We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

IIS 10 TLS 1.3 supportRSS

7 replies

Last post Sep 22, 2020 08:59 PM by nzakhil

  • IIS 10 TLS 1.3 support

    May 30, 2020 01:37 PM|tbuckingham|LINK

    We currently have a customer is looking to submit orders to us via our standard API but they are requiring us to enable and support TLS 1.3 which currently appears to no be supported in Server 2016/Server 2019.

    Has anyone had success with adding TLS 1.3 in the registry and being able to accept requests? We have asked them to fall back to TLS 1.2 but for them its not an option.

  • Rovastar Rovastar

    5495 Posts

    MVP

    Moderator

    Re: IIS 10 TLS 1.3 support

    May 31, 2020 12:26 AM|Rovastar|LINK

    TLS 1.3 is not available yet for any version of windows server.
    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: IIS 10 TLS 1.3 support

    Jun 01, 2020 07:24 AM|Yuk Ding|LINK

    Hi tbuckingham,

    IIS  rely on Schannel. However, no windows server version has supported TLS 1.3 in schannel.

     https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3

    If TLS 1.3 is required, please use OpenSSL library instead. If there is any update with windows server schannel, we will let you know as soon as possible.

    Best Regards,

    Jokies Ding

    Yuk Ding

    MSDN Community Support
    Please remember to "Mark as Answer" the responses that resolved your issue.
  • Re: IIS 10 TLS 1.3 support

    Jun 12, 2020 02:55 AM|tbuckingham|LINK

    Yuk Ding

    Hi tbuckingham,

    IIS  rely on Schannel. However, no windows server version has supported TLS 1.3 in schannel.

     https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3

    If TLS 1.3 is required, please use OpenSSL library instead. If there is any update with windows server schannel, we will let you know as soon as possible.

    Best Regards,

    Jokies Ding

    So if I generate a request in OpenSSL I can then used the signed certificate I imported into IIS 10 (Server 2019) and enable TLS 1.3 Schannel and ciphers?

    I'm not finding a lot of information around OpenSSL paired with an IIS server.

  • Re: IIS 10 TLS 1.3 support

    Jun 12, 2020 06:00 AM|lextm|LINK

    tbuckingham

    So if I generate a request in OpenSSL I can then used the signed certificate I imported into IIS 10 (Server 2019) and enable TLS 1.3 Schannel and ciphers?

    No. That's impossible.

    "Using OpenSSL" means your application has to be fully on OpenSSL (like many open source projects, Apache/nginx/wget and so on) and does not use Windows TLS implementation at all.

    If you have to use any Windows built-in support, then TLS 1.2 is the only feasible option right now.

    Lex Li
    Want to have a chat on the issues you meet? Book an appointment at https://buy.stripe.com/cN24ia0yi7sAdIA7sv
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS 10 TLS 1.3 support

    Jun 16, 2020 12:52 PM|tbuckingham|LINK

    Since we have already developed the application for .NET and IIS services using OpenSSL is currently no an option for us. I noticed that Microsoft lists Server Core 1903 as capable of supporting TLS 1.3 in a non-production environment so I started down this route and have the server running with the IIS 10 role and features.

    I enabled TLS 1.3 server and client SCHANNEL registry keys, imported a certificate, and assigned it (bind) it to the website https address but clients fail to connect.

    The documentation from Microsoft appears to be lacking on implementation.

  • Re: IIS 10 TLS 1.3 support

    Jun 16, 2020 03:59 PM|lextm|LINK

    tbuckingham

    noticed that Microsoft lists Server Core 1903 as capable of supporting TLS 1.3 in a non-production environment so I started down this route and have the server running with the IIS 10 role and features.

    Don't waste your time on that. Microsoft's TLS 1.3 on that OS is broken and not interoperable with any other TLS 1.3 tooling.

    Wait till they fix that please.

    Lex Li
    Want to have a chat on the issues you meet? Book an appointment at https://buy.stripe.com/cN24ia0yi7sAdIA7sv
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS 10 TLS 1.3 support

    Sep 22, 2020 08:59 PM|nzakhil|LINK

    Any update here?