
TLS 1.2 - session resumption

1 reply

Last post Jul 12, 2018 09:02 AM by deepakpanchal10

  • TLS 1.2 - session resumption

    Jul 09, 2018 09:30 AM | Michal Machniak


    Is there a way to make TLS ticket session resumption work on Windows 2016? Now it only works on TLS 1.1

  • Re: TLS 1.2 - session resumption

    Jul 12, 2018 09:02 AM | deepakpanchal10

    Hi Michal,

    In TLS 1.2, the client uses the "signature_algorithms" extension to indicate to the server which signature/hash algorithm pairs may be used in digital signatures (i.e., server certificates and server key exchange). The TLS 1.2 RFC also requires that the server Certificate message honor "signature_algorithms" extension:

    "If the client provided a "signature_algorithms" extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension."

    In practice, some third-party TLS clients do not comply with the TLS 1.2 RFC and fail to include all the signature and hash algorithm pairs they are willing to accept in the "signature_algorithms" extension, or omit the extension altogether (the latter indicates to the server that the client only supports SHA1 with RSA, DSA or ECDSA).

    A TLS server often only has one certificate configured per endpoint, which means the server can’t always supply a certificate that meets the client’s requirements.

    Prior to Windows 10 and Windows Server 2016, the Windows TLS stack strictly adhered to the TLS 1.2 RFC requirements, resulting in connection failures with RFC non-compliant TLS clients and interoperability issues. In Windows 10 and Windows Server 2016, the constraints are relaxed and the server can send a certificate that does not comply with TLS 1.2 RFC, if that’s the server’s only option. The client may then continue or terminate the handshake.

    When validating server and client certificates, the Windows TLS stack strictly complies with the TLS 1.2 RFC and only allows the negotiated signature and hash algorithms in the server and client certificates.

    I suggest you refer to the article below for detailed information regarding the TLS 1.2 changes.

    TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016



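The "signature_algorithms" rule quoted in the reply above can be checked offline against a captured ClientHello. The following is an added example, not part of the original thread or of Schannel: it parses the extension body using the TLS 1.2 code points from RFC 5246 and tests whether a server certificate's hash/signature pair was offered. The function names and the sample byte strings are constructed for illustration, and the omitted-extension case is simplified to the three SHA1 pairs the reply mentions.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1)
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
        4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Pairs assumed when the client omits the extension (simplified: the RFC
# picks one of these according to the negotiated key exchange).
DEFAULT_PAIRS = [("sha1", "rsa"), ("sha1", "dsa"), ("sha1", "ecdsa")]


def parse_signature_algorithms(ext_data):
    """Return the (hash, signature) pairs the client offered.

    ext_data is the extension_data of signature_algorithms (type 13),
    or None when the ClientHello carried no such extension.
    """
    if ext_data is None:
        return list(DEFAULT_PAIRS)
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    # The list must fill the extension exactly and hold whole 2-byte pairs.
    if list_len != len(body) or list_len == 0 or list_len % 2:
        raise ValueError("malformed supported_signature_algorithms list")
    pairs = []
    for i in range(0, list_len, 2):
        h, s = body[i], body[i + 1]
        pairs.append((HASH.get(h, f"unknown({h})"), SIG.get(s, f"unknown({s})")))
    return pairs


def certificate_acceptable(ext_data, cert_hash, cert_sig):
    """True if a certificate signed with cert_hash/cert_sig was offered."""
    return (cert_hash, cert_sig) in parse_signature_algorithms(ext_data)


# Constructed sample extension bodies (not taken from a real capture)
FULL_OFFER = bytes.fromhex("0006" "0401" "0501" "0201")  # sha256, sha384, sha1 with rsa
NARROW_OFFER = bytes.fromhex("0002" "0403")              # sha256/ecdsa only

if __name__ == "__main__":
    for name, ext in [("full", FULL_OFFER), ("narrow", NARROW_OFFER), ("omitted", None)]:
        ok = certificate_acceptable(ext, "sha256", "rsa")
        print(f"{name:8} offered={parse_signature_algorithms(ext)} sha256/rsa ok={ok}")
```

The "narrow" and "omitted" cases are the ones where a server holding a single SHA256/RSA certificate cannot satisfy the client, which is the interoperability situation the reply describes.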