Re: Problems with schannel support for CURLOPT_CAINFO

From: Ray Satiro via curl-library
Date: Fri, 1 Nov 2019 18:39:01 -0400

On 10/31/2019 7:11 AM, Richard Alcock via curl-library wrote:
> I'm hitting what I think is two problems using CURLOPT_CAINFO with the
> schannel backend.
> The issues stem from making requests concurrently from multiple
> threads specifying the same file in CURLOPT_CAINFO. If I run the code
> below on multiple threads concurrently, some number of them fail, and
> print out:
> "ERROR: Problem with the SSL CA cert (path? access rights?) -
> schannel: failed to open CA file '<path to PEM file>': Broken pipe"
>
>   CURL *curl = curl_easy_init();
>   char error[CURL_ERROR_SIZE];
>   curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
>   curl_easy_setopt(curl, CURLOPT_FILE, nullptr);
>   curl_easy_setopt(curl, CURLOPT_URL, "");
>   curl_easy_setopt(curl, CURLOPT_CAINFO, "<path to PEM file>");
>   CURLcode res = curl_easy_perform(curl);
>   if (res != CURLE_OK) {
>     std::cerr << "ERROR: " << curl_easy_strerror(res) << " - "
>               << std::string(error) << "\n";
>   }
>   curl_easy_cleanup(curl);
>
> I believe this is because in schannel_verify.c the ca_file provided in
> CURLOPT_CAINFO is opened (via CreateFile) with the (default) share
> mode of 0. From MSDN this "Prevents other processes from opening a
> file or device if they request delete, read, or write access." This is
> fixed by passing FILE_SHARE_READ to the call to CreateFile. Any reason
> why the "no sharing allowed" mode was chosen here instead?

It's a bug and I didn't catch it during review. Fix just landed [1].

> The second issue is in how the Windows error is converted to a string.
> I believe when CreateFile fails GetLastError is returning 32
> (ERROR_SHARING_VIOLATION) but the string version is "Broken Pipe"
> which suggests POSIX errno is being used rather than Windows errors.
> This is Curl_strerror which is used widely, so not sure of
> consequences of making a change there. Any thoughts?

I opened issue #4550 [2] based on your report.



Received on 2019-11-01
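
The share-mode rule behind the first problem in this thread, as an added example (not code from curl or from either poster): a simplified, portable C model of how Windows checks a new open against handles that are already open, assuming every reader holds the file at the same moment. The names `model_open`, `failed_readers` and the `M_*` flags are made up for the model; 32 is the ERROR_SHARING_VIOLATION value quoted in the mail, and the last line of `main` shows the same number read as a C errno.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): access and share flags use the same bits. */
enum { M_READ = 1, M_WRITE = 2, M_DELETE = 4 };
#define MODEL_SHARING_VIOLATION 32 /* value of ERROR_SHARING_VIOLATION */
#define MAX_OPEN 8

struct open_file { unsigned access, share; };
struct file_model { struct open_file h[MAX_OPEN]; int count; };

/* Returns 0 and records the handle, or 32 when the request conflicts
   with a handle that is already open on the same file. */
static int model_open(struct file_model *f, unsigned access, unsigned share)
{
  int i;
  for(i = 0; i < f->count; i++) {
    if((access & ~f->h[i].share) || /* holder does not share what we ask */
       (f->h[i].access & ~share))   /* we do not share what holder has */
      return MODEL_SHARING_VIOLATION;
  }
  if(f->count == MAX_OPEN)
    return -1; /* model table full */
  f->h[f->count].access = access;
  f->h[f->count].share = share;
  f->count++;
  return 0;
}

/* n readers open one CA file with the same share mode and keep it open
   (worst case for concurrent threads); returns how many opens fail. */
static int failed_readers(int n, unsigned share)
{
  struct file_model f = { {{0, 0}}, 0 };
  int i, failed = 0;
  for(i = 0; i < n; i++)
    if(model_open(&f, M_READ, share) != 0)
      failed++;
  return failed;
}

int main(void)
{
  printf("share mode 0:    %d of 4 fail\n", failed_readers(4, 0));
  printf("share mode read: %d of 4 fail\n", failed_readers(4, M_READ));
  /* The same number passed to the C runtime is EPIPE, not a sharing error. */
  printf("strerror(32):    %s\n", strerror(MODEL_SHARING_VIOLATION));
  return 0;
}
```

In the real report only some threads fail, because each handle is closed once the file has been read; the model keeps them all open to show the rule itself.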