
Enabling TLS 1.3 on Windows #732

Open: sfod wants to merge 2 commits into main from windows-tls-13


@sfod sfod commented May 21, 2025

Issue #, if available:

Another attempt to support TLS 1.3 on Windows platform.
Previous PR #676 didn't handle older Windows SDKs, so we had to revert it.

Description of changes:

Support TLS 1.3 on Windows when mTLS is used.

Other changes:

  • Use persistent key container for RSA keys.
  • Implement local TLS server for tests.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

codecov-commenter commented May 22, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.74%. Comparing base (689dee3) to head (4c48cf6).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #732   +/-   ##
=======================================
  Coverage   78.74%   78.74%           
=======================================
  Files          30       30           
  Lines        6385     6385           
=======================================
  Hits         5028     5028           
  Misses       1357     1357           

@sfod sfod force-pushed the windows-tls-13 branch from 8cdcc48 to 86575bd Compare May 22, 2025 18:03
@sfod sfod force-pushed the windows-tls-13 branch from ce5ee21 to 4c48cf6 Compare May 22, 2025 20:26
@sfod sfod marked this pull request as ready for review May 22, 2025 20:31
@@ -104,7 +104,18 @@ add_net_test_case(cleanup_before_connect_or_timeout_doesnt_explode)
endif()

if(WIN32)
set(WIN_VERSION ${CMAKE_SYSTEM_VERSION})
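
Review bot: at `set(WIN_VERSION ${CMAKE_SYSTEM_VERSION})`, the variable being read is the target-system version, which a toolchain file or a `-DCMAKE_SYSTEM_VERSION=...` argument can override, so it does not reliably describe the machine the tests will run on. If WIN_VERSION is meant to gate on the host OS, read `CMAKE_HOST_SYSTEM_VERSION` instead. Please also add a comment above this line stating what the version is compared against and why, since TLS 1.3 availability depends on both the OS and the Windows SDK and the rest of the hunk is not visible here.
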
@xiazhvera xiazhvera May 28, 2025


This check might no longer work after CMake 3.27, as CMAKE_SYSTEM_VERSION will be disabled after CMake 3.27. https://cmake.org/cmake/help/latest/variable/CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION.html
Probably add a comment that this check might not work after 3.27.

Contributor Author

Nice catch! So, it seems CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION should be used here instead

Contributor Author

Though, thinking more about it:
CMAKE_SYSTEM_VERSION is the version of the OS where tests are running.
CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION is the version of Windows SDK that is used.

TLS 1.3 availability is determined by both the Windows OS version and Windows SDK version.

We can add an extra check for CMAKE_VS_WINDOWS_TARGET_PLATFORM_VERSION. But considering that our CI uses modern Windows SDKs, it might be overkill.

Contributor

It is possible that CMAKE_SYSTEM_VERSION is overwritten by the build configuration. CMAKE_SYSTEM_VERSION could be set to a target build system version instead of the OS version actually running on the host. Probably use CMAKE_HOST_SYSTEM_VERSION if we would like to check the actual OS version?

Contributor Author

You're right, CMAKE_HOST_SYSTEM_VERSION is better suited
