Re: schannel: next InitializeSecurityContext failed: Unknown error

2019-01-05 Thread Andreas Falkenhahn via curl-library
Ok, now it works here too and I didn't change a thing. Very strange. Yesterday
I tried it dozens of times (even side by side with my Windows 10 machine where
it always worked) and it never worked. So the problem is solved now but still
it's not exactly relieving to see this error just vanish... something inside me
tells me that it can probably come back at any time :/

On 05.01.2019 at 11:48 Andreas Falkenhahn via curl-library wrote:

> Any idea where to look for that in Windows? But once again, if it were
> generally impossible for Windows to contact the revocation servers it'd
> be pretty certain that it was a configuration/firewall/whatever issue.
> But the strange thing is that Windows can't contact the revocation servers
> *only* for specific domains, i.e. the *.de one works, but for the *.com one
> it can't contact the revocation server. But it's not as if *.com didn't
> work at all, e.g. https://www.paypal.com/ works fine, but for my *.com
> domain it doesn't work at all.

> BTW, I don't have any antivirus software on said Windows 7 machine and
> I also tried disabling the firewall altogether - all to no avail :/

> On 05.01.2019 at 00:50 Ray Satiro via curl-library wrote:

>> Works here as well. I suggest figuring out why Windows can't  
>> contact the revocation servers. It's not curl that makes those  
>> connections. If you really have to disable revocation checking  
>> recent versions have --ssl-no-revoke [1] and CURLSSLOPT_NO_REVOKE

---
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html

Re: schannel: next InitializeSecurityContext failed: Unknown error

2019-01-05 Thread Andreas Falkenhahn via curl-library
Any idea where to look for that in Windows? But once again, if it were
generally impossible for Windows to contact the revocation servers it'd
be pretty certain that it was a configuration/firewall/whatever issue.
But the strange thing is that Windows can't contact the revocation servers
*only* for specific domains, i.e. the *.de one works, but for the *.com one
it can't contact the revocation server. But it's not as if *.com didn't
work at all, e.g. https://www.paypal.com/ works fine, but for my *.com
domain it doesn't work at all.

BTW, I don't have any antivirus software on said Windows 7 machine and
I also tried disabling the firewall altogether - all to no avail :/

On 05.01.2019 at 00:50 Ray Satiro via curl-library wrote:

> Works here as well. I suggest figuring out why Windows can't  
> contact the revocation servers. It's not curl that makes those  
> connections. If you really have to disable revocation checking  
> recent versions have --ssl-no-revoke [1] and CURLSSLOPT_NO_REVOKE

-- 
Best regards,
 Andreas Falkenhahn mailto:andr...@falkenhahn.com


Re: schannel: next InitializeSecurityContext failed: Unknown error

2019-01-04 Thread Ray Satiro via curl-library
On 1/4/2019 12:04 PM, Salisbury, Mark via curl-library wrote:
>
> This error message is actually pretty helpful:
>
>  
>
> Trying https://www.hollywood-mal.de/  OK!
> Trying https://www.hollywood-mal.com/ 
> FAIL: 35 schannel: next InitializeSecurityContext failed: Unknown
> error (0x80092013) - Die Sperrfunktion konnte die Sperrung nicht
> überprüfen, da der Sperrserver offline war. (NB: In English the error
> is probably "schannel: next InitializeSecurityContext failed: Unknown
> error (0x80092013) - The revocation function was unable to check
> revocation because the revocation server was offline.")
>
>  
>
> I checked the CRL distribution point for both sites (you can see this
> info in the details of the site’s certificate), it’s the same:
>
>  
>
> [1]CRL Distribution Point
>
>  Distribution Point Name:
>
>   Full Name:
>
>    URL=http://crl.starfieldtech.com/sfig2s1-103.crl
>
>  
>
> I copied your code, compiled it, and tested it:
>
>  
>
> C:\Users\MASALI1\source\repos\Debug>curl-test.exe
>
> Trying https://www.hollywood-mal.de/ OK!
>
> Trying https://www.hollywood-mal.com/ OK!
>
>  
>
> So it looks like it was a temporary problem.  Is the problem
> continuing for you?
>

Works here as well. I suggest figuring out why Windows can't contact the
revocation servers. It's not curl that makes those connections. If you
really have to disable revocation checking recent versions have
--ssl-no-revoke [1] and CURLSSLOPT_NO_REVOKE [2].

[1]: https://curl.haxx.se/docs/manpage.html#--ssl-no-revoke
[2]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_OPTIONS.html


Re: schannel: next InitializeSecurityContext failed: Unknown error

2019-01-04 Thread Andreas Falkenhahn via curl-library
Sure, but I somehow refuse to believe that it should really be impossible to 
connect to a simple https:// site with Schannel on Windows 7. I mean, this is 
basic functionality, this just *has to* work...

