Windows webDAV client does not support TLS 1.2

Tested on Windows 7 and Windows 8.1

It ignores or doesn't use Windows SChannel settings.

Windows 7 webDAV Client v6.1.7601.22913 / 2014-12 / KB3019215 SSL Client Hello:
Secure Sockets Layer
    SSLv2 Record Layer: Client Hello
        [Version: SSL 2.0 (0x0002)]
        Length: 58
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 33
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (11 specs)
            Cipher Spec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0x00c014)
            Cipher Spec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0x00c013)
            Cipher Spec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0x00c00a)
            Cipher Spec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0x00c009)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
        Challenge

Compare to Windows 7 IE 11 Client Hello:
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 176
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 172
            Version: TLS 1.2 (0x0303)
            Random
                GMT Unix Time: X
                Random Bytes: X
            Session ID Length: 0
            Cipher Suites Length: 48
            Cipher Suites (24 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: X
            Extension: server_name
                Type: server_name (0x0000)
                Length: 23
                Server Name Indication extension
                    Server Name list length: X
                    Server Name Type: host_name (0)
                    Server Name length: X
                    Server Name: fqdn
            Extension: status_request
                Type: status_request (0x0005)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: elliptic_curves
                Type: elliptic_curves (0x000a)
                Length: 8
                Elliptic Curves Length: 6
                Elliptic curves (3 curves)
                    Elliptic curve: secp256r1 (0x0017)
                    Elliptic curve: secp384r1 (0x0018)
                    Elliptic curve: secp521r1 (0x0019)
            Extension: ec_point_formats
                Type: ec_point_formats (0x000b)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: signature_algorithms
                Type: signature_algorithms (0x000d)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
                    Signature Hash Algorithm: 0x0601
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0603
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0401
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0501
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0201
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Hash Algorithm: 0x0403
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0503
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0203
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Hash Algorithm: 0x0202
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
            Extension: renegotiation_info
                Type: renegotiation_info (0xff01)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0

Also see:

https://social.technet.microsoft.com/Forums/windows/en-US/1a3c29ab-d038-4132-af99-b85bce51b5c2/sslv2-being-used-with-webdav

https://social.technet.microsoft.com/Forums/window-US/4c8cc733-2a54-400e-a53a-e3f22614de9f/unable-to-map-webdav-over-ssl#4c8cc733-2a54-400e-a53a-e3f22614de9f

Furthermore no support for:

- Server Name Indication
(http://answers.microsoft.com/en-us/windows/forum/windows8_1-networking/windows-81-webdav-client-sni-support-broken/7c9b14dc-ad30-4746-b3ab-69e3cfedba3d)

- HTTP compression
(https://social.technet.microsoft.com/Forums/windows/en-US/f216fbc6-6aba-4119-acc5-27fcc18fed0a/any-chance-to-make-the-windows-7-microsoftwebdavminiredir-use-http-compression?forum=w7itpronetworking)

Are you serious, Microsoft?

February 25th, 2015 1:53pm

Hi,

We do need more time to test this phenomenon; please be patient.

February 26th, 2015 9:51am

Hello Roger,

sure.

FYI: It doesn't look better with the latest public Windows 10 build:

Secure Sockets Layer
    SSLv2 Record Layer: Client Hello
        [Version: SSL 2.0 (0x0002)]
        Length: 70
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 45
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (15 specs)
            Cipher Spec: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0x00c014)
            Cipher Spec: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0x00c013)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0x00c00a)
            Cipher Spec: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0x00c009)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
        Challenge

It even falls back to SSL 3 and SSL 2 if the server rejects connections:

Secure Sockets Layer
    SSLv2 Record Layer: Client Hello
        [Version: SSL 2.0 (0x0002)]
        Length: 46
        Handshake Message Type: Client Hello (1)
        Version: SSL 3.0 (0x0300)
        Cipher Spec Length: 21
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (7 specs)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
        Challenge


Secure Sockets Layer
    SSLv2 Record Layer: Client Hello
        [Version: SSL 2.0 (0x0002)]
        Length: 34
        Handshake Message Type: Client Hello (1)
        Version: SSL 2.0 (0x0002)
        Cipher Spec Length: 9
        Session ID Length: 0
        Challenge Length: 16
        Cipher Specs (3 specs)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
        Challenge

I also wonder why it keeps sending TLS_EMPTY_RENEGOTIATION_INFO_SCSV instead of TLS_FALLBACK_SCSV. Other TLS 1.0 clients also send a handshake indicator prior to the Client Hello:

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 157
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 153
            Version: TLS 1.0 (0x0301)
...


  • Edited by ManServ Friday, February 27, 2015 2:02 PM Additional protocol information
February 26th, 2015 1:27pm
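The two hello formats compared in the opening post (the Windows 7 WebDAV client's SSLv2-format CLIENT-HELLO against IE 11's TLS-record ClientHello) and the Windows 10 fallback hellos shown in this post can be told apart mechanically from a capture. The following is an added example written for this page, not code from the thread, from Microsoft or from Wireshark: it parses both formats, reports the offered version, the cipher specs, the server_name extension if one is present, which SCSV values the client sends (TLS_EMPTY_RENEGOTIATION_INFO_SCSV versus TLS_FALLBACK_SCSV), and whether a server configured for TLS 1.2 only would accept the hello. The test vectors are constructed: they are rebuilt from the cipher lists in the captures above, while the random/challenge bytes and the SNI host name webdav.example.com are assumptions.

```python
"""Classify a captured SSL/TLS Client Hello: record format, offered version, cipher specs, SNI and
SCSVs sent. Added example for this page; not code from the thread, from Microsoft or from Wireshark."""
import struct
from typing import List, Optional

SCSV_NAMES = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x5600: "TLS_FALLBACK_SCSV"}  # 0x5600: RFC 7507
EXT_SERVER_NAME = 0x0000
VERSION_NAMES = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

class ClientHelloSummary:
    def __init__(self, record_format: str, version: int, cipher_specs: List[int], sni: Optional[str]):
        self.record_format = record_format   # "sslv2" (2-byte header, 3-byte specs, no extensions) or "tls"
        self.version = version               # highest protocol version the client offers
        self.cipher_specs, self.sni = cipher_specs, sni

    @property
    def version_name(self) -> str:
        return VERSION_NAMES.get(self.version, "0x%04x" % self.version)

    @property
    def scsvs(self) -> List[str]:
        return [SCSV_NAMES[c] for c in self.cipher_specs if c in SCSV_NAMES]

    @property
    def sslv2_only_ciphers(self) -> List[int]:
        # v2-format hellos encode TLS suites as 0x00xxxx; a non-zero high byte (0x010080 = SSL2_RC4_128_WITH_MD5)
        # marks an SSLv2-only cipher, which a TLS-record hello cannot even express.
        return [c for c in self.cipher_specs if c > 0xFFFF]

def _parse_sslv2_hello(data: bytes) -> ClientHelloSummary:
    length = ((data[0] & 0x7F) << 8) | data[1]          # 2-byte header: high bit set, 15-bit length
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("not an SSLv2-format CLIENT-HELLO")
    version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
    if 9 + cs_len + sid_len + ch_len != length or cs_len % 3:
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    specs = [int.from_bytes(body[i:i + 3], "big") for i in range(9, 9 + cs_len, 3)]
    return ClientHelloSummary("sslv2", version, specs, None)

def _parse_tls_hello(data: bytes) -> ClientHelloSummary:
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]; hs = data[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 34; pos += 1 + body[pos]                       # skip 32-byte random, then session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    specs = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                                 # compression_methods
    sni = None
    if pos + 2 <= len(body):                             # the extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2; end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:   # host_name entry
                sni = edata[5:5 + struct.unpack(">H", edata[3:5])[0]].decode("ascii")
    return ClientHelloSummary("tls", version, specs, sni)

def parse_client_hello(data: bytes) -> ClientHelloSummary:
    """Dispatch on the first byte: SSLv2 record (high bit set) vs TLS record (type 0x16)."""
    return _parse_sslv2_hello(data) if data[0] & 0x80 else _parse_tls_hello(data)

def accepted_by_policy(h: ClientHelloSummary, min_version: int = 0x0303) -> bool:
    """Would a server configured for min_version or newer (default: TLS 1.2 only) accept this hello?"""
    return h.version >= min_version

# Constructed vectors rebuilt from the cipher lists in the captures above; the random/challenge
# bytes and the SNI host name are assumptions, not values from the thread.
def build_sslv2_hello(version: int, specs: List[int], challenge: bytes = b"\x11" * 16) -> bytes:
    body = b"\x01" + struct.pack(">HHHH", version, 3 * len(specs), 0, len(challenge))
    body += b"".join(s.to_bytes(3, "big") for s in specs) + challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

def build_tls_hello(version: int, suites: List[int], sni: Optional[str] = None) -> bytes:
    body = struct.pack(">H", version) + b"\x22" * 32 + b"\x00"     # fixed random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                            # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        sni_data = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack(">HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

WIN7_WEBDAV_HELLO = build_sslv2_hello(0x0301, [0xC014, 0xC013, 0xC00A, 0xC009, 0x0035, 0x002F,
                                               0x0038, 0x0032, 0x000A, 0x0013, 0x00FF])
WIN10_SSL2_FALLBACK_HELLO = build_sslv2_hello(0x0002, [0x010080, 0x0700C0, 0x00FF])
IE11_HELLO = build_tls_hello(0x0303, [0xC028, 0xC027, 0xC014, 0xC013, 0x009F, 0x009E, 0x009D, 0x009C, 0xC02C,
                                      0xC02B, 0xC024, 0xC023, 0xC00A, 0xC009, 0x003D, 0x003C, 0x0035, 0x002F,
                                      0x006A, 0x0040, 0x0038, 0x0032, 0x000A, 0x0013], sni="webdav.example.com")

if __name__ == "__main__":
    for label, raw in [("Win7 WebDAV", WIN7_WEBDAV_HELLO), ("Win10 fallback", WIN10_SSL2_FALLBACK_HELLO), ("IE11", IE11_HELLO)]:
        h = parse_client_hello(raw)
        print(label, h.record_format, h.version_name, len(h.cipher_specs), h.sni, h.scsvs, accepted_by_policy(h))
```

Feed parse_client_hello the raw bytes of the first client record from a capture (the TCP payload Wireshark shows as the "SSLv2 Record Layer" or "TLSv1.2 Record Layer") and it reports what the client actually offers, independently of what any registry key claims. Two points the captures make fall out directly: an SSLv2-format hello carrying version TLS 1.0 fails a TLS 1.2-only policy no matter how modern its cipher list looks, and because none of the WebDAV hellos carry TLS_FALLBACK_SCSV, a server has no way to tell the SSL 3.0 and SSL 2.0 retries in this post apart from a genuinely old client.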

The client also doesn't support Unicode Supplementary characters and is vulnerable to Denial of Service attacks.

Steps to reproduce:

1.) Connect to a WebDAV share with Windows Explorer.

2.) Try to access a folder that contains files or directories with Unicode supplementary characters in their names. Other users can upload such files to prevent Windows WebDAV clients from accessing the folder.

3.) Instead of the folder contents an error message is displayed:

According to http://www.microsoft.com/Language/en-US/Search.aspx the original message is:

%2!ls! is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.\n\n%1!ls! Wrong Parameter.

German localization, as displayed:

Auf %2!ls! kann nicht zugegriffen werden. Sie haben eventuell keine Berechtigung, diese Netzwerkressource zu verwenden. Wenden Sie sich an den Administrator des Servers, um herauszufinden, ob Sie über Berechtigungen verfügen.\n\n%1!ls! Falscher Parameter.

February 27th, 2015 10:30am
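As an added example (not code from the thread or from Microsoft), here is a small audit that finds the names the post above reports as breaking the client: it walks the D:href entries of a PROPFIND 207 Multi-Status body, percent-decodes them as UTF-8 and reports every last path segment containing a character above U+FFFF, which is exactly what becomes a surrogate pair in the UTF-16 the Windows API works with. The Multi-Status document is constructed for the example and only imitates the shape of a Depth: 1 PROPFIND response; the paths and the file name carrying U+1F4C4 are assumptions.

```python
"""Find names in a WebDAV collection that contain Unicode supplementary characters (code points
above U+FFFF, i.e. surrogate pairs in UTF-16). Added example; not code from the thread or Microsoft."""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import unquote

DAV = "{DAV:}"

def supplementary_chars(name: str) -> List[str]:
    """Characters outside the Basic Multilingual Plane."""
    return [ch for ch in name if ord(ch) > 0xFFFF]

def utf16_code_units(name: str) -> int:
    """Length as a UTF-16 consumer sees it: each supplementary character costs two code units."""
    return len(name.encode("utf-16-le")) // 2

def hrefs_from_multistatus(xml_text: str) -> List[str]:
    """Every D:href in a PROPFIND 207 Multi-Status body, percent-decoded as UTF-8."""
    return [unquote(h.text or "", encoding="utf-8") for h in ET.fromstring(xml_text).iter(DAV + "href")]

def audit_multistatus(xml_text: str) -> List[Tuple[str, List[str]]]:
    """(name, ["U+XXXX", ...]) for each resource whose last path segment has supplementary characters."""
    findings = []
    for href in hrefs_from_multistatus(xml_text):
        name = href.rstrip("/").rsplit("/", 1)[-1]
        bad = supplementary_chars(name)
        if bad:
            findings.append((name, ["U+%04X" % ord(c) for c in bad]))
    return findings

# Constructed sample in the shape of a 207 Multi-Status for a Depth: 1 PROPFIND. The paths are
# assumptions; the third resource's name carries U+1F4C4 (percent-encoded UTF-8 F0 9F 93 84).
SAMPLE_MULTISTATUS = """<D:multistatus xmlns:D="DAV:">
  <D:response><D:href>/dav/accounting/</D:href>
    <D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
    <D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/dav/accounting/invoice-2015-02.pdf</D:href>
    <D:propstat><D:prop><D:resourcetype/></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
  <D:response><D:href>/dav/accounting/report%F0%9F%93%84.txt</D:href>
    <D:propstat><D:prop><D:resourcetype/></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    for name, points in audit_multistatus(SAMPLE_MULTISTATUS):
        print("%s: %s (%d chars, %d UTF-16 code units)" % (name, ", ".join(points), len(name), utf16_code_units(name)))
```

Run against the body of a real PROPFIND (Depth: 1) on a share, it lists the names an administrator would have to rename or reject at upload time before Windows users hit the "Wrong Parameter" error quoted above. The UTF-16 code-unit count is included because it is the length a Windows component sees; a name whose character count and code-unit count differ is one that contains such a pair.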

Hi,

Sorry for my delayed reply. Based on my research, it seems to be a known issue. I found a workaround, which is provided in the link below. The method should be able to resolve the TLS 1.2 compatibility problem with WebDAV; you can try it for testing:

https://social.technet.microsoft.com/Forums/windows/en-US/c66c3168-114d-4e03-afc2-27c466e41c99/does-windows-webdav-client-support-tls-connections?forum=w7itprogeneral

March 3rd, 2015 6:47am

Hello Roger,

the workaround you've mentioned is about deprecating SSL3. It doesn't show how to enable TLS 1.2 in the Microsoft Windows webDAV Client. The Microsoft Windows webDAV client ignores SChannel settings. This command on a classic shell SHOULD but does NOT result in a TLS 1.2 "Client Hello" of the Microsoft Windows webDAV Client:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /d 0x1 /t reg_dword

We don't have access to the many clients experiencing TLS connectivity problems due to the known issues you've mentioned. It is also a problem that changing such client settings requires administrative privileges.

As you can see from the Workaround you've mentioned changing server settings sometimes causes other incompatibilities.

Which of the mentioned issues is Microsoft aware of and which will be fixed when and in which Windows versions?

1.) lack of TLS 1.2 support
2.) lack of TLS Server Name Indication support
3.) lack of HTTP compression support
4.) nowadays also HTTP/2 support
5.) lack of Unicode supplementary character support
6.) Unicode supplementary character Denial of service vulnerability
7.) Probably TLS Protocol downgrade attack vulnerability

March 3rd, 2015 8:00am

Any new insight?

It is still broken with the SChannel patch published yesterday: MS15-031 Vulnerability in Schannel Could Allow Security Feature Bypass (KB3046049)

Because of the custom SSL handling the Microsoft WebDAV Client might be vulnerable to SSL weaknesses such as the recent FREAK.


March 11th, 2015 3:37am


Hi all. It would be really nice to know what MS's response to this is. All of our company WebDAV servers (which happen to be Apache on Debian) have been fine-tuned to support TLSv1.2 only, and now the accounting department has just lost all connectivity to their documents due to this issue. We are planning to implement Linux clients for accounting too; I hope there will be development on this WebDAV client in the very near future.
April 1st, 2015 2:25pm

This is no April Fools' Day joke: the SSL Client Hello hasn't changed in the most recent Windows 10 build:

Still broken

April 1st, 2015 7:54pm

Any new updates on the WebDAV client not being able to support TLS 1.1 and 1.2?

PCI compliance is now failing with TLS 1.0 enabled, yet MS still has no fix for WebDAV to support these protocols.

Really need a fix for this yesterday...

May 11th, 2015 2:49pm

I don't have any news.

The latest public Windows 10 build 10074 doesn't behave differently.

Roger Lu of Microsoft's partner "Pactera", according to his profile also "Microsoft Contingent Staff", hasn't replied for a long time now. I guess we shall continue to be patient.

The mentioned Denial of Service vulnerability hasn't been fixed for nearly 5 years now. Given this inaction I don't expect a short-term fix for any of the problems.

I reported this via the "Windows Feedback" Program but it doesn't appear there. I posted it multiple times in different wording there. No success.

Regarding that: Other recommendations are also ignored by Microsoft:

https://tools.ietf.org/html/rfc7525

https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr02102/index_htm.html (BSI TR-02102-2 Verwendung von Transport Layer Security)

https://www.ssllabs.com/projects/best-practices/ (SSL/TLS Deployment Best Practices)

By that Microsoft clearly puts customer information confidentiality at risk!

May 12th, 2015 3:41am
