Sure, but I somehow refuse to believe that it should really be impossible to 
connect to a simple https:// site with Schannel on Windows 7. I mean, this is 
basic functionality, this just *has to* work...

On 04.01.2019 at 18:26 Salisbury, Mark wrote:

> I’m running Windows 10.  There’s got to be some differences
> (appears to be improvements in this case) in Schannel from Windows 7 to
> Windows 10.
>
> -Mark
>
> From: Andreas Falkenhahn <andr...@falkenhahn.com>
> Sent: Friday, January 4, 2019 10:14 AM
> To: Salisbury, Mark <mark.salisb...@hp.com>
> Cc: libcurl development <curl-library@cool.haxx.se>
> Subject: Re: schannel: next InitializeSecurityContext failed: Unknown error
>
> Unfortunately, the problem persists here. In the meantime I've made
> some further tests and I've found out that the problem happens only
> on my Windows 7 machine. On my Windows 10 machine both sites work
> just fine, like on your system. But on my Windows 7 machine the
> *.de site works, but the *.com site doesn't. This is really
> confusing me, especially because the CRL distribution point for both
> sites is the same. I haven't got the slightest idea how to fix this :-/
>
> On 04.01.2019 at 18:04 Salisbury, Mark wrote:
>
 >> This error message is actually pretty helpful:
 >>
 >> Trying https://www.hollywood-mal.de/ OK!
 >> Trying https://www.hollywood-mal.com/ FAIL: 35 schannel: next
 >> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
 >> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
 >> Sperrserver offline war. (NB: In English the error is probably
 >> "schannel: next InitializeSecurityContext failed: Unknown error
 >> (0x80092013) - The revocation function was unable to check
 >> revocation because the revocation server was offline.")
 >>
 >> I checked the CRL distribution point for both sites (you can see
 >> this info in the details of the site’s certificate), it’s the same:
 >>
 >> [1]CRL Distribution Point
 >>      Distribution Point Name:
 >>           Full Name:
 >>                URL=http://crl.starfieldtech.com/sfig2s1-103.crl
 >>
 >> I copied your code, compiled it, and tested it:
 >>
 >> C:\Users\MASALI1\source\repos\Debug>curl-test.exe
 >> Trying https://www.hollywood-mal.de/ OK!
 >> Trying https://www.hollywood-mal.com/ OK!
 >>
 >> So it looks like it was a temporary problem. Is the problem continuing for
 >> you?
 >>
 >> Thanks,
 >> Mark
 >>
 >> Here are a couple pages to help understand certificate revocation checks:
 >>
 >> https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/
 >>
 >> https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm
 >>
 >> From: curl-library <curl-library-boun...@cool.haxx.se> On Behalf Of
 >> Andreas Falkenhahn via curl-library
 >> Sent: Friday, January 4, 2019 5:31 AM
 >> To: curl-library@cool.haxx.se
 >> Cc: Andreas Falkenhahn <andr...@falkenhahn.com>
 >> Subject: schannel: next InitializeSecurityContext failed: Unknown error
 >>
 >> I know people have had problems with this before and I did my
 >> googling about it, but I don't really understand how to solve this
 >> problem because in my case it's particularly weird. Consider this little
 >> snippet:

 >> #include <stdio.h>
 >> #include <curl/curl.h>
 >>
 >> static void tryconnect(const char *address)
 >> {
 >>   CURL *curl = curl_easy_init();
 >>   CURLcode res;
 >>   char buf[CURL_ERROR_SIZE] = "";  /* stays empty if libcurl writes no message */
 >>
 >>   if(!curl) {
 >>     printf("Trying %s FAIL: curl_easy_init() returned NULL\n", address);
 >>     return;
 >>   }
 >>
 >>   curl_easy_setopt(curl, CURLOPT_URL, address);
 >>   /* only do the connect and TLS handshake, no transfer */
 >>   curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);
 >>   curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, buf);
 >>
 >>   printf("Trying %s ", address);
 >>   if(!(res = curl_easy_perform(curl))) {
 >>     printf("OK!\n");
 >>   } else {
 >>     printf("FAIL: %d %s\n", res, buf);
 >>   }
 >>
 >>   curl_easy_cleanup(curl);
 >> }
 >>
 >> int main(int argc, char *argv[])
 >> {
 >>   curl_global_init(CURL_GLOBAL_DEFAULT);
 >>   tryconnect("https://www.hollywood-mal.de/");  /* works! */
 >>   tryconnect("https://www.hollywood-mal.com/"); /* fails with schannel error */
 >>   curl_global_cleanup();
 >>   return 0;
 >> }

 >> Why on earth does https://www.hollywood-mal.de/ work fine and
 >> https://www.hollywood-mal.com/ doesn't work at all? I'm the owner of
 >> both domains and they are hosted by the very same company with the
 >> very same settings, yet one works, and the other one doesn't. Of
 >> course, in a browser both work fine, but with curl only the *.de one works,
 >> the *.com one fails.
 >>
 >> This is the output:
 >>
 >> Trying https://www.hollywood-mal.de/ OK!
 >> Trying https://www.hollywood-mal.com/ FAIL: 35 schannel: next
 >> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
 >> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
 >> Sperrserver offline war. (NB: In English the error is probably
 >> "schannel: next InitializeSecurityContext failed: Unknown error
 >> (0x80092013) - The revocation function was unable to check
 >> revocation because the revocation server was offline.")
 >>
 >> How can I solve this please? Some people seem to be suggesting to
 >> use the OpenSSL backend instead of schannel but is this really the
 >> only way to go? Isn't this possible with in-house Windows solutions?
 >>
 >> I'm on curl 7.57.0, Windows 7, x64.
 >>
 >> Thanks for ideas!
 >>
 >> -- 
 >> Best regards,
 >> Andreas Falkenhahn mailto:andr...@falkenhahn.com
 >>
 >> -------------------------------------------------------------------
 >> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
 >> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
> -- 
> Best regards,
> Andreas Falkenhahn mailto:andr...@falkenhahn.com


-- 
Best regards,
 Andreas Falkenhahn                            mailto:andr...@falkenhahn.com
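
Added example, not part of the original thread and not libcurl code: the "Unknown error (0x80092013)" in the quoted output is the CryptoAPI code CRYPT_E_REVOCATION_OFFLINE from winerror.h, meaning the revocation status could not be fetched, which is a different condition from a certificate that is actually revoked (CRYPT_E_REVOKED). The sketch below pulls the HRESULT out of a libcurl error buffer and separates the two cases; the function and enum names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this example; code values are from winerror.h. */
enum rev_verdict { REV_NOT_REVOCATION, REV_REVOKED, REV_STATUS_UNKNOWN };

static const struct { unsigned long hr; const char *name; enum rev_verdict v; }
rev_codes[] = {
  {0x80092010UL, "CRYPT_E_REVOKED",             REV_REVOKED},
  {0x80092012UL, "CRYPT_E_NO_REVOCATION_CHECK", REV_STATUS_UNKNOWN},
  {0x80092013UL, "CRYPT_E_REVOCATION_OFFLINE",  REV_STATUS_UNKNOWN},
};

/* Return the first "(0xXXXXXXXX)" value found in errbuf, or 0 if none. */
unsigned long extract_hresult(const char *errbuf)
{
  const char *p = errbuf;
  while((p = strstr(p, "(0x")) != NULL) {
    char *end;
    unsigned long hr = strtoul(p + 1, &end, 16);
    if(end - (p + 3) == 8 && *end == ')')  /* exactly 8 hex digits */
      return hr;
    p += 3;
  }
  return 0;
}

/* Classify an error buffer; *name receives the symbolic code or a fallback. */
enum rev_verdict classify_revocation(const char *errbuf, const char **name)
{
  unsigned long hr = extract_hresult(errbuf);
  size_t i;
  *name = "not a revocation error";
  for(i = 0; i < sizeof(rev_codes) / sizeof(rev_codes[0]); i++) {
    if(rev_codes[i].hr == hr) {
      *name = rev_codes[i].name;
      return rev_codes[i].v;
    }
  }
  return REV_NOT_REVOCATION;
}

int main(void)
{
  /* Error text as quoted in the thread (English rendering). */
  const char *msg = "schannel: next InitializeSecurityContext failed: "
                    "Unknown error (0x80092013) - The revocation function was "
                    "unable to check revocation because the revocation server "
                    "was offline.";
  const char *name;
  enum rev_verdict v = classify_revocation(msg, &name);
  printf("%s -> %s\n", name,
         v == REV_REVOKED ? "certificate revoked" :
         v == REV_STATUS_UNKNOWN ? "revocation status unavailable" : "other");
  return 0;
}
```

A REV_STATUS_UNKNOWN result points at whether the failing machine can fetch the CRL distribution point listed in the certificate, which is the check the quoted reply suggests.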

