Re: [PATCH] schannel: Add support for optional client certificates

From: Ray Satiro via curl-library
Date: Thu, 11 Jun 2015 16:00:44 -0400

On 6/5/2015 4:53 PM, Joel DePooter wrote:
> I've made the attached patch, which allows curl with schannel to
> connect to servers which request a client certificate, but do not
> require it. With this change, when a server requests a client
> certificate, curl will now continue the handshake without one. If the
> client certificate is mandatory, the server will terminate the
> connection. Otherwise, if the certificate is optional, the handshake
> will continue. Prior to this change, curl would always terminate the
> connection, with a SEC_I_INCOMPLETE_CREDENTIALS error. Some minimal
> testing indicates that the problem does not occur when using OpenSSL
> as the SSL backend.
> See these links for a description of the fix:
> This can be tested using Apache/mod_ssl, by setting the
> SSLVerifyClient directive to 'optional'. IIS can also be configured to
> request a client certificate, but not require it. There is no test
> case attached to this commit.

Thanks, I could reproduce that here. Landed in

Received on 2015-06-11
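
The Apache/mod_ssl test setup mentioned in the quoted message, as an added example that is not part of the original mail or of the curl patch. The server name, port, file paths and log name are placeholders.

```apache
# Added example: test virtual host that requests, but does not require,
# a client certificate. All names and paths below are placeholders.
Listen 8443
<VirtualHost *:8443>
    ServerName test.example
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA used to validate a client certificate when one is presented.
    SSLCACertificateFile  /path/to/client-ca.crt

    # "optional": the server sends a certificate request, and the
    # handshake still completes if the client answers without one.
    # With "require" the server ends the connection instead.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    # Log, per request, whether a certificate was presented and verified.
    # SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:reason.
    LogFormat "%h %{SSL_PROTOCOL}x verify=%{SSL_CLIENT_VERIFY}x \"%r\" %>s" clientcert
    CustomLog logs/clientcert.log clientcert

    # With optional verification the handshake no longer proves that the
    # client authenticated, so protected paths must check it explicitly.
    <Location "/protected">
        Require ssl-verify-client
    </Location>
</VirtualHost>
```

A client that connects without a certificate shows up in the log as `verify=NONE` and is refused on `/protected`, which separates "handshake completed" from "client authenticated".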