Let me start by stating up front that I do not profess to have any expertise in this area. This is just something I noticed while I was spelunking some code, and understanding the whys would help me a lot. So if what I am saying is flawed, please point it out.
Consider my test website https://shibboleth.net/downloads/ . It is protected by a cert which is signed by a LetsEncrypt cert which is signed by someone else. All fine.

If I capture these three certificates into their own PEM files (endentity.pem, intermediate.pem, root.pem) and try the following three commands on Unix, it all works as I expect:

curl --cacert endentity.pem https://shibboleth.net/downloads/
curl --cacert intermediate.pem https://shibboleth.net/downloads/
curl --cacert root.pem https://shibboleth.net/downloads/

In all three cases curl/OpenSSL checks that the provided cert is in the chain somewhere, all is good according to the PKIX spec, and hey presto, the web page is printed to stdout.

On Windows it is different. The last line (where I specify the root cert) works, but the other two fail:

> curl --cacert endentity.pem https://shibboleth.net/downloads/
> curl: (60) schannel: CertGetCertificateChain trust error
> CERT_TRUST_IS_UNTRUSTED_ROOT
> More details here: https://curl.se/docs/sslcerts.html

I can see in the code absolutely why this fails - it's to do with some very funky restrictions on how you are allowed to configure your HCERTCHAINENGINE (schannel-verify line 667 or thereabouts). But this seems to work against the PKIX rules (according to my limited understanding of them).

What I don't understand is why this isn't a bigger deal, and how I should go about setting things up so that I can restrict my curl connections to a specific certificate, or only to those signed by a specific CA, not pretty much everyone in the whole world.

Additionally I'll observe that the curl code only ever inspects the first cert chain presented. I don't know if this matters, but it would seem to argue that cross-signed certificates might be problematic.

Thanks

--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
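The behaviour described in the mail above, reproduced offline as an added example (this script is not part of the original mail and is not curl's own code). It builds a throwaway root -> intermediate -> end-entity chain with openssl and checks the leaf with each file as the only trusted certificate. Plain `openssl verify` behaves like the Schannel result in the mail: only the self-signed root is accepted as an anchor. With `-partial_chain` the intermediate, and even the end-entity cert itself, become acceptable anchors; that flag (X509_V_FLAG_PARTIAL_CHAIN) is what curl's OpenSSL backend turns on by default, which is why the three --cacert variants all succeed on Unix (libcurl's CURLSSLOPT_NO_PARTIALCHAIN switches it off). The script then prints the sha256// public-key pin that curl's --pinnedpubkey option takes, which is the backend-independent way to restrict a connection to one specific key on the TLS backends that implement that option (the curl manual lists them). The CA names, the hostname example.test and all file names are made up for the test.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the curl project.
# Builds a throwaway chain root -> intermediate -> end entity with openssl,
# shows which file openssl accepts as a trust anchor with and without
# partial-chain validation, and prints the --pinnedpubkey value for the leaf.
# All names (Test Root, Test Intermediate, example.test) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the result does not depend on the system
# openssl.cnf. The CN in [dn] is a placeholder overridden by -subj below.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Fast unencrypted P-256 keys; nothing here is meant to leave the machine.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256"

# Issue root.pem (self-signed), intermediate.pem (signed by root) and
# endentity.pem (signed by intermediate). Runs in a subshell so the cd
# does not leak; set -e aborts the script if any openssl step fails.
gen_chain() (
  cd "$WORK" || exit 1
  openssl req -new -x509 -config openssl.cnf -extensions ca_ext $KEYOPTS \
    -days 30 -subj "/CN=Test Root" -keyout root.key -out root.pem >/dev/null 2>&1
  openssl req -new -config openssl.cnf $KEYOPTS \
    -subj "/CN=Test Intermediate" -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile openssl.cnf -extensions ca_ext \
    -out intermediate.pem >/dev/null 2>&1
  openssl req -new -config openssl.cnf $KEYOPTS \
    -subj "/CN=example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey int.key \
    -CAcreateserial -days 30 -sha256 -extfile openssl.cnf -extensions leaf_ext \
    -out endentity.pem >/dev/null 2>&1
)

# Validate endentity.pem with $1 as the ONLY trusted certificate and the
# intermediate supplied untrusted, as a server would send it in the handshake.
# $2 carries extra "openssl verify" flags ("" or -partial_chain).
# Prints one result line and returns openssl's verdict (0 = chain accepted).
verify_with() {
  anchor=$1
  flags=${2:-}
  # -no-CAfile/-no-CApath keep the system trust store out of the picture.
  if openssl verify $flags -no-CAfile -no-CApath -CAfile "$WORK/$anchor" \
       -untrusted "$WORK/intermediate.pem" "$WORK/endentity.pem" >/dev/null 2>&1
  then printf '%-17s %-15s ok\n'   "$anchor" "$flags"; return 0
  else printf '%-17s %-15s FAIL\n' "$anchor" "$flags"; return 1
  fi
}

# Public-key pin in the form curl --pinnedpubkey accepts (the recipe from the
# curl manual): "sha256//" + base64(SHA-256(DER SubjectPublicKeyInfo)).
pin_for() {
  openssl x509 -in "$WORK/$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64 \
    | sed 's|^|sha256//|'
}

gen_chain
printf '%-17s %-15s result\n' 'trust anchor' 'flags'
for anchor in root.pem intermediate.pem endentity.pem; do
  verify_with "$anchor" ""             || true  # default: self-signed root only
  verify_with "$anchor" -partial_chain || true  # what curl's OpenSSL backend does
done
echo "pin: $(pin_for endentity.pem)"
# Against a real server the pin would be used like this (example.test is made up):
#   curl --cacert root.pem --pinnedpubkey "$(pin_for endentity.pem)" https://example.test/
# so the connection is refused unless the server presents exactly this key,
# whatever the chain-building rules of the TLS backend in use.
```

The table the script prints is the point: root.pem passes in both columns, while intermediate.pem and endentity.pem pass only with `-partial_chain`, matching the Unix-versus-Windows split in the mail. To limit curl to one CA, `--cacert root.pem` with that CA's self-signed root works on every backend; to limit it to one certificate, the pin is the portable tool, and combining `--cacert` with `--pinnedpubkey` keeps normal chain validation in place while adding the key check.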