
I was browsing Wireshark output and noticed that the handshake process for talking to Google DNS servers was asking for TLS1.2 vs the supported default TLS1.3 at 2001:4860:4860::8844 (https://developers.google.com/speed/public-dns/docs/secure-transports).

How do I set the default TLS version to be used on Windows 11 to TLS1.3 and downgrade to TLS1.2 if that is not available?

Internet Options has TLS 1.2 and TLS 1.3 selected, but it seems to default to TLS1.2.

So the client cipher suite supports: TLS_AES_256_GCM_SHA384


And then the server confirms that it supports the same TLS1.3 cipher suite.

However, TLS1.2 is still being used.

Dan

This question is off-topic here since it is not about professional server management. But to give a short answer: you are interpreting the output wrong. Support for TLS 1.3 is announced using the supported_versions extension in ClientHello and agreed on by the server in the same way. The TLS record layer in TLS 1.3 is always set to TLS 1.2. And Wireshark is also interpreting the captured data in the correct way, showing clearly that TLS 1.3 is used here (column Protocol). See also https://superuser.com/questions/1618418/how-does-the-client-hello-message-choose-the-record-layer-version. – Steffen Ullrich Jul 29 '23 at 21:45
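The comment above is the whole answer to the question, and the point is easy to check byte by byte. The following is an added example, not code from the question, the answer or Wireshark: it builds a constructed (not captured) TLS 1.3 ClientHello and ServerHello following RFC 8446, then reads back the three places a version number appears. The record-layer version and the handshake legacy_version both say 0x0303 (TLS 1.2) no matter what is negotiated; the real offer and the real decision live in the supported_versions extension (type 43), which is exactly where Wireshark's Protocol column gets "TLSv1.3" from. Function names, the 0x1302 cipher suite choice and the all-zero random are this example's own assumptions.

```python
"""Why a TLS 1.3 handshake says "TLS 1.2" in its record layer.

Added example: constructs minimal Hello messages per RFC 8446 and decodes
the version fields from them. Nothing here is a real capture.
"""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 section 4.2.1
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}


def _u16(v):
    return struct.pack("!H", v)


def _wrap_record(hs_type, body):
    """Wrap a handshake body in a Handshake header and a TLS record.

    legacy_record_version is 0x0303 (TLS 1.2) regardless of the version being
    negotiated: RFC 8446 section 5.1 requires that for every record (only the
    very first ClientHello record MAY carry 0x0301 for middlebox compatibility).
    """
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, TLS12, len(handshake)) + handshake


def build_client_hello(offered_versions):
    """Constructed ClientHello offering TLS_AES_256_GCM_SHA384 (0x1302) and the
    given versions via supported_versions; legacy_version is pinned at 0x0303."""
    versions = b"".join(_u16(v) for v in offered_versions)
    ext_body = bytes([len(versions)]) + versions                  # uint8 length prefix
    extensions = _u16(EXT_SUPPORTED_VERSIONS) + _u16(len(ext_body)) + ext_body
    cipher_suites = _u16(0x1302)
    body = (_u16(TLS12) + bytes(32)                               # legacy_version, random (zeroed sample)
            + b"\x00"                                             # empty legacy_session_id
            + _u16(len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                         # compression_methods: null only
            + _u16(len(extensions)) + extensions)
    return _wrap_record(HS_CLIENT_HELLO, body)


def build_server_hello(selected_version):
    """Constructed ServerHello. A TLS 1.3 server answers with supported_versions
    = 0x0304; a TLS 1.2-only server (selected_version=None) sends no such
    extension and its legacy_version is the negotiated version."""
    extensions = b""
    if selected_version is not None:
        extensions = _u16(EXT_SUPPORTED_VERSIONS) + _u16(2) + _u16(selected_version)
    body = (_u16(TLS12) + bytes(32)                               # legacy_version, random
            + b"\x00"                                             # empty session id echo
            + _u16(0x1302)                                        # chosen cipher suite
            + b"\x00"                                             # null compression
            + _u16(len(extensions)) + extensions)
    return _wrap_record(HS_SERVER_HELLO, body)


def parse_hello(record):
    """Return the three version fields Wireshark shows for a Hello record."""
    content_type, record_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    hs_type = hs[0]
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                                  # skip random
    pos += 1 + body[pos]                                          # skip session id
    if hs_type == HS_CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites vector
        pos += 1 + body[pos]                                      # compression_methods vector
    else:
        pos += 2 + 1                                              # cipher_suite, compression
    supported = None
    if pos + 2 <= len(body):                                      # extensions are optional pre-1.3
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                if hs_type == HS_CLIENT_HELLO:                    # list with uint8 length
                    n = data[0]
                    supported = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, n, 2)]
                else:                                             # single selected_version
                    supported = struct.unpack("!H", data[:2])[0]
    return {"record_version": record_version,
            "legacy_version": legacy_version,
            "supported_versions": supported}


def negotiated_version(server_hello):
    """RFC 8446 section 4.2.1: if the ServerHello carries supported_versions,
    that value is the negotiated version and legacy_version must be ignored;
    otherwise the server is pre-1.3 and legacy_version is the answer."""
    info = parse_hello(server_hello)
    if info["supported_versions"] is not None:
        return info["supported_versions"]
    return info["legacy_version"]


if __name__ == "__main__":
    ch = parse_hello(build_client_hello([TLS13, TLS12]))
    print("ClientHello record layer  :", VERSION_NAMES[ch["record_version"]])
    print("ClientHello legacy_version:", VERSION_NAMES[ch["legacy_version"]])
    print("ClientHello offers        :", [VERSION_NAMES[v] for v in ch["supported_versions"]])
    print("Negotiated (1.3 server)   :", VERSION_NAMES[negotiated_version(build_server_hello(TLS13))])
    print("Negotiated (1.2 server)   :", VERSION_NAMES[negotiated_version(build_server_hello(None))])
```

Reading the output against the screenshots in the question: the "Version: TLS 1.2" seen in the record layer and in the ClientHello/ServerHello headers is the pinned legacy field, while the supported_versions extension in the ServerHello is what decides the session, so a Google DNS server that answers with 0x0304 there is speaking TLS 1.3 even though every record header still reads 0x0303.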

1 Answer


Cipher suites can only be negotiated for TLS versions which support them. The highest supported TLS version is always preferred in the TLS handshake. (Source: TLS Cipher Suites in Windows 11, learn.microsoft.com.)

The list of cipher suites and the supported TLS versions is on that link.

Luuk

Thanks for that, I updated the question to show that both the client and the server support the TLS1.3 (TLS_AES_256_GCM_SHA384) cipher suite. Have any ideas why this would still allow TLS1.2 to be used? – Dan Jul 29 '23 at 20:13