Is TLS1.2/1.3 supported for mutual TLS on Windows? #471
-
My Windows client runs MQTT with mutual TLS against a dockerized mosquitto server (eclipse-mosquitto:2.0-openssl). Now Windows clients return "AWS IoT connect failed with error: AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed" with reason "SEC_E_ALGORITHM_MISMATCH". This issue only happens on Windows, not on Linux. My assumption is the minimum TLS version has changed on the server, and the client needs to set the min_tls_ver in tls_ctx_options; however, doing so has no effect. Is aws-c-io compiled with TLS 1.2 enabled? If not, are there other configuration issues that could cause "SEC_E_ALGORITHM_MISMATCH"?
Replies: 2 comments
-
My understanding is that AWS IoT Core requires a minimum of TLS 1.2 presently. I am able to successfully run MQTT samples on a Windows machine (and our CI passes on Windows platforms) using the published CRT module (not a local build). I also looked at the TLS handshake in Wireshark and it is indeed TLS 1.2.
-
Odd, then I'm not sure why it doesn't work against the eclipse-mosquitto:2.0-openssl container. According to OpenSSL, SECLEVEL=2 requires RSA keys >= 2048 bits and TLS >= 1.2. Our RSA key is 2048 bits; that's why I presumed the TLS version was the issue.
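A way to narrow this down from the Windows side, as an added diagnostic that is not part of the discussion above and not code from the aws-c-io or aws-crt projects: on Windows, aws-c-io does its TLS through SChannel, and so does .NET's SslStream, so a mutual-TLS handshake done with SslStream against the same broker shows what SChannel will (or will not) negotiate independently of the SDK. The script also lists the SChannel client settings that decide whether TLS 1.2 and a SECLEVEL=2-compatible cipher suite are on offer. The broker host, port, certificate paths and the empty PFX password are assumptions; replace them with your own.

```powershell
# Added diagnostic (not from aws-c-io / aws-crt). Assumes the mosquitto broker is
# reachable at $BrokerHost:$BrokerPort, that the client certificate plus private
# key is in a PFX file with an empty password, and that the broker certificate
# was issued by the CA in $CaCert. All four values below are placeholders.
param(
    [string]$BrokerHost = 'broker.example.internal',   # assumption
    [int]$BrokerPort    = 8883,                         # assumption
    [string]$ClientPfx  = 'C:\certs\client.pfx',        # assumption
    [string]$CaCert     = 'C:\certs\ca.crt'             # assumption
)

# 1. Is TLS 1.2 enabled for the SChannel *client* role on this machine?
#    When the key is absent the OS default applies (TLS 1.2 is on by default
#    from Windows 8.1 / Server 2012 R2 onward).
$tls12Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
if (Test-Path $tls12Key) {
    Get-ItemProperty -Path $tls12Key | Select-Object Enabled, DisabledByDefault
} else {
    'TLS 1.2 client registry key absent: OS default applies'
}

# 2. Which cipher suites will SChannel offer? OpenSSL at SECLEVEL=2 rejects
#    anything below 112-bit security, so at least one suite in this list must
#    also be acceptable to the broker (e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# 3. Mutual-TLS handshake with SslStream (SChannel underneath, like aws-c-io on
#    Windows). Success prints what was negotiated; failure surfaces the
#    SChannel status text in the innermost exception.
$ca         = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCert)
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ClientPfx, '')  # assumption: empty PFX password
$certs      = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
[void]$certs.Add($clientCert)

# Trust only the private CA above: build the chain with it as an extra root and
# require that root to be the chain's top, rather than blindly returning $true.
$validate = {
    param($sender, $cert, $chain, $errors)
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $built = $chain.Build([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($built -and ($root.Thumbprint -eq $ca.Thumbprint))
}.GetNewClosure()

$tcp = New-Object System.Net.Sockets.TcpClient($BrokerHost, $BrokerPort)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]$validate)
try {
    # Force TLS 1.2 only, which is what the question is about.
    $ssl.AuthenticateAsClient($BrokerHost, $certs,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    [pscustomobject]@{
        Protocol       = $ssl.SslProtocol
        KeyExchange    = $ssl.KeyExchangeAlgorithm
        Cipher         = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
        Hash           = $ssl.HashAlgorithm
        ClientCertSent = $ssl.IsMutuallyAuthenticated
    }
} catch {
    $inner = $_.Exception
    while ($inner.InnerException) { $inner = $inner.InnerException }
    "Handshake failed: $($inner.GetType().Name): $($inner.Message)"
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

If step 3 fails with the same "no common algorithm" condition, the problem is in what SChannel and the broker's OpenSSL agree on, not in the CRT's min_tls_ver option. Compare the suites printed in step 2 with what the broker accepts; on the mosquitto side the listener options `tls_version` and `ciphers` control that, and `openssl s_client -connect host:8883 -tls1_2` with the client certificate and key gives the equivalent view from a Linux host.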