You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Context : we have a unit test that is using libCurl built with OpenSSL. We recently changed the SSL backend to WinSSL (SChannel), and one of our unit tests broke. The following is what the unit test is essentially doing, and what is wrong.
Notice here that the method only looks at index 0 in the array, that is the first certificate.
It worked well with OpenSSL for many years.
However it appears that with SChannel, the order of the certificates in the chain is reversed.
With OpenSSL, the peer is the first index, while with SChannel it is the last.
OpenSSL is following an RFC.
Ref: https://curl.haxx.se/mail/lib-2018-10/0099.html
While SChannel "Finds a certificate context that contains the end certificate supplied by the server."
Ref: https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-querycontextattributesexa
I expected the following
I expected that the order of the certificates would be the same when changing the backend. I suggest using the OpenSSL order, i.e. the peer certificate first as it is detailed in an RFC and this order has been in the code base for longer than SChannel.
Suggestion
File : lib/vtls/schannel.c
the method add_cert_to_certinfo should be modified. We could add to Adder_args the total number of certificates, and inside add_cert_to_certinfo instead of passing (args->idx)++, then pass total_certs -1 - (args->idx)++. Ok I admit this last one is hard to read, but the idea is "total - currentIndex".
curl/libcurl version
7.65.1
[curl -V output]
operating system
Windows 10, version 1903.
The text was updated successfully, but these errors were encountered:
I did this
Context : we have a unit test that is using libCurl built with OpenSSL. We recently changed the SSL backend to WinSSL (SChannel), and one of our unit tests broke. The following is what the unit test is essentially doing, and what is wrong.
Notice here that the method only looks at index 0 in the array, that is the first certificate.
It worked well with OpenSSL for many years.
However it appears that with SChannel, the order of the certificates in the chain is reversed.
With OpenSSL, the peer is the first index, while with SChannel it is the last.
OpenSSL is following an RFC.
Ref: https://curl.haxx.se/mail/lib-2018-10/0099.html
While SChannel "Finds a certificate context that contains the end certificate supplied by the server."
Ref: https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-querycontextattributesexa
I expected the following
I expected that the order of the certificates would be the same when changing the backend. I suggest using the OpenSSL order, i.e. the peer certificate first as it is detailed in an RFC and this order has been in the code base for longer than SChannel.
Suggestion
File : lib/vtls/schannel.c
the method
add_cert_to_certinfo
should be modified. We could add toAdder_args
the total number of certificates, and insideadd_cert_to_certinfo
instead of passing(args->idx)++
, then passtotal_certs -1 - (args->idx)++
. Ok I admit this last one is hard to read, but the idea is "total - currentIndex".curl/libcurl version
7.65.1
[curl -V output]
operating system
Windows 10, version 1903.
The text was updated successfully, but these errors were encountered: