I'm working with libcurl 7.55.1 under Windows, using Windows SSPI and
Schannel, not OpenSSL.

In lib\vtls\schannel.c, line 635, the error handling is:

      return sspi_status == SEC_E_UNTRUSTED_ROOT ?
        CURLE_SSL_CACERT_BADFILE : CURLE_SSL_CONNECT_ERROR;

I think that CURLE_SSL_CACERT_BADFILE should be CURLE_SSL_CACERT instead,
since at this point there's no attempt to read a file set via the
CURLOPT_CAPATH option, and you get an error code that refers to the
certificate bundle when you haven't given curl a certificate bundle. The
docs for CURLOPT_CAPATH say it doesn't work in Windows, and this code path
is (I think) Windows-specific, so I can't see how a certificate bundle would
ever be used in this scenario.

Because the real problem here is that the root is not trusted, the error
code of CURLE_SSL_CACERT seems to make more sense.
