From d274bbe8281c6ed98cf932e74912381e6c561105 Mon Sep 17 00:00:00 2001
From: IhorKarpenko <ihor.karpenko@gmail.com>
Date: Thu, 23 Aug 2018 14:18:17 +0300
Subject: [PATCH] The reasons for this change:

1) Using CERT_STORE_OPEN_EXISTING_FLAG (or CERT_STORE_READONLY_FLAG) when opening the certificate store is sufficient in this scenario and less demanding in terms of the required user credentials (for example, IIS_IUSRS gets an "Access Denied" 0x05 error from the existing CertOpenStore call when neither of the flags mentioned above is set),

2) as 'cert_store_name' is a DWORD, attempt to format its value like a string ( in "Failed to open cert store" error message ) will throw null pointer exception

3) adding GetLastError(), in my opinion, will make error message more useful.
---
 lib/vtls/schannel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index ebd1c1c04..14d7ef2f0 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -604,10 +604,10 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 
       cert_store = CertOpenStore(CURL_CERT_STORE_PROV_SYSTEM, 0,
                                  (HCRYPTPROV)NULL,
-                                 cert_store_name, cert_store_path);
+                                 CERT_STORE_OPEN_EXISTING_FLAG | cert_store_name, cert_store_path);
       if(!cert_store) {
-        failf(data, "schannel: Failed to open cert store %s %s",
-              cert_store_name, cert_store_path);
+        failf(data, "schannel: Failed to open cert store %x %s, last error is %x",
+              cert_store_name, cert_store_path, GetLastError() );
         Curl_unicodefree(cert_path);
         return CURLE_SSL_CONNECT_ERROR;
       }
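Review bot: `%x` is the wrong conversion for both `cert_store_name` and `GetLastError()` on the new failf lines: each is a DWORD, which is `unsigned long` on Windows, so the format should be `%lx` (or the arguments cast to unsigned int), and the error code is easier to read with an explicit `0x` prefix, e.g. `failf(data, "schannel: Failed to open cert store %lx %s, " "last error is 0x%lx", cert_store_name, cert_store_path, GetLastError());`. The rewritten CertOpenStore argument line and the new format-string line both run past 79 columns, and `GetLastError() )` carries a space before the closing parenthesis, which curl's checksrc is likely to reject; breaking the flag expression and the format string across lines as in the snippet addresses both. Reading GetLastError() with only the null check between it and the failing call is correct, and it is worth keeping any future cleanup after the failf so the value is not clobbered. schannel_connect_step1 begins and ends outside this hunk.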
-- 
2.18.0.windows.1

