
curl-library

[PATCH] schannel: Add support for optional client certificates

From: Joel DePooter <joel.depooter_at_safe.com>
Date: Fri, 5 Jun 2015 13:53:21 -0700

Hello all,

I've made the attached patch, which allows curl with schannel to
connect to servers which request a client certificate, but do not
require it. With this change, when a server requests a client
certificate, curl will now continue the handshake without one. If the
client certificate is mandatory, the server will terminate the
connection. Otherwise, if the certificate is optional, the handshake
will continue. Prior to this change, curl would always terminate the
connection, with a SEC_I_INCOMPLETE_CREDENTIALS error. Some minimal
testing indicates that the problem does not occur when using OpenSSL
as the SSL backend.

See these links for a description of the fix:
https://groups.google.com/d/msg/microsoft.public.platformsdk.security/lb-9guU8-D8/tgBBECWKyLYJ
https://groups.google.com/d/msg/microsoft.public.platformsdk.security/gKEz2o6nHOI/vfROf7ePq_0J

This can be tested using Apache/mod_ssl, by setting the
SSLVerifyClient directive to 'optional'. IIS can also be configured to
request a client certificate, but not require it. There is no test
case attached to this commit.

Thanks,
Joel Depooter
joel.depooter_at_safe.com

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2015-06-05
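The three server behaviours the post distinguishes (no client cert requested, cert requested but optional, cert required) can be reproduced without Apache or IIS. The following is an added example, not curl code and not the attached patch: it uses Go's crypto/tls rather than schannel, and it maps Apache's SSLVerifyClient values onto Go's ClientAuthType as an analogy (none = NoClientCert, optional = RequestClientCert, require = RequireAnyClientCert). The client is configured with no certificate, so when the server sends CertificateRequest it answers with an empty Certificate message and continues, which is the behaviour the post describes for curl after the patch; the server's policy then decides whether the handshake completes or is terminated. The self-signed certificate is generated in memory and the connection runs over loopback TCP so the example is self-contained; InsecureSkipVerify is used only because of that self-signed cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert builds a throwaway server certificate in memory so the
// example runs offline. Constructed test material, not anything from curl.
func selfSignedServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeWithoutClientCert runs one TLS handshake over loopback TCP. The
// server enforces the given client-certificate policy; the client has no
// certificate configured, so a CertificateRequest is answered with an empty
// Certificate message. Returns nil if both sides completed the handshake.
func handshakeWithoutClientCert(policy tls.ClientAuthType) error {
	cert, err := selfSignedServerCert()
	if err != nil {
		return err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, MinVersion: tls.VersionTLS12}
	// No Certificates / GetClientCertificate on the client. InsecureSkipVerify
	// only because the server cert above is self-signed; never in production.
	clientCfg := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}

	serverDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverDone <- err
			return
		}
		defer raw.Close()
		_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
		serverDone <- tls.Server(raw, serverCfg).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	clientErr := tls.Client(raw, clientCfg).Handshake()

	// A mandatory-cert server terminates the handshake; report its reason first.
	if err := <-serverDone; err != nil {
		return fmt.Errorf("server rejected handshake: %w", err)
	}
	if clientErr != nil {
		return fmt.Errorf("client handshake failed: %w", clientErr)
	}
	return nil
}

func main() {
	policies := []struct {
		name   string
		policy tls.ClientAuthType
	}{
		{"none (NoClientCert)", tls.NoClientCert},
		{"optional (RequestClientCert)", tls.RequestClientCert},
		{"require (RequireAnyClientCert)", tls.RequireAnyClientCert},
	}
	for _, p := range policies {
		if err := handshakeWithoutClientCert(p.policy); err != nil {
			fmt.Printf("SSLVerifyClient %-32s -> %v\n", p.name, err)
		} else {
			fmt.Printf("SSLVerifyClient %-32s -> completed without a client certificate\n", p.name)
		}
	}
}
```

The optional case is the one the post is about: the server asks for a certificate, the client has none and says so, and the handshake still completes. Whether the server then serves the request or returns an HTTP-level error is an application decision, which is why testing against a real mod_ssl or IIS configuration remains worthwhile.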