cURL / Mailing Lists / curl-library / Single Mail


Re: schannel and cacert verification

From: Marc Hoersken <>
Date: Thu, 14 Jun 2012 00:04:08 +0200

Hi there,

> -----Original Message-----
> From: [] On Behalf Of Daniel Stenberg
> Sent: Wednesday, June 13, 2012 3:18 PM
> To: libcurl hacking
> Subject: schannel and cacert verification
> Hi guys,
> Am I right when I assume that the new schannel code uses the Windows cert "store" when a server's SSL certificate gets verified?

2012/6/13 Salisbury, Mark <>:
> That's correct.
> Desktop windows has multiple cert stores - there is a machine store and a user store.  The user store is what you see when you open up the "Certificates" view from IE.  By default I think all code uses this store too.

yes, the current implementation uses the cert stores mentioned by
Mark. WinINET, WinHTTP, CryptoAPI, Schannel and all the other related
Windows Security libraries are able to use those by default if some
flags are specified.

Additionally it is also possible to add custom client certificate and
server certificate validation to those layers by using the lower-lever
functionality provided by CryptoAPI and related libraries. This is why
I added those features to the TODO list at the top of curl_schannel.c.

As shown in the other thread, Mark already started on the validation
feature as it is required for WinCE since the default validation
options are not available there.

Best regards,

List admin:
Received on 2012-06-14