Fail of the AcquireCredentialsHandleA for TLS 1.3
YuriL180821 opened this issue · 5 comments
Describe the bug
AcquireCredentialsHandleA returns 0x80090331 for the TLS 1.3 protocol, which leads to the negotiation error AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE. The same methods with the same credentials work fine for lower TLS versions.
Expected Behavior
AcquireCredentialsHandleA should return SEC_E_OK for any TLS protocol version
Current Behavior
AcquireCredentialsHandleA fails on the latest master at the given moment
https://github.com/awslabs/aws-c-io/blob/a3555c86bd10149a1ab0c1b2810756ec54cfbe3a/source/windows/secure_channel_tls_handler.c#L1738
Reproduction Steps
Activate the AWS_IO_TLSv1_3 version for the TLS handler
Possible Solution
According to MS learn
https://learn.microsoft.com/en-us/answers/questions/708734/tls-1-3-doesnt-work-on-windows-11-through-schannel
In order to use TLS 1.3 with schannel, you should use the SCH_CREDENTIALS structure instead of the SCHANNEL_CRED structure with AcquireCredentialsHandle().
SCH_CREDENTIALS - Win32 apps | Microsoft Learn
i.e. the current sc_ctx->credentials, which is a pointer to a SCHANNEL_CRED structure

```c
SECURITY_STATUS status = AcquireCredentialsHandleA(
    NULL,
    UNISP_NAME,
    credential_use,
    NULL,
    &sc_ctx->credentials, /* <-- currently it is SCHANNEL_CRED */
    ...);
```

should be replaced with SCH_CREDENTIALS
Additional Information/Context
AWS CPP SDK version used
1.26.0, 1.30.0
Compiler and Version used
MSVS 2022 Professional
Operating System and version
Windows 11 x64
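As an added illustration of the change proposed above (not code from the original issue or from aws-c-io): acquiring an outbound Schannel credential with SCH_CREDENTIALS so that TLS 1.3 can be offered. The helper names `disabled_from_enabled` and `acquire_tls13_client_cred` are hypothetical, and the include order assumes a current Windows SDK; the Windows-only part is guarded so the mask helper also compiles elsewhere.

```c
#include <stdint.h>

/* SCHANNEL_CRED takes an allow-list (grbitEnabledProtocols). TLS_PARAMETERS,
 * used by SCH_CREDENTIALS, takes a deny-list (grbitDisabledProtocols), so a
 * protocol mask carried over from the old structure must be complemented. */
uint32_t disabled_from_enabled(uint32_t enabled) {
    return ~enabled;
}

#ifdef _WIN32
#define SECURITY_WIN32
#define SCHANNEL_USE_BLACKLISTS /* makes schannel.h declare SCH_CREDENTIALS */
#include <windows.h>
#include <subauth.h>            /* UNICODE_STRING, needed by those declarations */
#include <schannel.h>
#include <sspi.h>

/* Hypothetical helper (link with secur32.lib). Returns the SECURITY_STATUS of
 * AcquireCredentialsHandleA; on success *out holds the credential handle and
 * must later be released with FreeCredentialsHandle. */
SECURITY_STATUS acquire_tls13_client_cred(CredHandle *out) {
    TLS_PARAMETERS tls = {0};
    /* Permit TLS 1.2 and TLS 1.3 on the client side, disable everything else. */
    tls.grbitDisabledProtocols =
        disabled_from_enabled(SP_PROT_TLS1_2_CLIENT | SP_PROT_TLS1_3_CLIENT);

    SCH_CREDENTIALS cred = {0};
    cred.dwVersion = SCH_CREDENTIALS_VERSION; /* not SCHANNEL_CRED_VERSION */
    cred.cTlsParameters = 1;
    cred.pTlsParameters = &tls;

    TimeStamp expiry;
    return AcquireCredentialsHandleA(NULL, UNISP_NAME_A, SECPKG_CRED_OUTBOUND,
                                     NULL, &cred, NULL, NULL, out, &expiry);
}
#endif /* _WIN32 */
```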
It looks like you are trying to use the IoT SDK, not this SDK. Can you open an issue here (aws-iot-device-sdk-cpp-v2) and provide a code sample that reproduces this?
Hello @jmklix
Thanks for reacting to my issue!
Looks like you are right: my issue is about a problem in AWS-C-IO, which in its turn is one of the submodules of AWS CRT CPP.
It's because this is a submodule of the current SDK.
I made a little bit correct assumption about responsibilities about the right team for fixing that problem.
I'm going to address this issue to them, now.
Regards,
Yurii.
I already targeted the right team and registered an issue for AWS-C-IO;
the link to the problem is awslabs/aws-c-io#609
Hi @YuriL180821 ,
Thank you for reporting this issue.
As discussed, this one is for the AWS IoT SDK for CPP and our common dependency, AWS CRT / aws-c-io.
I will close this issue, please contact us again should you have any other issue.
Best regards,
Sergey