
Re: schannel - The revocation function was unable to check revocation for the certificate

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 2 Mar 2019 01:21:16 -0500

On 2/28/2019 12:50 PM, Vincas Razma via curl-library wrote:
>
> I have configured CURL to use WinSSL (schannel), and it does trust
> system trusted CAs just fine (that was the goal). However, one user
> has a proxy configuration, where it acts as man-in-the-middle. Such
> configuration in general works just fine with our CURL lib build, and
> proxy provided certificates do look ok. Windows does trust their root
> CA certificate, and all other software is also able to verify proxy
> generated certificates (browsers, .NET apps, etc.).
>
> Certificate path looks something like this:
>
> User root CA
>     User intermediate CA
>          *.ourservice.com
>
> Only “User intermediate CA” contains CRL distribution points, those
> are working. “User root CA” is trusted by the OS.
>
> However, we get this logged by CURL:
>
> schannel: next InitializeSecurityContext failed: Unknown error
> (0x80092012) - The revocation function was unable to check revocation
> for the certificate
>
> Trusting “User intermediate CA” in Windows did not help either.
>
> There are not many leads, but maybe anyone has any hint what could have
> gone wrong?
>

curl does revocation checking by default when schannel is used as the
SSL backend. It's possible the other applications are working because
they do not do revocation checking by default. I suggest using certutil
to examine the certificate and see if it shows as revoked:

certutil -f -urlfetch -verify cert.crt
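The reply turns on one distinction: a certificate that is actually revoked versus a revocation check that simply could not be completed. curl on schannel fails the handshake in both cases, which is why it behaves differently from clients that skip the check. The following is an added example, not code from this thread or from the curl project: a small triage helper that reads curl's schannel failure lines, decodes the HRESULT in parentheses using the constant values from the Windows SDK's winerror.h, and separates hard trust failures from "could not check" results so an operator knows whether to run the certutil step above or to look at CRL/OCSP reachability. The log lines are constructed for the example; the first one copies the message quoted in the mail.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# HRESULT codes Schannel can surface through curl (values from winerror.h).
# 0x80092012 is the code quoted in the mail.
HRESULT_MEANINGS = {
    0x80092010: ("CRYPT_E_REVOKED", "hard",
                 "certificate is revoked; do not bypass"),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK", "soft",
                 "no revocation data could be retrieved for some chain element "
                 "(check each certificate with: certutil -f -urlfetch -verify <file>)"),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "soft",
                 "CRL/OCSP responder unreachable; check egress to the CDP/AIA URLs"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT", "hard",
                 "chain ends in a root the OS store does not trust"),
}

# Matches curl's schannel verbose line, e.g.
#   schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - ...
SCHANNEL_RE = re.compile(
    r"schannel:.*?InitializeSecurityContext failed:.*?\(0x([0-9a-fA-F]{8})\)"
)


@dataclass(frozen=True)
class Triage:
    hresult: int
    name: str
    severity: str   # "hard": a genuine trust failure; "soft": could not verify
    action: str


def triage_line(line: str) -> Optional[Triage]:
    """Classify one curl log line; None if it is not a schannel handshake failure."""
    m = SCHANNEL_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    name, severity, action = HRESULT_MEANINGS.get(
        code, ("UNKNOWN", "unknown", "look the HRESULT up in winerror.h"))
    return Triage(code, name, severity, action)


def triage_log(lines: Iterable[str]) -> dict:
    """Summarise a log: per-severity counts plus the distinct actions to take."""
    counts: Counter = Counter()
    actions = []
    for line in lines:
        t = triage_line(line)
        if t is None:
            continue
        counts[t.severity] += 1
        if t.action not in actions:
            actions.append(t.action)
    return {"hard": counts["hard"], "soft": counts["soft"],
            "unknown": counts["unknown"], "actions": actions}


# Constructed sample log (not real output from the reporter's system). The first
# entry copies the message quoted in the mail; the others are made up for contrast.
SAMPLE_LOG = [
    "schannel: next InitializeSecurityContext failed: Unknown error "
    "(0x80092012) - The revocation function was unable to check revocation "
    "for the certificate",
    "* Connected to proxy.example.invalid (10.0.0.1) port 8080",
    "schannel: next InitializeSecurityContext failed: Unknown error "
    "(0x80092010) - The certificate is revoked.",
    "schannel: next InitializeSecurityContext failed: Unknown error "
    "(0x80092013) - The revocation function was unable to check revocation "
    "because the revocation server was offline.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        t = triage_line(line)
        if t:
            print(f"0x{t.hresult:08x} {t.name:<28} {t.severity:<5} {t.action}")
    print(triage_log(SAMPLE_LOG))
```

The "soft" label does not mean the failure is safe to ignore: it means the client had no evidence either way, and curl chooses to fail closed in that situation. The useful next step for a "soft" result is the certutil command from the reply, run against each certificate in the proxy's chain, to see which one lacks usable revocation information.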

Received on 2019-03-02