Re: [PATCH] schannel: Add support for optional client certificates

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 11 Jun 2015 16:00:44 -0400

On 6/5/2015 4:53 PM, Joel DePooter wrote:
> I've made the attached patch, which allows curl with schannel to
> connect to servers which request a client certificate, but do not
> require it. With this change, when a server requests a client
> certificate, curl will now continue the handshake without one. If the
> client certificate is mandatory, the server will terminate the
> connection. Otherwise, if the certificate is optional, the handshake
> will continue. Prior to this change, curl would always terminate the
> connection, with a SEC_I_INCOMPLETE_CREDENTIALS error. Some minimal
> testing indicates that the problem does not occur when using OpenSSL
> as the SSL backend.
>
> See these links for a description of the fix:
> https://groups.google.com/d/msg/microsoft.public.platformsdk.security/lb-9guU8-D8/tgBBECWKyLYJ
> https://groups.google.com/d/msg/microsoft.public.platformsdk.security/gKEz2o6nHOI/vfROf7ePq_0J
>
> This can be tested using Apache/mod_ssl, by setting the
> SSLVerifyClient directive to 'optional'. IIS can also be configured to
> request a client certificate, but not require it. There is no test
> case attached to this commit.

Thanks, I could reproduce that here. Landed in
https://github.com/bagder/curl/commit/a3e5a43

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-06-11
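The behaviour discussed above (a server that requests a client certificate but does not require it, versus one that terminates the handshake when none is offered) can be reproduced without Windows or Apache. The following Go program is an added example, not curl or schannel code and not part of the original mail: it stands in Go's crypto/tls for schannel on the client side and for mod_ssl on the server side, maps mod_ssl's "SSLVerifyClient optional" to tls.RequestClientCert and "SSLVerifyClient require" to tls.RequireAndVerifyClientCert, and runs a client that, like curl with no --cert, answers the CertificateRequest with an empty Certificate message. The self-signed certificate, the in-memory net.Pipe transport and the function name handshakeWithoutClientCert are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway server certificate in memory
// (constructed for this example; any real deployment uses a CA-issued cert).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeWithoutClientCert runs one TLS handshake over an in-memory pipe.
// The server applies the given client-auth policy; the client has no
// certificate configured, so when the server sends CertificateRequest the
// client continues with an empty Certificate message (the schannel fix does
// the same). It returns the client's and the server's handshake errors.
func handshakeWithoutClientCert(policy tls.ClientAuthType) (clientErr, serverErr error) {
	cert, err := selfSignedCert()
	if err != nil {
		return err, err
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return err, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)

	// Pinned to TLS 1.2 on purpose: in TLS 1.3 the client's Handshake()
	// returns as soon as its Finished is sent, and a server that rejects the
	// missing certificate only surfaces as an error on the first Read.
	serverConf := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   policy,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
	}
	clientConf := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}

	c1, c2 := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	c1.SetDeadline(deadline) // a stuck handshake fails instead of hanging
	c2.SetDeadline(deadline)

	srvDone := make(chan error, 1)
	go func() {
		srvDone <- tls.Server(c2, serverConf).Handshake()
		c2.Close() // raw close: no close_notify, so the pipe cannot deadlock
	}()
	clientErr = tls.Client(c1, clientConf).Handshake()
	serverErr = <-srvDone
	c1.Close()
	return clientErr, serverErr
}

func main() {
	for _, p := range []struct {
		name   string
		policy tls.ClientAuthType
	}{
		{"optional (SSLVerifyClient optional)", tls.RequestClientCert},
		{"required (SSLVerifyClient require)", tls.RequireAndVerifyClientCert},
	} {
		cErr, sErr := handshakeWithoutClientCert(p.policy)
		fmt.Printf("%-40s client: %v | server: %v\n", p.name, cErr, sErr)
	}
}
```

With the optional policy both sides finish the handshake cleanly; with the required policy the server aborts after reading the empty Certificate message and the client sees the server's alert as a handshake error, which is the "server will terminate the connection" case from the mail. The client code is identical in both runs: deciding whether a missing certificate is fatal is the server's job, which is why a client backend that refuses to continue on CertificateRequest breaks the optional case.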