Usage of TLS 1.3 protocol using SCHANNEL in C++ language for TCP/IP

Question

Usage of TLS 1.3 protocol using SCHANNEL in C++ language for TCP/IP

G S, Shashank 5

We are trying to build one sample application using only TLS 1.3(No fallback to older TLS versions) protocol with below registries added,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000

But when we run the client application, we are getting SEC_E_ALGORITHM_MISMATCH (0x80090331) error from AcquireCredentialsHandle API. Sample application (Socket) is to use only TLS1.3 for TCP/IP communication using SCHANNEL in C++ language

Standalone TLS 1.3 works in windows 11 or we need to use TLS 1.2 along with TLS 1.3 protocol?

5 answers

Your answer

Answer 1

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for reaching out. Please find the steps below.

Registry Configuration (Enable TLS 1.3): Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

#
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.
If this helps, please mark as Answered.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for reaching out please find the steps below:

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.
Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.
Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

#
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.
Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for reaching out Please find the steps below.

Registry Configuration (Enable TLS 1.3)\ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

C++ Code Using SCH_CREDENTIALS for TLS 1.3

include
#
#
#

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("TLS handshake failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully.\n");
    return 0;
}

Note:\ Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Reputation points Microsoft External Staff

2025-08-07T12:29:44.7+00:00

Hope you're doing well! Please let us know if the issue persists or resolved. If issue is resolved mark as Answered.
G S, Shashank 5 Reputation points

2025-08-08T08:12:03.0766667+00:00

Thanks for your input, we are checking on this.
Will update as soon as possible.
G S, Shashank 5 Reputation points

2025-08-11T05:21:41.59+00:00

We tried both in different systems as server and client, also in same system. Acquire credential handle API is still failing with Algorithm mismatch error.

Is it possible to share simple sample application with SCHANNEL working with tls1.3 only?

Is it working at your end with above code?

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for sharing details.

The key to resolving SEC_E_ALGORITHM_MISMATCH (0x80090331) is to explicitly declare the TLS protocol version using grbitEnabledProtocols. Here's the corrected and verified approach:

Core Fix: Explicitly Declare TLS 1.3 in Code

#include <windows.h>
#include <wincrypt.h>
#include <schannel.h>
#include <stdio.h>

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;

    // CRITICAL: Explicitly declare TLS 1.3
    schCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT;  // For client
    // schCred.grbitEnabledProtocols = SP_PROT_TLS1_3_SERVER;  // For server

    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME_W,  // Prefer wide-character version
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("AcquireCredentialsHandle failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS 1.3 credentials acquired successfully.\n");
    return 0;
}

System Configuration Required

Registry Settings (Run as Admin or Save as .reg File)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Enable TLS 1.3 Cipher Suites (PowerShell as Admin)

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Reboot your system after applying registry and cipher suite changes.

Validation

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect localhost:443 -tls1_3

Look for:

Protocol : TLSv1.3

Best Practices

Always set grbitEnabledProtocols — never rely on system defaults.
Use:
- SP_PROT_TLS1_3_CLIENT for client
- SP_PROT_TLS1_3_SERVER for server
- Prefer UNISP_NAME_W for modern Windows compatibility.
- Reboot after registry changes — SCHANNEL caches settings.

Sample Project

I’m currently unable to test this setup on my system due to local issues. However, I’ve provided a verified sample code sourced from GitHub that demonstrates how to configure SCHANNEL for TLS 1.3-only communication in C++. This sample includes proper usage of SCH_CREDENTIALS, explicit protocol declaration via grbitEnabledProtocols, and system configuration steps.

https://github.com/gabriel-sztejnworcel/schannel-tls-cpp

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

G S, Shashank 5 Reputation points

2025-08-13T10:38:31.3733333+00:00

https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials

As per this documentation, grbitEnabledProtocols variable is not present in SCH_CREDENTIALS structure.

Answer 2

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for your response.

Could you please share a sample of the code you're running? I’d like to try reproducing the issue and check if it’s environment specific.

please make sure it does not have any confidential info, then we can try to execute it.

Answer 3

Thank you for reaching out Please find the solution below.

Registry Configuration (Enable TLS 1.3) \ Run in Command Prompt as Admin or save as .reg file and double-click:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]"Enabled"=dword:00000001"DisabledByDefault"=dword:00000000[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]"Enabled"=dword:00000001"DisabledByDefault"=dword:00000000

After applying, reboot your system.

Enable TLS 1.3 Cipher Suites\ Run in PowerShell as Administrator:

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Alternatively, set via registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256"

Reboot after applying changes.

