Hello all,

I've made the attached patch, which allows curl with schannel to connect to servers which request a client certificate, but do not require it. With this change, when a server requests a client certificate, curl will now continue the handshake without one. If the client certificate is mandatory, the server will terminate the connection. Otherwise, if the certificate is optional, the handshake will continue. Prior to this change, curl would always terminate the connection, with a SEC_I_INCOMPLETE_CREDENTIALS error. Some minimal testing indicates that the problem does not occur when using OpenSSL as the SSL backend.

See these links for a description of the fix:
https://groups.google.com/d/msg/microsoft.public.platformsdk.security/lb-9guU8-D8/tgBBECWKyLYJ
https://groups.google.com/d/msg/microsoft.public.platformsdk.security/gKEz2o6nHOI/vfROf7ePq_0J

This can be tested using Apache/mod_ssl, by setting the SSLVerifyClient directive to 'optional'. IIS can also be configured to request a client certificate, but not require it. There is no test case attached to this commit.

Thanks,
Joel Depooter
[email protected]

0001-schannel-Add-support-for-optional-client-certificate.patch
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
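
The Apache/mod_ssl test setup mentioned in the message above, written out as an added example (not part of the original post or the attached patch). The server name and all file paths are placeholders; the log line and the `/protected` check are additions that show whether a client actually presented a certificate and keep certificate-less clients away from paths that need one.

```apache
# Constructed test vhost; ServerName and every file path are placeholders.
<VirtualHost *:443>
    ServerName tls-test.example
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA used to verify any certificate the client does present; its name
    # is advertised to the client in the server's certificate request.
    SSLCACertificateFile  /path/to/client-ca.crt

    # "optional": request a client certificate, but complete the handshake
    # if the client sends none. Switch to "require" to confirm the server
    # terminates the connection for a certificate-less client.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    # Log the verification result per request. SSL_CLIENT_VERIFY is one of
    # NONE (no certificate sent), SUCCESS, GENEROUS or FAILED:reason.
    CustomLog logs/ssl_client_verify.log "%h %{SSL_PROTOCOL}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s"

    # With "optional", anonymous clients reach this vhost, so anything that
    # depends on client-certificate authentication must check for it.
    <Location "/protected">
        Require ssl-verify-client
    </Location>
</VirtualHost>
```

A client that continues the handshake without a certificate should appear in the log with `NONE` and be refused on `/protected`.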
