I'm using Microsoft Crypto API to handle SSL connections. When communicating with servers that support TLS 1.0 or higher everything works fine, but when I try to deal with server that support only SSL 3.0 InitializeSecurityContext()
fails with error code 0x80090331 (SEC_E_ALGORITHM_MISMATCH
).
I tried to play with SCHANNEL_CRED
structure that is passed to AcquireCredentialsHandle()
as pAuthData
argument. Particularly it has field grbitEnabledProtocols
that is supposed to control the set of supported protocols. When I set grbitEnabledProtocols=SP_PROT_SSL3
, everything works fine, but it breaks the security because I want to support TLS 1.0, 1.1 and 1.2 too, and it becomes impossible to communicate with servers that have SSL 3.0 disabled for security reasons.
So the problem is:
When I set grbitEnabledProtocols=SP_PROT_SSL3TLS1_X
and try to communicate with server that supports SSL 3.0 only, connection starts as TLS 1.2, then server responds with SSL 3.0 header and appropriate data. From here, according to the RFC, Crypto API should continue the handshake procedure using SSL 3.0 protocol, but instead it fails with error 0x80090331
(SEC_E_ALGORITHM_MISMATCH
, the client and server cannot communicate, because they do not possess a common algorithm).
Is there any possible way to enable TLS 1.0, 1.1, 1.2 along with SSL 3.0 in MS Crypto API?