLS 1.2 RFC, if that's the server's only option. The client may then continue or terminate the handshake.
When validating server and client certificates, the Windows TLS stack strictly complies with the TLS 1.2 RFC and only allows the negotiated signature and hash algorithms in the server and client certificates.
I suggest you refer to the article below for detailed information regarding the TLS 1.2 changes.
TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016
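The certificate-selection rule the answer above quotes from the TLS 1.2 RFC, as an added worked example that is not part of the forum thread or of Schannel: it parses the "signature_algorithms" extension out of a ClientHello extensions block, applies the RFC default (SHA1 with RSA, DSA or ECDSA) when the extension is absent, and then models the two server behaviours described in the post, strict (fail the handshake when no configured chain matches) and relaxed (send the only chain available and let the client decide). Certificate chains are represented as lists of (hash, signature) tuples rather than parsed X.509, and the ClientHello bytes are constructed inline; both are assumptions made for the example.

```python
# Added example (not from the forum post or from Schannel): parse the TLS 1.2
# "signature_algorithms" extension (RFC 5246, 7.4.1.4.1) and apply the rule that
# every certificate the server sends must be signed with a pair the client listed.
# Sample ClientHello extension bytes and chains are constructed below.
import struct

# RFC 5246 HashAlgorithm / SignatureAlgorithm code points
HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}
EXT_SIGNATURE_ALGORITHMS = 13

# What the server must assume when the extension is absent
DEFAULT_PAIRS = {("sha1", "rsa"), ("sha1", "dsa"), ("sha1", "ecdsa")}


def parse_extensions(blob):
    """Parse a ClientHello extensions block (2-byte total length, then
    type(2) length(2) data entries) into {type: data}, rejecting truncation."""
    if len(blob) < 2:
        raise ValueError("truncated extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("extensions length exceeds buffer")
    exts, pos = {}, 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension data")
        if ext_type in exts:
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = data
        pos += 4 + ext_len
    return exts


def parse_signature_algorithms(data):
    """Decode the extension body: 2-byte list length, then (hash, sig) byte pairs.
    Unknown code points are ignored rather than treated as an error."""
    (n,) = struct.unpack("!H", data[:2])
    pairs = data[2:2 + n]
    if len(pairs) != n or n % 2:
        raise ValueError("malformed signature_algorithms list")
    return {(HASH[pairs[i]], SIG[pairs[i + 1]])
            for i in range(0, n, 2)
            if pairs[i] in HASH and pairs[i + 1] in SIG}


def client_accepted_pairs(extensions_blob):
    """Pairs the client will accept: the extension's list, or the RFC default."""
    exts = parse_extensions(extensions_blob)
    if EXT_SIGNATURE_ALGORITHMS not in exts:
        return set(DEFAULT_PAIRS)
    return parse_signature_algorithms(exts[EXT_SIGNATURE_ALGORITHMS])


def select_certificate(extensions_blob, chains, relaxed):
    """Return (chain, compliant). `chains` is a list of configured chains, each a
    list of (hash, sig) tuples for the signature on each certificate (assumption:
    stands in for real X.509 parsing). relaxed=False models the strict pre-Windows
    10 behaviour (no compliant chain -> handshake fails, returns (None, False));
    relaxed=True models the Windows 10 / Server 2016 behaviour of sending the
    server's only option anyway and leaving the decision to the client."""
    accepted = client_accepted_pairs(extensions_blob)
    for chain in chains:
        if all(sig in accepted for sig in chain):
            return chain, True
    if relaxed and chains:
        return chains[0], False
    return None, False


def build_extensions(pairs_or_none):
    """Construct a ClientHello extensions block carrying only signature_algorithms
    (or an empty block when None). Test-input helper, not part of any TLS stack."""
    if pairs_or_none is None:
        return struct.pack("!H", 0)
    inv_h = {v: k for k, v in HASH.items()}
    inv_s = {v: k for k, v in SIG.items()}
    body = b"".join(bytes([inv_h[h], inv_s[s]]) for h, s in pairs_or_none)
    ext = struct.pack("!H", len(body)) + body
    entry = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(ext)) + ext
    return struct.pack("!H", len(entry)) + entry


if __name__ == "__main__":
    chain = [("sha256", "rsa"), ("sha256", "rsa")]          # leaf + issuer, both SHA-256/RSA
    compliant = build_extensions([("sha256", "rsa"), ("sha1", "rsa")])
    incomplete = build_extensions([("sha512", "ecdsa")])     # client omits pairs it really accepts
    print(select_certificate(compliant, [chain], relaxed=False))
    print(select_certificate(incomplete, [chain], relaxed=False))
    print(select_certificate(incomplete, [chain], relaxed=True))
    print(sorted(client_accepted_pairs(build_extensions(None))))
```

The interesting case is the `incomplete` ClientHello: a client that can verify SHA-256/RSA but only advertises SHA-512/ECDSA. The strict server has no compliant chain and returns nothing, which is the interoperability failure the post describes; the relaxed server returns its only chain flagged as non-compliant, and it is then the client's choice whether to continue.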