Note
The SCHANNEL_CRED structure is deprecated. You should use SCH_CREDENTIALS instead.
The SCHANNEL_CRED structure contains the data for an Schannel credential.
Syntax
typedef struct _SCHANNEL_CRED {
  DWORD           dwVersion;
  DWORD           cCreds;
  PCCERT_CONTEXT  *paCred;
  HCERTSTORE      hRootStore;
  DWORD           cMappers;
  struct _HMAPPER **aphMappers;
  DWORD           cSupportedAlgs;
  ALG_ID          *palgSupportedAlgs;
  DWORD           grbitEnabledProtocols;
  DWORD           dwMinimumCipherStrength;
  DWORD           dwMaximumCipherStrength;
  DWORD           dwSessionLifespan;
  DWORD           dwFlags;
  DWORD           dwCredFormat;
} SCHANNEL_CRED, *PSCHANNEL_CRED;
Members
dwVersion
Set to SCHANNEL_CRED_VERSION.
cCreds
The number of structures in the paCred array.
paCred
An array of pointers to CERT_CONTEXT structures. Each pointer specifies a certificate that contains a private key to be used in authenticating the application. Typically, this array contains one structure for each key exchange method supported by the application.
Client applications often pass in an empty list and either depend on Schannel to find an appropriate certificate or create a certificate later if needed.
hRootStore
Optional. Valid for server applications only. Handle to a certificate store that contains self-signed root certificates for certification authorities (CAs) trusted by the application. This member is used only by server-side applications that require client authentication.
cMappers
Reserved.
aphMappers
Reserved.
cSupportedAlgs
Number of algorithms in the palgSupportedAlgs array.
palgSupportedAlgs
Optional. A pointer to an array of ALG_ID algorithm identifiers that represent the algorithms supported by connections made with credentials acquired using this structure. If cSupportedAlgs is zero or palgSupportedAlgs is NULL, Schannel uses the system defaults.
Currently, the algorithm identifiers CALG_AES, CALG_AES_128, and CALG_AES_256 are not supported.
grbitEnabledProtocols
Optional. A DWORD that contains a bit string that represents the protocols supported by connections made with credentials acquired by using this structure. If this member is zero, Schannel selects the protocol. For new development, applications should set grbitEnabledProtocols to zero and use the protocol versions enabled on the system by default.
This member is used only by the Microsoft Unified Security Protocol Provider security package.
The global system registry settings take precedence over this value. For example, if SSL3 is disabled in the registry, it cannot be enabled using this member.
This member can contain any of the following flags.
Value Meaning
[table of protocol flags; only the Meaning column is present in this copy]
Note Obsolete.
Important Secure Sockets Layer 2.0 and Transport Layer Security 1.2 flags are mutually exclusive.
Windows 10, version 1607 and Windows Server 2016: Support ends.
Important Secure Sockets Layer 2.0 and Transport Layer Security 1.3 flags are mutually exclusive.
Windows 8 and Windows Server 2012: Support added.
Windows 10, version 1607 and Windows Server 2016: Support added.
dwMinimumCipherStrength
Minimum bulk encryption cipher strength, in bits, allowed for connections.
If this member is zero, Schannel uses the system default. If this member is -1 (0xFFFFFFFF as a DWORD), only the SSL3/TLS MAC-only cipher suites (also known as NULL cipher) are enabled. Those suites provide integrity without confidentiality and should not be enabled outside test environments.
dwMaximumCipherStrength
Maximum bulk encryption cipher strength, in bits, allowed for connections.
If this member is zero, Schannel uses the system default.
If this member is -1 (0xFFFFFFFF as a DWORD), only the SSL3/TLS MAC-only cipher suites (also known as NULL cipher) are enabled. In this case, dwMinimumCipherStrength must also be set to -1.
dwSessionLifespan
The number of milliseconds that Schannel keeps the session in its session cache. After this time has passed, any new connections between the client and the server require a new Schannel session. Set the value of this member to zero to use the default value of 36000000 milliseconds (ten hours).
dwFlags
Contains bit flags that control the behavior of Schannel. This member can be zero or a combination of the following values.
Value Meaning
[table of dwFlags values; only the Meaning column is present in this copy]
This flag is the opposite of SCH_CRED_MANUAL_CRED_VALIDATION and is part of the default behavior of Schannel.
Windows Server 2003 and Windows XP/2000: This flag is not supported.
If this flag is set, then full handshakes performed with this credential will not allow reconnects. A cache entry is created, so the session can be made resumable later by using the ApplyControlToken function.
Prevent Schannel from validating the received server certificate chain.
Prevent Schannel from attempting to automatically supply a certificate chain for client authentication.
Prevent Schannel from comparing the supplied target name with the subject names in server certificates.
Prevent Schannel from using the built-in system certificate mapping functions to map client certificates to a user account.
Schannel attempts to automatically supply a certificate chain for client authentication. This value is the opposite of SCH_CRED_NO_DEFAULT_CREDS.
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows XP/2000: This flag is not supported.
Note The root certificate sent over the network by the Schannel client or server is not to be trusted. It should be validated against a trusted hash of the root certificate.
dwCredFormat
Kernel-mode Schannel supports the following values.
Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP and Windows XP/2000: This member is not supported and must be zero.
Value Meaning
[table of dwCredFormat values; not present in this copy]
Remarks
The following certificate revocation flags are mutually exclusive.
To customize certificate revocation error reporting for Schannel, use the following flags:
When Schannel checks the revocation status of a certificate chain, these flags instruct it to ignore any CRYPT_E_NO_REVOCATION_CHECK and CRYPT_E_REVOCATION_OFFLINE errors, respectively. These flags are ignored if no certificate revocation flag is set.
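Added example (C), not code from the page or from Microsoft: it encodes the constraints stated above for grbitEnabledProtocols, the two cipher-strength members, dwFlags and the revocation flags as a checker, and builds a client credential hardened along the lines the page recommends (protocol selection left to the system, automatic chain validation, chain revocation checking, no automatically supplied client certificate). The struct layout and the SP_PROT_*, SCH_CRED_* and SCH_USE_STRONG_CRYPTO constants are the ones schannel.h declares, re-declared here only so the example compiles without the Windows SDK; only the values the example needs are reproduced. The cred_check enum and the functions schannel_cred_check, schannel_cred_hardened_client and check_fields are this example's own names, not SDK APIs.

```c
/* Added example, not code from the page or the Windows SDK: a checker for the
 * SCHANNEL_CRED rules stated above and a builder for a hardened client cred.
 * The struct and the SP_PROT_* / SCH_CRED_* / SCH_USE_* constants mirror
 * schannel.h and are re-declared only so this builds without Windows headers
 * (on Windows, #include <schannel.h> instead). cred_check is this example's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t DWORD; typedef unsigned int ALG_ID;
typedef const void *PCCERT_CONTEXT; typedef void *HCERTSTORE;

typedef struct _SCHANNEL_CRED {
    DWORD dwVersion; DWORD cCreds; PCCERT_CONTEXT *paCred; HCERTSTORE hRootStore;
    DWORD cMappers; struct _HMAPPER **aphMappers;
    DWORD cSupportedAlgs; ALG_ID *palgSupportedAlgs;
    DWORD grbitEnabledProtocols; DWORD dwMinimumCipherStrength;
    DWORD dwMaximumCipherStrength; DWORD dwSessionLifespan;
    DWORD dwFlags; DWORD dwCredFormat;
} SCHANNEL_CRED, *PSCHANNEL_CRED;

#define SCHANNEL_CRED_VERSION 0x00000004
#define SP_PROT_SSL2_SERVER   0x00000004   /* grbitEnabledProtocols bits */
#define SP_PROT_SSL2_CLIENT   0x00000008
#define SP_PROT_TLS1_2_SERVER 0x00000400
#define SP_PROT_TLS1_2_CLIENT 0x00000800
#define SP_PROT_TLS1_3_SERVER 0x00001000
#define SP_PROT_TLS1_3_CLIENT 0x00002000
#define SCH_CRED_MANUAL_CRED_VALIDATION              0x00000008   /* dwFlags bits */
#define SCH_CRED_NO_DEFAULT_CREDS                    0x00000010
#define SCH_CRED_AUTO_CRED_VALIDATION                0x00000020
#define SCH_CRED_USE_DEFAULT_CREDS                   0x00000040
#define SCH_CRED_REVOCATION_CHECK_END_CERT           0x00000100
#define SCH_CRED_REVOCATION_CHECK_CHAIN              0x00000200
#define SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x00000400
#define SCH_CRED_IGNORE_NO_REVOCATION_CHECK          0x00000800
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE           0x00001000
#define SCH_USE_STRONG_CRYPTO                        0x00400000

enum cred_check {
    CRED_OK = 0,
    CRED_BAD_VERSION,               /* dwVersion != SCHANNEL_CRED_VERSION */
    CRED_SSL2_WITH_TLS12_OR_13,     /* SSL 2.0 flags are exclusive with TLS 1.2/1.3 flags */
    CRED_NULL_CIPHER_MISMATCH,      /* dwMaximumCipherStrength == -1 needs minimum == -1 */
    CRED_VALIDATION_CONFLICT,       /* MANUAL and AUTO cred validation both set */
    CRED_DEFAULT_CREDS_CONFLICT,    /* NO_DEFAULT_CREDS and USE_DEFAULT_CREDS both set */
    CRED_REVOCATION_CONFLICT,       /* more than one REVOCATION_CHECK_* flag */
    CRED_IGNORE_WITHOUT_REVOCATION  /* IGNORE_* set but no revocation check: Schannel drops them */
};

enum cred_check schannel_cred_check(const SCHANNEL_CRED *c)
{
    const DWORD ssl2 = SP_PROT_SSL2_SERVER | SP_PROT_SSL2_CLIENT;
    const DWORD tls12_13 = SP_PROT_TLS1_2_SERVER | SP_PROT_TLS1_2_CLIENT |
                           SP_PROT_TLS1_3_SERVER | SP_PROT_TLS1_3_CLIENT;
    const DWORD revocation = SCH_CRED_REVOCATION_CHECK_END_CERT | SCH_CRED_REVOCATION_CHECK_CHAIN |
                             SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
    const DWORD ignore = SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE;
    const DWORD f = c->dwFlags, r = f & revocation;

    if (c->dwVersion != SCHANNEL_CRED_VERSION) return CRED_BAD_VERSION;
    if ((c->grbitEnabledProtocols & ssl2) && (c->grbitEnabledProtocols & tls12_13))
        return CRED_SSL2_WITH_TLS12_OR_13;
    if (c->dwMaximumCipherStrength == (DWORD)-1 && c->dwMinimumCipherStrength != (DWORD)-1)
        return CRED_NULL_CIPHER_MISMATCH;
    if ((f & SCH_CRED_MANUAL_CRED_VALIDATION) && (f & SCH_CRED_AUTO_CRED_VALIDATION))
        return CRED_VALIDATION_CONFLICT;
    if ((f & SCH_CRED_NO_DEFAULT_CREDS) && (f & SCH_CRED_USE_DEFAULT_CREDS))
        return CRED_DEFAULT_CREDS_CONFLICT;
    if (r & (r - 1)) return CRED_REVOCATION_CONFLICT;        /* r has more than one bit set */
    if ((f & ignore) && !r) return CRED_IGNORE_WITHOUT_REVOCATION;
    return CRED_OK;
}

/* Hardened client credential: protocol choice left to system policy (zero),
 * Schannel validates the server chain and checks revocation along it, no client
 * certificate is supplied automatically, SCH_USE_STRONG_CRYPTO excludes weak suites. */
void schannel_cred_hardened_client(SCHANNEL_CRED *c)
{
    memset(c, 0, sizeof(*c));                 /* cipher strengths, lifespan: system defaults */
    c->dwVersion = SCHANNEL_CRED_VERSION;
    c->dwFlags = SCH_CRED_AUTO_CRED_VALIDATION | SCH_CRED_REVOCATION_CHECK_CHAIN |
                 SCH_CRED_NO_DEFAULT_CREDS | SCH_USE_STRONG_CRYPTO;
}

/* Build a credential from the given members (version set correctly) and check it. */
enum cred_check check_fields(DWORD protocols, DWORD min_bits, DWORD max_bits, DWORD flags)
{
    SCHANNEL_CRED c;
    schannel_cred_hardened_client(&c);
    c.grbitEnabledProtocols = protocols;
    c.dwMinimumCipherStrength = min_bits;
    c.dwMaximumCipherStrength = max_bits;
    c.dwFlags = flags;
    return schannel_cred_check(&c);
}

int main(void)
{
    SCHANNEL_CRED c;
    schannel_cred_hardened_client(&c);
    printf("hardened client: %d\n", schannel_cred_check(&c));   /* 0 = CRED_OK */
    printf("SSL2 with TLS1.2: %d\n", check_fields(SP_PROT_SSL2_CLIENT | SP_PROT_TLS1_2_CLIENT,
                                                  0, 0, SCH_CRED_AUTO_CRED_VALIDATION));
    return 0;
}
```

On Windows, drop the local re-declarations, include schannel.h, and pass the filled structure as the pAuthData argument of AcquireCredentialsHandle for the UNISP_NAME package; running the checker first turns a contradictory flag combination into a compile-time-adjacent error instead of a failed or silently weakened handshake.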
Requirements
Minimum supported client: Windows 8.1 [desktop apps only]
Minimum supported server: Windows Server 2012 R2 [desktop apps only]
Header: schannel.h (include Schnlsp.h)