Requiring TLS 1.3 results in LSA error on Windows 10 21H1 for SslStream #53537
Comments
Tagging subscribers to this area: @dotnet/ncl, @vcsjones |
Triage: Likely problem in the OS. We should confirm and send it over. |
Can you try it on Server2022+ @vcsjones? I took it to the Schannel team and I was told that 21H1 is an unsupported platform. |
Ah. Hmm. I apparently had the wrong impression on that. I thought it was "supported but off by default". Will try and report back. |
I'm trying to clarify. It seems like 21H1 is missing from the table here https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp- |
@wfurt Ohhh. I looked at this doc a long time ago and it used to say 21H1, which is probably why I was given that impression. It appears to have changed a few months ago. MicrosoftDocs/win32@45fe995#diff-93e62a5793d2a9571e3d97b3d5452653a0d6d9385e1bcee53c28d5cf369206c7 |
Thanks. I'm trying to clarify as well. Do you have a repro to a particular server, or is that pretty consistent? I saw something similar a while back running the .NET test suite, so I'll try to collect more insight. |
@wfurt what is the next step here? |
Can you get Schannel traces @vcsjones and/or try it on 22 server? I see something similar on a supported OS, but for me it is somewhat rare and non-deterministic. |
@wfurt will do; might take me a day or two to find the time. Sorry and thanks y'all for the patience! |
That is ok. There is some interest from the Schannel team and it may help them to improve the product. |
I can't get it to reproduce on Windows Server 2022 Preview. I'll close this then and if I find anything that does reproduce on Windows Server 2022 I will re-open or raise a new issue. |
Description
Steps to reproduce:
It seems that if I explicitly use SslProtocols.Tls13 when authenticating as a client, I get "Win32Exception (0x80090304): The Local Security Authority cannot be contacted". If I do not explicitly set the SslProtocols, it will successfully negotiate TLSv1.3.
Enable TLSv1.3 on Windows 10 21H1 (Build 19043.985), reboot.
I did this with:
Run the following snippet:
It will fail for me with:
If I change AuthenticateAsClientAsync to await sslStream.AuthenticateAsClientAsync("github.com"); by removing the explicit protocol configuration, it does not fail and correctly negotiates TLSv1.3.
Configuration
Reproduces on .NET 5 and .NET 6 Preview 4.
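Added example, not the reporter's snippet (which did not survive on this page) and not code from the .NET project: a C# probe that runs the two client configurations the description compares and reports either the negotiated protocol or the native error code. It connects to github.com:443, the host named above; the class and method names are hypothetical, and how the Win32Exception surfaces is an assumption noted in the code.

```csharp
using System;
using System.ComponentModel;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading.Tasks;

static class Tls13Probe
{
    // One handshake attempt. SslProtocols.None means "let the OS choose".
    static async Task<string> TryHandshakeAsync(string host, SslProtocols protocols)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, 443);
        using var ssl = new SslStream(tcp.GetStream());
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            EnabledSslProtocols = protocols,
        };
        try
        {
            await ssl.AuthenticateAsClientAsync(options);
            return $"ok, negotiated {ssl.SslProtocol}";
        }
        catch (Exception ex) when (ex is AuthenticationException || ex is Win32Exception)
        {
            // Assumption: the SSPI status arrives as a Win32Exception, either
            // thrown directly or wrapped as the inner exception.
            var native = ex as Win32Exception ?? ex.InnerException as Win32Exception;
            return native != null
                ? $"failed, 0x{native.NativeErrorCode:X8}: {native.Message}"
                : $"failed: {ex.Message}";
        }
    }

    static async Task Main()
    {
        const string host = "github.com"; // host used in the issue text
        // Explicit TLS 1.3 only: the configuration the issue reports as failing.
        Console.WriteLine("Tls13 only : " + await TryHandshakeAsync(host, SslProtocols.Tls13));
        // OS defaults: the configuration the issue reports as negotiating TLS 1.3.
        Console.WriteLine("OS default : " + await TryHandshakeAsync(host, SslProtocols.None));
    }
}
```

Running both lines on the same machine separates a host-level Schannel problem from a server-side one: if only the explicit Tls13 line fails, the difference lies in the client protocol configuration rather than in the remote endpoint.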