
Re: Changes I had to make to libcurl sources for Windows mutual auth to work

From: Ray Satiro via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 16 Apr 2022 02:56:51 -0400

On 4/12/2022 5:56 PM, Tuomas Kaikkonen via curl-library wrote:
> I had to comment out a few lines that check the Windows NT version number
> in order to get curl mutual auth to work with 90m/CAC cards (Windows
> certificates).
>
> Without this change, curl would close the TLS connection after sending
> only a partial data response to all my requests to the IIS.
> I suspect the curlx_verify_windows_version(5, 0, 0, PLATFORM_WINNT,
> VERSION_EQUAL) is the culprit.
> I run curl lib on Windows 10 Professional.
>
> This is the change I made to curl 7.81.0 sources:
>
> diff --git a/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> b/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> index 0a8e60610d..bd75256c21 100644
> --- a/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> +++ b/3rdparty/curl/7.81.0/lib/vtls/schannel.c
> @@ -2052,10 +2052,11 @@ schannel_recv(struct Curl_easy *data, int
> sockindex,
>    */
>    if(len && !backend->decdata_offset &&
> backend->recv_connection_closed &&
>       !backend->recv_sspi_close_notify) {
> -    bool isWin2k = curlx_verify_windows_version(5, 0, 0, PLATFORM_WINNT,
> -                                                VERSION_EQUAL);
> -
> -    if(isWin2k && sspi_status == SEC_E_OK)
> +    //bool isWin2k = curlx_verify_windows_version(5, 0, 0,
> PLATFORM_WINNT,
> +    //                                            VERSION_EQUAL);
> +    //
> +    //if(isWin2k && sspi_status == SEC_E_OK)
> +    if (sspi_status == SEC_E_OK) /* TPS TKKZZZ */
>        backend->recv_sspi_close_notify = true;
>      else {
>        *err = CURLE_RECV_ERROR;
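Review bot: the replacement condition `+    if (sspi_status == SEC_E_OK) /* TPS TKKZZZ */` removes the only guard on this path, so `backend->recv_sspi_close_notify = true` is now set for every connection that closed without a close_notify alert whenever the last SSPI status was SEC_E_OK, not just on Windows 2000 as before; the `*err = CURLE_RECV_ERROR` branch, which is what reports a possibly truncated response, can no longer be reached for that case. Suggest not carrying this patch and instead capturing how the peer ends the connection, as the reply below recommends. If a change to this block is ever proposed upstream, delete the lines rather than leaving them as `//`-commented code, drop the personal `TPS TKKZZZ` marker, and keep to the `/* */` comment style of the surrounding lines.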


Your change signals that a TLS close notify alert was received even when
it wasn't. That is a hack we have only for Windows 2000 and I don't even
know who would be using that anymore. Most likely your server isn't
shutting down the connection properly which is why you don't receive the
close notify. On the other hand there could be a bug where curl fails to
detect the close notify. You'd have to use a tool like Wireshark to
determine how the connection ends.


-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2022-04-16
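The close notify point in the reply above, as an added example that is not part of this thread and not curl code: a small Python parser over TLS 1.2 record-layer bytes that reports whether a stream ended with a close_notify alert or was simply cut off, which is the distinction the Windows 2000 hack collapses when applied to every connection. The content-type and alert codes are the standard TLS values; the sample streams are constructed with plaintext fragments (real alert fragments are encrypted) so the check runs offline.

```python
"""Classify how a TLS byte stream ended: clean close_notify vs. truncation.

Models the record layer only: a TLS 1.2 record is a 5-byte header
(content type, protocol version, fragment length) followed by the
fragment. A peer that shuts down properly sends an alert record carrying
close_notify before closing TCP; a stream that just stops, or stops in
the middle of a record, may have been truncated.
"""
import struct

CONTENT_ALERT = 21          # TLS content type: alert
CONTENT_APPDATA = 23        # TLS content type: application_data
ALERT_LEVEL_WARNING = 1     # alert level for close_notify
ALERT_CLOSE_NOTIFY = 0      # alert description close_notify
HEADER_LEN = 5


def parse_records(stream: bytes):
    """Return a list of (content_type, fragment) for every complete record.

    Raises ValueError if the stream ends inside a record header or inside
    a fragment shorter than the length its header declares."""
    records = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            raise ValueError("stream ends inside a record header")
        ctype, _version, length = struct.unpack(
            "!BHH", stream[pos:pos + HEADER_LEN])
        pos += HEADER_LEN
        if len(stream) - pos < length:
            raise ValueError("stream ends inside a record fragment")
        records.append((ctype, stream[pos:pos + length]))
        pos += length
    return records


def classify_close(stream: bytes) -> str:
    """'clean' if the final record is a close_notify alert, else 'truncated'.

    Both an abrupt TCP close after a complete record and an EOF in the
    middle of a record are reported as 'truncated': without close_notify
    the receiver cannot tell whether more data was supposed to follow."""
    try:
        records = parse_records(stream)
    except ValueError:
        return "truncated"
    if not records:
        return "truncated"
    ctype, fragment = records[-1]
    if ctype == CONTENT_ALERT and fragment == bytes(
            [ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY]):
        return "clean"
    return "truncated"


def record(ctype: int, fragment: bytes) -> bytes:
    """Build one record with a TLS 1.2 version field (0x0303)."""
    return struct.pack("!BHH", ctype, 0x0303, len(fragment)) + fragment


# Constructed sample streams (plaintext fragments, for illustration only).
RESPONSE = record(CONTENT_APPDATA, b"HTTP/1.1 200 OK\r\n\r\nhello")
CLEAN_STREAM = RESPONSE + record(
    CONTENT_ALERT, bytes([ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY]))
ABRUPT_STREAM = RESPONSE                  # TCP closed with no close_notify
PARTIAL_STREAM = RESPONSE[:-3]            # TCP closed mid-record


if __name__ == "__main__":
    for name, data in (("clean", CLEAN_STREAM), ("abrupt", ABRUPT_STREAM),
                       ("partial", PARTIAL_STREAM)):
        print(f"{name:8s} -> {classify_close(data)}")
```

The original libcurl code above reports CURLE_RECV_ERROR in the "truncated" cases and accepts only the "clean" one (apart from the Windows 2000 special case); a client that treats the "abrupt" case as clean cannot distinguish a complete response from one that was cut short in transit.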