Re: schannel modifications for WinCE 6

From: Ben Sutcliffe <>
Date: Thu, 11 Sep 2014 08:57:00 -0400

On Thu, Sep 11, 2014 at 5:14 AM, Daniel Stenberg <> wrote:
> Yes thanks, that'd be great! I'm sure there is or will be other interested
> people.

Okay, attached a patch. I've never submitted one before, so let me know if
there are any issues. :) I also had to make some changes to
config-win32ce.h, but I'm assuming that's expected when building libcurl.

> RC4 is insecure. To the point where we've stopped using it in general, and
> it is being avoided universally where security and encryption are involved.
> See
> The main problem with completely disabling RC4 all over tends to involve
> old Windows installations, see
> archive/web/tls/current/msg11935.html
> So, you need to consider the alternatives. RC4 is known to be insecure,
> but possibly less bad than what other algorithms you can choose from!

From what I can tell, the WinCE 6 implementation of EncryptMessage() seems
to be generally broken when it concerns block ciphers, and RC4 is the only
cipher that I got to work...but I could be totally wrong here.
Unfortunately, I haven't found any other source to support my claim, so I
was hoping someone here had experience with schannel and WinCE 6. :)

Here's a list of the available ciphers for WinCE 6:

>> - Fix an apparent bug in hostname verification for wildcard certs. For
>> *. from the cert, it was comparing "" instead of
>> "" against the server's hostname
> Oh, that's not just for the embedded version then is it? It sounds
> significant enough that it is strange that it hasn't already been
> reported...

The bug I found was in verify_certificate(), which is only used in the
WinCE implementation of schannel:

#ifdef _WIN32_WCE
  /* Windows CE doesn't do any server certificate validation.
     We have to do it manually. */
  return verify_certificate(conn, sockindex);

>> - A few small mods to allow libcurl to build for WinCE 6 (e.g., use
>> send()/recv() instead of write()/read()).
> What? AFAIK, only minix uses write() and everything else uses send()
> already (and all internals do it with swrite() which is a macro that
> "hides" the real function being used). Am I wrong?

This one confused me as well. curlx_read() and curlx_write() were only
defined for Win32 and were implemented using read() and write().

Ben Sutcliffe
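The wildcard-certificate bug discussed above comes down to comparing the wrong string against the server's hostname. As an added example, not curl's code and not the patch from this thread, here is a standalone matcher for the kind of check a manual verify_certificate() has to get right: a "*." pattern may only match the entire leftmost label of the host, the remainder after that label must equal the remainder of the pattern (case-insensitively), and at least two labels must follow the wildcard. The function name hostmatch() and the sample hostnames are hypothetical.

```c
/* Added example: wildcard hostname matching for manual certificate
 * verification. Not curl's code; hostmatch() and the inputs below are
 * hypothetical. Compile: cc -Wall -o hostmatch hostmatch.c */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two buffers of the same length n. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

static size_t count_dots(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Returns 1 if the certificate name 'pattern' matches 'host', else 0.
 * Rules applied:
 *  - without '*': exact, case-insensitive match
 *  - with '*': pattern must be "*." followed by at least two labels, the
 *    wildcard covers exactly one non-empty leftmost host label, and the
 *    remainder of the host after that label must equal the remainder of
 *    the pattern after "*." (this is the comparison that has to be made
 *    against the server's hostname, not the pattern's own suffix)
 *  - partial-label wildcards (w*.example.com) and wildcards in any other
 *    position are rejected */
int hostmatch(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen == 0 || hlen == 0)
        return 0;

    if (!strchr(pattern, '*'))
        return plen == hlen && ieq(pattern, host, plen);

    /* The only accepted wildcard form is "*." as a prefix, no other '*'. */
    if (plen < 2 || pattern[0] != '*' || pattern[1] != '.' ||
        strchr(pattern + 1, '*'))
        return 0;

    const char *rest = pattern + 2;          /* labels after "*." */
    if (*rest == '\0' || count_dots(rest) < 1)
        return 0;                            /* "*.com" style is rejected */

    const char *hostdot = strchr(host, '.');
    if (!hostdot || hostdot == host)
        return 0;                            /* need a non-empty first label */

    const char *hrest = hostdot + 1;         /* host minus its first label */
    size_t rlen = strlen(rest);
    return strlen(hrest) == rlen && ieq(hrest, rest, rlen);
}

int main(void)
{
    /* Constructed sample names; none of these are from the thread. */
    const char *pattern = "*.example.com";
    const char *hosts[] = { "www.example.com", "example.com",
                            "a.b.example.com", "WWW.EXAMPLE.COM" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s vs %-16s -> %s\n", pattern, hosts[i],
               hostmatch(pattern, hosts[i]) ? "match" : "no match");
    return 0;
}
```

The point to keep in mind when porting this onto WinCE, where schannel leaves validation to the application, is that the hostname comparison must be one of several checks (certificate chain to a trusted root, validity period, key usage); a correct hostmatch() alone does not make a connection trustworthy.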

