I'm using Microsoft Crypto API to handle SSL connections. When communicating with servers that support TLS 1.0 or higher everything works fine, but when I try to deal with server that support only SSL 3.0 InitializeSecurityContext() fails with error code 0x80090331 (SEC_E_ALGORITHM_MISMATCH).
I tried to play with SCHANNEL_CRED structure that is passed to AcquireCredentialsHandle() as pAuthData argument. Particularly it has field grbitEnabledProtocols that is supposed to control the set of supported protocols. When I set grbitEnabledProtocols=SP_PROT_SSL3, everything works fine, but it breaks the security because I want to support TLS 1.0, 1.1 and 1.2 too, and it becomes impossible to communicate with servers that have SSL 3.0 disabled for security reasons.
So the problem is:
When I set grbitEnabledProtocols=SP_PROT_SSL3TLS1_X and try to communicate with server that supports SSL 3.0 only, connection starts as TLS 1.2, then server responds with SSL 3.0 header and appropriate data. From here, according to the RFC, Crypto API should continue the handshake procedure using SSL 3.0 protocol, but instead it fails with error 0x80090331 (SEC_E_ALGORITHM_MISMATCH, the client and server cannot communicate, because they do not possess a common algorithm).
Is there any possible way to enable TLS 1.0, 1.1, 1.2 along with SSL 3.0 in MS Crypto API?
