curl-library
Re: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) The revocation function was unable to check revocation because the revocation server was offline.
Date: Wed, 23 Mar 2016 12:45:53 -0400
On 3/23/2016 5:05 AM, Volker Schmid wrote:
> We use libCurl version 7.43.0 with schannel support for TLS. Some
> customers using a proxy are getting the following issue:
[...]
> 2016-03-22 14:20:13-1943 [4736]: VERB: CURL: schannel: next
> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
> Sperrfunktion konnte die Sperrung nicht �berpr�fen, da der Sperrserver
> offline war.
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: Closing connection 0
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: shutting down
> SSL/TLS connection with pls2.regify.com port 443
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: clear security
> context handle
> 2016-03-22 14:20:13-1945 [4736]: VERB: CURL: schannel: clear
> credential handle
> 2016-03-22 14:20:13-1945 [4736]: VERB: CURL: NTLM-proxy picked AND
> auth done set, clear picked!
>
> The translated error message is: The revocation function was unable to
> check revocation because the revocation server was offline.
>
> Any idea what's going on here? We tried to check if the proxy is
> blocking the calls to CRL servers, but we can not see such.
When curl is built with the WinSSL (schannel) SSL backend certificate
revocation checking is enabled by default and the checking is handled
automatically by the Windows OS, not by libcurl. Whatever proxy settings
you are using in libcurl will not be used to retrieve the revocation
resource, instead the OS will use its settings. Assuming those settings
are correct that error message usually means what it says, the
revocation server is offline. However I did once see that message when
there was no revocation resource in the CA certificate [1], but that's
very unusual unless the SSL traffic is being intercepted.
If you are unable to find the cause and your circumstances allow you can
disable revocation checking per session in curl w/ WinSSL by using
option --ssl-no-revoke [1] in curl >= 7.44 or by passing flag
CURLSSLOPT_NO_REVOKE to CURLOPT_SSL_OPTIONS [2] in libcurl >= 7.44.
[1]: https://github.com/curl/curl/issues/264
[2]: https://curl.haxx.se/docs/manpage.html#--ssl-no-revoke
[3]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_OPTIONS.html
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-03-23