Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Problems with schannel support for CURLOPT_CAINFO

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 1 Nov 2019 18:39:01 -0400

On 10/31/2019 7:11 AM, Richard Alcock via curl-library wrote:
> I'm hitting what I think is two problems using CURLOPT_CAINFO with the
> schannel backend.
>
> The issues stem from making requests concurrently from multiple
> threads specifing the same file in CURLOPT_CAINFO. If I run the code
> below on multiple threads concurrently, some number of them fail, and
> print out:
>
> "ERROR: Problem with the SSL CA cert (path? access rights?) -
> schannel: failed to open CA file '<path to PEM file>': Broken pipe"
>
> CURL *curl = curl_easy_init();
> char error[CURL_ERROR_SIZE];
> curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
> curl_easy_setopt(curl, CURLOPT_FILE, nullptr);
> curl_easy_setopt(curl, CURLOPT_URL,"https://example.com/");
> curl_easy_setopt(curl, CURLOPT_CAINFO,"<path to PEM file>");
> int res = curl_easy_perform(curl);
> if (res != CURLE_OK) {
> std::cerr << "ERROR: " << curl_easy_strerror(res) << " - " <<
> std::string(error) << "\n";
> }
> curl_easy_cleanup(curl);
>
> I believe this is because in schannel_verify.c the ca_file provided in
> CURLOPT_CAINFO is opened (via CreateFile) with the (default) share
> mode of 0. From MSDN this "Prevents other processes from opening a
> file or device if they request delete, read, or write access." This is
> fixed by passing FILE_SHARE_READ to the call to CreateFile. Any reason
> why the "no sharing allowed" mode was chosen here instead?

It's a bug and I didn't catch it during review. Fix just landed [1].

> The second issue is in how the Windows error is converted to a string.
> I believe when CreateFile fails GetLastError is returning 32
> (ERROR_SHARING_VIOLATION) but the string version is "Broken Pipe"
> which suggests POSIX errno is being used rather than Windows errors.
> This is Curl_strerror which is used widely, so not sure of
> consequences of making a change there. Any thoughts?

I opened issue #4550 [2] based on your report.

Thanks

[1]: https://github.com/curl/curl/commit/9c49824
[2]: https://github.com/curl/curl/issues/4550

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-11-01