On 2/28/2019 12:50 PM, Vincas Razma via curl-library wrote:
>
> I have configured CURL to use WinSSL (schannel), and it does trust
> system trusted CAs just fine (that was the goal). However, one user
> has a proxy configuration, where it acts as man-in-the-middle. Such
> configuration in general works just fine with our CURL lib build, and
> proxy provided certificates do look ok. Windows does trust their root
> CA certificate, and every other software is able to also verify proxy
> generated certificates (browsers, .NET apps, etc.).
>
> Certificate path looks something like this:
>
> User root CA
>
> User intermediate CA
>
> *.ourservice.com
>
> Only “User intermediate CA” contains CRL distribution points, those
> are working. “User root CA” is trusted by OS.
>
> However, we get this logged by CURL:
>
> schannel: next InitializeSecurityContext failed: Unknown error
> (0x80092012) - The revocation function was unable to check revocation
> for the certificate
>
> Trusting “User intermediate CA” in Windows did not help either.
>
> There are not many leads, but maybe anyone has any hint what could have
> gone wrong?
>

curl does revocation checking by default when schannel is used as the SSL backend. It's possible the other applications are working because they do not do revocation checking by default. I suggest using certutil to examine the certificate and see if it shows as revoked.

    certutil -f -urlfetch -verify cert.crt
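
A companion check to the certutil command above, as an added example (not part of the original message and not curl's code): PowerShell using .NET's X509Chain with online revocation checking to show, for each chain element, whether it carries a CRL distribution point and what status Windows reports. The function name `Get-ChainRevocationStatus`, the `cert.crt` default, the 15-second timeout and the `EntireChain` flag are assumptions of this example, not settings read from curl's schannel backend.

```powershell
# Added example: per-element revocation status for a certificate chain.
# Assumption: cert.crt is the server (leaf) certificate saved from the failing
# connection, the same file name used with certutil above.
function Get-ChainRevocationStatus {
    param([string]$Path = 'cert.crt')

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 (Resolve-Path $Path).Path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()

    # Ask Windows to fetch CRLs/OCSP online for every element of the chain.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'   # assumption, see lead-in
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    # Build() returns $false if any element has a non-NoError status.
    $valid = $chain.Build($cert)

    $rows = foreach ($el in $chain.ChainElements) {
        $flags = ($el.ChainElementStatus | ForEach-Object Status) -join ', '
        if (-not $flags) { $flags = 'NoError' }

        # 2.5.29.31 is the CRL Distribution Points extension OID.
        $hasCdp = [bool]($el.Certificate.Extensions |
                         Where-Object { $_.Oid.Value -eq '2.5.29.31' })

        [pscustomobject]@{
            Subject                 = $el.Certificate.Subject
            Issuer                  = $el.Certificate.Issuer
            HasCrlDistributionPoint = $hasCdp
            Status                  = $flags
        }
    }

    $rows | Format-List
    "Chain valid with online revocation checking: $valid"

    # RevocationStatusUnknown / OfflineRevocation mean the check could not be
    # completed; Revoked means a CRL or OCSP response listed the certificate.
    $unchecked = $rows | Where-Object { $_.Status -match 'RevocationStatusUnknown|OfflineRevocation' }
    foreach ($r in $unchecked) {
        "Revocation could not be checked for: $($r.Subject) (CDP present: $($r.HasCrlDistributionPoint))"
    }
}

Get-ChainRevocationStatus -Path 'cert.crt'
```

An element reported with `RevocationStatusUnknown` and no CRL distribution point identifies the certificate whose revocation Windows had no way to check; `Revoked` would instead indicate the outcome the certutil suggestion is looking for.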