
Problems with schannel support for CURLOPT_CAINFO

From: Richard Alcock via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 31 Oct 2019 11:11:31 +0000

I'm hitting what I think are two problems using CURLOPT_CAINFO with the
schannel backend.

The issues stem from making requests concurrently from multiple
threads specifying the same file in CURLOPT_CAINFO. If I run the code
below on multiple threads concurrently, some number of them fail, and
print out:

"ERROR: Problem with the SSL CA cert (path? access rights?) -
schannel: failed to open CA file '<path to PEM file>': Broken pipe"

#include <curl/curl.h>
#include <iostream>
#include <string>

// One request; this body is what each thread runs concurrently.
void do_request()
{
    CURL *curl = curl_easy_init();
    char error[CURL_ERROR_SIZE] = {0};   // libcurl may leave it empty on some errors
    curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
    curl_easy_setopt(curl, CURLOPT_FILE, nullptr);   // legacy alias of CURLOPT_WRITEDATA
    curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
    curl_easy_setopt(curl, CURLOPT_CAINFO, "<path to PEM file>");
    CURLcode res = curl_easy_perform(curl);
    if (res != CURLE_OK) {
        std::cerr << "ERROR: " << curl_easy_strerror(res) << " - "
                  << std::string(error) << "\n";
    }
    curl_easy_cleanup(curl);
}

I believe this is because in schannel_verify.c the ca_file provided in
CURLOPT_CAINFO is opened (via CreateFile) with the (default) share
mode of 0. From MSDN this "Prevents other processes from opening a
file or device if they request delete, read, or write access." This is
fixed by passing FILE_SHARE_READ to the call to CreateFile. Any reason
why the "no sharing allowed" mode was chosen here instead?

The second issue is in how the Windows error is converted to a string.
I believe when CreateFile fails GetLastError is returning 32
(ERROR_SHARING_VIOLATION) but the string version is "Broken Pipe"
which suggests POSIX errno is being used rather than Windows errors.
This is Curl_strerror which is used widely, so not sure of
consequences of making a change there. Any thoughts?

-- 
Richard
Received on 2019-10-31
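As an added, Windows-only example that is not part of the original mail: the sharing violation the report describes can be reproduced in PowerShell without any threads, because .NET's FileShare values map directly onto CreateFile's dwShareMode (FileShare.None is share mode 0, FileShare.Read is FILE_SHARE_READ) and the conflict arises whenever a second handle is requested while the first is still open. The "CA file" is a constructed temp file, not a real bundle.

```powershell
# Added example, not from the post. Reproduces the share-mode behaviour the
# report describes: holding a handle opened with share mode 0 makes every
# concurrent open of the same file fail with ERROR_SHARING_VIOLATION (32).

$caFile = Join-Path $env:TEMP 'fake-ca-bundle.pem'          # constructed stand-in path
Set-Content -Path $caFile -Value '-----BEGIN CERTIFICATE-----'  # placeholder content

function Test-ConcurrentOpen {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.IO.FileShare] $Share   # None == dwShareMode 0
    )
    # First reader holds the file open, as one libcurl thread would while
    # it is loading the CA bundle.
    $first = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                    [System.IO.FileAccess]::Read, $Share)
    try {
        # Second reader asks for the same file while the first handle is live.
        try {
            $second = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                             [System.IO.FileAccess]::Read, $Share)
            $second.Dispose()
            return 'second open succeeded'
        } catch [System.IO.IOException] {
            # The low 16 bits of the HRESULT carry the Win32 error code;
            # 32 is ERROR_SHARING_VIOLATION, the code the report mentions.
            $win32 = $_.Exception.HResult -band 0xFFFF
            return "second open failed, Win32 error $win32 ($($_.Exception.Message))"
        }
    } finally {
        $first.Dispose()
    }
}

'Share mode 0 (FileShare.None):    ' + (Test-ConcurrentOpen -Path $caFile -Share None)
'FILE_SHARE_READ (FileShare.Read): ' + (Test-ConcurrentOpen -Path $caFile -Share Read)
Remove-Item $caFile
```

With FileShare.None the second open fails with Win32 error 32; with FileShare.Read both handles coexist, which is the change the report proposes for the CreateFile call in schannel_verify.c.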