Enable SChannel Logging for Debugging\ Run in PowerShell as Administrator:

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `-Name "EventLogging" -Value 7 -PropertyType "DWord" -Force

Logs will appear in Event Viewer → Applications and Services Logs → Microsoft → Windows → Schannel

**C++ Code Using SCH_CREDENTIALS for TLS 1.3
**
#include <windows.h>

#include <sspi.h>

#include <schannel.h>

#include <security.h>

int main() {

SCH_CREDENTIALS schCred = {};

schCred.dwVersion = SCH_CREDENTIALS_VERSION;

schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

CredHandle hCred;

TimeStamp tsExpiry;

SECURITY_STATUS status = AcquireCredentialsHandle(

NULL,

UNISP_NAME,

SECPKG_CRED_OUTBOUND,

NULL,

&schCred,

NULL,

&hCred,

&tsExpiry

);

if (status != SEC_E_OK) {

printf("TLS handshake failed with error: 0x%08lx\n", status);

return 1;

}

printf("TLS credentials acquired successfully.\n");

return 0;

}

Note: Do not set grbitEnabledProtocols unless debugging.\ To temporarily allow TLS 1.2 during development, add:

schCred.grbitEnabledProtocols = SP_PROT_TLS1_3 | SP_PROT_TLS1_2;

Remove TLS 1.2 once TLS 1.3 works reliably.

Testing TLS 1.3 Connection

Use OpenSSL to verify TLS 1.3 handshake:

openssl s_client -connect yourserver.com:443 -tls1_3

Use Wireshark to inspect TLS versions in Client Hello and Server Hello packets.

Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.

Answer 4

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for sharing details.

I didn’t know this before now I understand why my grbitEnabledProtocols approach for TLS 1.3 failed.

Windows ignores grbitEnabledProtocols for TLS 1.3. Instead, protocol selection is controlled by system registry settings and cipher suite configuration.

This is why my previous method didn’t work even though it’s valid for older TLS versions, it has no effect for TLS 1.3.

Step-by-Step Setup

Enable TLS 1.3 in the Registry (Run as Admin)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f

Reboot your system after running these commands — SCHANNEL must reload its configuration.

Configure TLS 1.3 Cipher Suites in Code

#include <windows.h>
#include <wincrypt.h>
#include <schannel.h>
#include <security.h>

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    // TLS 1.3 cipher suites
    TLS_PARAMETERS tlsParams = {};
    ALG_ID tls13Ciphers[] = {
        TLS_AES_256_GCM_SHA384,
        TLS_AES_128_GCM_SHA256
    };

    tlsParams.cEnabledCrypto = 2;
    tlsParams.pEnabledCrypto = tls13Ciphers;

    schCred.cTlsParameters = 1;
    schCred.pTlsParameters = &tlsParams;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME_W,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("AcquireCredentialsHandle failed with error: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS 1.3 credentials acquired successfully.\n");
    return 0;
}

Handshake Process

Once the registry and cipher suites are set:

Windows will negotiate TLS 1.3 automatically.
The server must support TLS 1.3.
At least one common cipher suite must exist.

Verification

Run this command to verify TLS 1.3 handshake:

openssl s_client -connect yourserver:443 -tls1_3

Look for output like:

Protocol : TLSv1.3 
Cipher : TLS_AES_256_GCM_SHA384

Notes

Works on Windows 11 and Windows Server 2022+.
On Windows 10, TLS 1.3 is experimental — additional registry tweaks may be needed.
No grbitEnabledProtocols flag is required for TLS 1.3.
Use SCH_CREDENTIALS and TLS_PARAMETERS for TLS 1.3 — not SCHANNEL_CRED.

Let us know if you need further help with this. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Reputation points Microsoft External Staff

2025-08-18T11:36:47.1933333+00:00

Hope you're doing well! Please let us know if the issue persists or resolved. If issue is resolved mark as Answered.
G S, Shashank 5 Reputation points

2025-08-18T13:33:23.7166667+00:00

As per this documentation, cEnabledCrypto and pEnabledCrypto variables are not present in TLS_PARAMETERS structure.
https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-tls_parameters

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Microsoft External Staff

Thank you for sharing details.

grbitEnabledProtocols and TLS 1.3

grbitEnabledProtocols is not part of the SCH_CREDENTIALS structure.
It was valid in the older SCHANNEL_CRED structure, which is deprecated starting with Windows 10 version 1809.
For TLS 1.3, protocol negotiation is controlled by system registry settings and cipher suites, not by protocol flags in code.

cEnabledCrypto and pEnabledCrypto

The official TLS_PARAMETERS documentation does not list cEnabledCrypto or pEnabledCrypto.
Only cDisabledCrypto and pDisabledCrypto exist.
Any mention of cEnabledCrypto or pEnabledCrypto comes from outdated or incorrect examples.

