6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1: Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 implement TLS 1.2 as specified mainly in [RFC5246] with extensions from [RFC4366], [RFC4681], and [RFC5077], additional cipher suites from [RFC3268], [RFC4492], [RFC5289], TLS 1.1 from [RFC4346], and SSL from [SSL3].

Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 implement TLS 1.2 as specified mainly in [RFC5246] with extensions from [RFC4366] and [RFC4681], additional cipher suites from [RFC3268], [RFC4492], [RFC5289], TLS 1.1 from [RFC4346], and SSL from [SSL3].

Windows Vista and Windows Server 2008 implement TLS 1.0 as specified mainly in [RFC2246] with extensions from [RFC3546] and [RFC4681], additional cipher suites from [RFC3268] and [RFC4492], and SSL from [SSL3].

In Windows Server 2003 and Windows XP, TLS was implemented with [RFC2246] and [RFC4681], SSL from [SSL3], and PCT from [PCT1].

Windows NT operating system and Windows 2000 operating system implement SSL from [SSL3] and PCT from [PCT1].

Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 operating system, Windows 8.1, Windows Server 2012 R2, Windows 10 v1507 operating system, and Windows 10 v1511 operating system do not support Curve25519 as defined in [IETFDRAFT-CURVE-25519-01].

<2> Section 2.2: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 do not support [RFC5077]. Windows 8 and Windows Server 2012 support only the client side of [RFC5077].

Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 do not support [RFC7301].

<3> Section 2.2: Only Windows 8.1, Windows Server 2012 R2, Windows 10 v1507, Windows 10 v1511, Windows 10 v1607 operating system, and Windows Server 2016 support [NPN].

<4> Section 2.2.1: Windows does not support DHE_PSK or RSA_PSK Key Exchange Algorithms defined in [RFC4279] and [RFC5487].

Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 v1507, and Windows 10 v1511 do not support PSK Key Exchange Algorithm [RFC4279] or PSK cipher suites [RFC5487].

<5> Section 2.2.1: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 support [RFC4492], except for not allowing ECDH cipher suites where the number of bits used in the public key algorithm is less than the number of bits used in the signing algorithm.

<6> Section 2.2.1: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 do not support Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension [RFC7627].

<7> Section 2.2.1: Windows accepts a unified format ClientHello message even when SSL version 2 is disabled.

<8> Section 2.2.2: Windows has a decoupling of the network layer from the SSL/TLS layer and thus cannot ensure that alert messages are sent.

<9> Section 2.2.2: Windows XP and Windows Server 2003 do not support sending and receiving the Certificate Status Request extension from [RFC4366] and [RFC3546].

<10> Section 2.2.3: Windows XP and Windows Server 2003 do not support sending the Server Name Indications from [RFC4366] and [RFC3546] in the ClientHello.

Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 do not support sending and receiving the Server Name Indications.

<11> Section 2.2.3: Windows supports sending and receiving the User Mapping extension by using the UPN domain hint from [RFC4681].

<12> Section 2.2.3: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 do not support [RFC5077]. Windows 8 and Windows Server 2012 support only the client side of [RFC5077].

<13> Section 2.2.3: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 do not support [RFC7301].

<14> Section 2.2.3: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 operating system, and Windows 10 v1507 do not support Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation [IETFDRAFT-TOKBND].

<15> Section 2.2.3: Only Windows 8.1, Windows Server 2012 R2, Windows 10 v1507, Windows 10 v1511, Windows 10 v1607, and Windows Server 2016 support [NPN].

<16> Section 2.2.4: Windows does not require that the signing algorithm used by the issuer of a certificate match the algorithm in the end certificate. Windows also does not require particular key usage extension bits to be set in certificates.

<17> Section 2.2.4: Windows omits the root certificate by default when sending certificate chains.

<18> Section 3.1.5: Note the following Windows message processing:

  • If a session fails during bulk data transfer, Windows does not prevent attempted resumption of the session.

  • Only Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 do not support or process extensions within the Certificate Status Request extension.

  • Windows does not ignore a HelloRequest received, even in the middle of a handshake.

  • Windows Server 2003 does not support fragmentation of incoming messages across frames as is allowed in [RFC5246] section 6.2.1.

<19> Section 3.1.5: Only Windows 8.1, Windows Server 2012 R2, Windows 10 v1507, Windows 10 v1511, Windows 10 v1607, and Windows Server 2016 support [NPN].

<20> Section 3.1.5: Windows ignores both unrequested and duplicate extensions in both ClientHello and ServerHello.
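Because note <20> means a Windows endpoint will not reject a hello that repeats an extension, which [RFC5246] section 7.4.1.4 forbids, a monitoring tool has to make that check itself. The following is an added example, not part of this specification or of any Microsoft code; the function names and the sample message are constructed for illustration, and it covers the ClientHello body only.

```python
import struct
from collections import Counter

# Extension codes for RFCs cited in the notes above (IANA ExtensionType values).
NAMES = {0: "server_name", 5: "status_request", 16: "alpn",
         23: "extended_master_secret", 35: "session_ticket"}

def extension_types(hello: bytes) -> list:
    """Extension type codes, in wire order, from a TLS 1.0-1.2 ClientHello
    body (the bytes that follow the 4-byte handshake header)."""
    try:
        pos = 2 + 32                          # client_version + random
        pos += 1 + hello[pos]                 # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
        pos += 1 + hello[pos]                 # compression_methods
        if pos == len(hello):
            return []                         # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        if end != len(hello):
            raise ValueError("extensions length does not match message")
        types = []
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4 + ext_len
            if pos > end:
                raise ValueError("extension overruns extensions block")
            types.append(ext_type)
        return types
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def duplicate_extensions(hello: bytes) -> dict:
    """Map each extension name that occurs more than once to its count."""
    counts = Counter(extension_types(hello))
    return {NAMES.get(t, hex(t)): n for t, n in counts.items() if n > 1}

def build_hello(exts) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello body with the given extensions."""
    blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f"
            + b"\x01\x00" + struct.pack("!H", len(blob)) + blob)

SNI = b"\x00\x0f\x00\x00\x0c" + b"example.test"    # constructed server_name payload
SAMPLE = build_hello([(0, SNI), (35, b""), (0, SNI)])  # server_name sent twice
print(duplicate_extensions(SAMPLE))
```
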
