An important internet security feature will remain missing in Windows 11
Briefly

"TLS 1.3 offers better security and performance than its predecessor TLS 1.2, but omits an important feature: renegotiation. This functionality was used by servers such as IIS Express to request a client certificate only after the initial handshake. Because TLS 1.3 does not support this mechanism, IIS Express crashes with mTLS configurations. For Windows 11 versions prior to 24H2 and for Windows Server 2022, this results in a broken connection with the error message ERR_CONNECTION_RESET."
"Microsoft points to three temporary solutions that developers can apply. Disabling TLS 1.3 via the Windows registry is the most direct route, although this affects all applications on the system and falls back to TLS 1.2. Another option is to modify the http.sys binding via the netsh command, which requests the client certificate during the initial handshake. Removing the client certificate requirement from the configuration is also an option, but this is mainly suitable for development environments."
"In theory, TLS 1.3 does have an alternative method, namely post-handshake client authentication, but this is not supported by most browsers. In addition, IIS and IIS Express are based on the Windows http.sys kernel driver. This layer handles the TLS negotiation entirely before IIS itself comes into play, which means that the problem actually lies in the architecture of the underlying system."
IIS Express crashes when configured for mTLS because TLS 1.3 removes the renegotiation mechanism that was used to request a client certificate after the initial handshake. On Windows 11 prior to 24H2 and on Windows Server 2022 the failure appears to the browser as ERR_CONNECTION_RESET; on Windows 11 24H2 and Windows Server 2025 it returns HTTP 500 with code 0x80070032 ("not supported"). Microsoft lists three temporary workarounds: disable TLS 1.3 via the registry (which downgrades every application on the system to TLS 1.2), modify the http.sys binding with netsh so the certificate is requested during the initial handshake, or remove the client certificate requirement in development environments. Post-handshake client authentication exists in TLS 1.3 but lacks broad browser support, and the root cause resides in the http.sys architecture, which completes TLS negotiation before IIS is involved.
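The netsh workaround above is the one that avoids a system-wide downgrade to TLS 1.2, so here it is as an added example (not from the Techzine article or from Microsoft's guidance): the script reads the existing http.sys SSL binding, and re-creates it with the client certificate requested in the initial handshake. The port 44300 is an assumed IIS Express HTTPS port; the certificate hash and application id are taken from the existing binding rather than typed in.

```powershell
# Added example: switch an http.sys SSL binding to request the client certificate
# in the initial TLS handshake instead of via renegotiation (which TLS 1.3 removed).
# Run from an elevated PowerShell prompt. Assumption: 44300 is the IIS Express port.
$IpPort = '0.0.0.0:44300'

# Read the current binding; netsh exits non-zero when no binding exists for the port.
$Binding = netsh http show sslcert ipport=$IpPort
if ($LASTEXITCODE -ne 0) { throw "No http.sys SSL binding found for $IpPort" }

# Pull the values we must preserve out of the 'netsh http show sslcert' output.
function Get-BindingField([string[]]$Lines, [string]$Label) {
    $m = $Lines | Select-String "$Label\s*:\s*(\S+)" | Select-Object -First 1
    if (-not $m) { throw "Field '$Label' not found in binding output" }
    return $m.Matches[0].Groups[1].Value
}
$CertHash  = Get-BindingField $Binding 'Certificate Hash'
$AppId     = Get-BindingField $Binding 'Application ID'
$Negotiate = Get-BindingField $Binding 'Negotiate Client Certificate'

if ($Negotiate -eq 'Enabled') {
    Write-Host "Binding $IpPort already requests the client certificate in the initial handshake."
    return
}

# http.sys bindings cannot be edited in place: delete, then re-add with the flag set.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$CertHash appid=$AppId clientcertnegotiation=enable
if ($LASTEXITCODE -ne 0) {
    throw "Re-adding the binding failed; restore it with certhash=$CertHash appid=$AppId"
}

# Confirm the new setting before pointing a browser at the site again.
netsh http show sslcert ipport=$IpPort | Select-String 'Negotiate Client Certificate'
```

After the binding is re-created, a browser that fails the certificate prompt is rejected during the handshake itself, so the ERR_CONNECTION_RESET / HTTP 500 symptoms described above no longer occur for clients that present a certificate.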
Read at Techzine Global