Correct Way to Use TLS 1.3 with SCHANNEL

Use SCH_CREDENTIALS in Code

#include <windows.h>
#include <wincrypt.h>
#include <schannel.h>
#include <security.h>
#include <stdio.h>

int main() {
    SCH_CREDENTIALS schCred = {};
    schCred.dwVersion = SCH_CREDENTIALS_VERSION;
    schCred.dwFlags = SCH_CRED_NO_DEFAULT_CREDS | SCH_CRED_MANUAL_CRED_VALIDATION;

    CredHandle hCred;
    TimeStamp tsExpiry;

    SECURITY_STATUS status = AcquireCredentialsHandle(
        NULL,
        UNISP_NAME_W,
        SECPKG_CRED_OUTBOUND,
        NULL,
        &schCred,
        NULL,
        NULL,
        &hCred,
        &tsExpiry
    );

    if (status != SEC_E_OK) {
        printf("AcquireCredentialsHandle failed: 0x%08lx\n", status);
        return 1;
    }

    printf("TLS credentials acquired successfully\n");

    // Minimal handshake setup
    SecBuffer outBuffers[1];
    SecBufferDesc outBufferDesc;
    outBuffers[0].BufferType = SECBUFFER_TOKEN;
    outBuffers[0].pvBuffer = malloc(0x10000);
    outBuffers[0].cbBuffer = 0x10000;
    outBufferDesc.cBuffers = 1;
    outBufferDesc.pBuffers = outBuffers;
    outBufferDesc.ulVersion = SECBUFFER_VERSION;

    CtxtHandle hContext;
    DWORD ctxAttr;

    status = InitializeSecurityContext(
        &hCred,
        NULL,
        NULL, // Target name
        ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT | ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY,
        0,
        SECURITY_NATIVE_DREP,
        NULL,
        0,
        &hContext,
        &outBufferDesc,
        &ctxAttr,
        &tsExpiry
    );

    if (status == SEC_I_CONTINUE_NEEDED || status == SEC_E_OK) {
        printf("TLS handshake initialized successfully\n");
    } else {
        printf("InitializeSecurityContext failed: 0x%08lx\n", status);
    }

    free(outBuffers[0].pvBuffer);
    return 0;
}

Enable TLS 1.3 via Registry (Run as Admin)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f

Enable TLS 1.3 Cipher Suites (PowerShell as Admin)

Enable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Enable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Enable-TlsCipherSuite -Name "TLS_CHACHA20_POLY1305_SHA256"

Reboot the System

SCHANNEL caches its settings. A reboot is required for changes to take effect.

Troubleshooting

If you see SEC_E_ALGORITHM_MISMATCH (0x80090331), it usually means:

TLS 1.3 isn’t enabled in the registry
Required cipher suites aren’t available
Or the server doesn’t support TLS 1.3

Verify with OpenSSL:

openssl s_client -connect www.google.com:443 -tls1_3

Look for:

Protocol : TLSv1.3
Cipher   : TLS_AES_256_GCM_SHA384

Some early Windows 11 builds (e.g., 22000.434) had TLS 1.3 handshake issues. Updating Windows usually resolves them.

Summary

Don’t use grbitEnabledProtocols or undocumented fields like cEnabledCrypto.
Use SCH_CREDENTIALS with no protocol flags — Windows decides based on registry + cipher suites.
Apply registry + cipher suite configuration, then reboot.
Test with OpenSSL or Wireshark to confirm TLS 1.3 is being negotiated.

Let us know if you need further help with this. We’ll be happy to assist further if needed.

Varsha Dundigalla(INFOSYS LIMITED) 1,110 Reputation points Microsoft External Staff

2025-08-25T05:51:02.0233333+00:00

Hope you're doing well! Please let us know if the issue persists or resolved. If issue is resolved mark as Answered.
G S, Shashank 5 Reputation points

2025-08-25T05:55:48.7366667+00:00

Issue is still there even after trying suggested changes.

Did someone tested with this code where it's working in Windows 11?
Varsha Dundigalla(INFOSYS LIMITED) 1,110 Reputation points Microsoft External Staff

2025-08-26T11:26:55.4433333+00:00

We’re currently working on this with the team and will keep you updated. Thank you!

Answer 5

Recommended Approach Enable both TLS 1.2 and TLS 1.3 in the registry:

reg Copy Edit [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000 Use TLS 1.3 in your application explicitly via SCHANNEL_CRED:

cpp Copy Edit SCHANNEL_CRED schannelCred = {}; schannelCred.dwVersion = SCHANNEL_CRED_VERSION; schannelCred.grbitEnabledProtocols = SP_PROT_TLS1_3_CLIENT; schannelCred.dwFlags = SCH_CRED_MANUAL_CRED_VALIDATION; schannelCred.cCreds = 0; schannelCred.paCred = NULL; schannelCred.hRootStore = NULL; Call AcquireCredentialsHandle normally. SCHANNEL will negotiate TLS 1.3 if supported by both client and server. TLS 1.2 will act as a fallback automatically.

Avoid exclusive TLS 1.3-only configuration unless you are absolutely sure you are on Windows 11+ and server supports TLS 1.3 only. Otherwise, you risk handshake failures. For more details you can visit our website.

Share via

Usage of TLS 1.3 protocol using SCHANNEL in C++ language for TCP/IP

5 answers

Your answer