On 04.01.2019 at 18:26 Salisbury, Mark wrote:

>   
>  
>  
> I’m running Windows 10.  There’s got to be some differences
> (appears to be improvements in this case) in Schannel from Windows 7 to 
> Windows 10.
>  
>  
>  
> -Mark
>  
>  
>  
>  
>  
> From: Andreas Falkenhahn  
>  Sent: Friday, January 4, 2019 10:14 AM
>  To: Salisbury, Mark 
>  Cc: libcurl development 
>  Subject: Re: schannel: next InitializeSecurityContext failed: Unknown error
>
>  
>  
> Unfortunately, the problem persists here. In the meantime I've made
> some further tests and I've found out that the problem happens only
> on my Windows 7 machine. On my Windows 10 machine both sites work
> just fine, like on your system. But  on my Windows 7 machine the
> *.de site works, but the *.com site doesn't. This is really
> confusing me, especially because the CRL distribution point for both
> sites is the same. I haven't got the slightest idea how to fix this :-/
>  
>  On 04.01.2019 at 18:04 Salisbury, Mark wrote:
>  



 >> This error message is actually pretty helpful:



 >> Trying  https://www.hollywood-mal.de/ OK!
 >> Trying  https://www.hollywood-mal.com/ FAIL: 35 schannel: next
 >> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
 >> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
 >> Sperrserver offline war. (NB: In English the error is probably
 >> "schannel: next InitializeSecurityContext failed: Unknown error
 >> (0x80092013) - The revocation function was unable to check
 >> revocation because the revocation server was offline.")



 >> I checked the CRL distribution point for both sites (you can see
 >> this info in the details of the site’s certificate), it’s the same:



 >> [1]CRL Distribution Point

 >> Distribution Point Name:

 >> Full Name:

 >> URL=http://crl.starfieldtech.com/sfig2s1-103.crl



 >> I copied your code, compiled it, and tested it:



 >> C:\Users\MASALI1\source\repos\Debug>curl-test.exe

 >> Trying  https://www.hollywood-mal.de/ OK!

 >> Trying  https://www.hollywood-mal.com/ OK!



 >> So it looks like it was a temporary problem. Is the problem continuing for 
 >> you?



 >> Thanks,
 >> Mark



 >> Here are a couple pages to help understand certificate revocation checks:

 >>  
 >> https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/

 >>  
 >> https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm







 >> From: curl-library  On Behalf Of
 >> Andreas Falkenhahn via curl-library
 >> Sent: Friday, January 4, 2019 5:31 AM
 >> To: curl-library@cool.haxx.se
 >> Cc: Andreas Falkenhahn 
 >> Subject: schannel: next InitializeSecurityContext failed: Unknown error



 >> I know people have had problems with this before and I did my
 >> googling about it, but I don't really understand how to solve this
 >> problem because in my case it's particularly weird. Consider this little 
 >> snippet:

 >> static void tryconnect(const char *address)
 >> {
 >> CURL *curl = curl_easy_init();
 >> CURLcode res;
 >> char buf[CURL_ERROR_SIZE];

 >> curl_easy_setopt(curl, CURLOPT_URL, address);
 >> curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1);
 >> curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, buf);

 >> printf("Trying %s ", address); 
 >> if(!(res = curl_easy_perform(curl))) {
 >> printf("OK!\n");
 >> } else {
 >> printf("FAIL: %d %s\n", res, buf);
 >> }

 >> curl_easy_cleanup(curl);
 >> }

 >> int main(int argc, char *argv[])
 >> {
 >> curl_global_init(CURL_GLOBAL_DEFAULT);
 >> tryconnect("https://www.hollywood-mal.de/"); /* works! */
 >> tryconnect("https://www.hollywood-mal.com/"); /* fails with schannel error */
 >> curl_global_cleanup();
 >> return 0;
 >> }

 >> Why on earth does  https://www.hollywood-mal.de/ work fine and 
 >>  https://www.hollywood-mal.com/ doesn't work at all? I'm the owner of
 >> both domains and they are hosted by the very same company with the
 >> very same settings, yet one works, and the other one doesn't. Of
 >> course, in a browser both work fine, but with curl only the *.de one works, 
 >> the *.com one fails.

 >> This is the output:

 >> Trying  https://www.hollywood-mal.de/ OK!
 >> Trying  https://www.holly

Re: schannel: next InitializeSecurityContext failed: Unknown error

2019-01-04 Thread Andreas Falkenhahn via curl-library
Unfortunately, the problem persists here. In the meantime I've made some 
further tests and I've found out that the problem happens only on my Windows 7 
machine. On my Windows 10 machine both sites work just fine, like on your 
system. But on my Windows 7 machine the *.de site works, but the *.com site 
doesn't. This is really confusing me, especially because the CRL distribution 
point for both sites is the same. I haven't got the slightest idea how to fix 
this :-/

On 04.01.2019 at 18:04 Salisbury, Mark wrote:

>   
>  
>  
> This error message is actually pretty helpful:
>  
>  
>  
> Trying  https://www.hollywood-mal.de/ OK!
>  Trying  https://www.hollywood-mal.com/ FAIL: 35 schannel: next
> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
> Sperrserver offline war. (NB: In English the error is probably
> "schannel:  next InitializeSecurityContext failed: Unknown error
> (0x80092013) - The revocation function was unable to check
> revocation because the revocation server was offline.")
>  
>  
>  
> I checked the CRL distribution point for both sites (you can see
> this info in the details of the site’s certificate), it’s the same:
>  
>  
>  
> [1]CRL Distribution Point
>  
>  Distribution Point Name:
>  
>   Full Name:
>  
>    URL=http://crl.starfieldtech.com/sfig2s1-103.crl
>  
>  
>  
> I copied your code, compiled it, and tested it:
>  
>  
>  
> C:\Users\MASALI1\source\repos\Debug>curl-test.exe
>  
> Trying https://www.hollywood-mal.de/ OK!
>  
> Trying https://www.hollywood-mal.com/ OK!
>  
>  
>  
> So it looks like it was a temporary problem.  Is the problem continuing for 
> you?
>  
>  
>  
> Thanks,
>  Mark
>  
>  
>  
> Here are a couple pages to help understand certificate revocation checks:
>  
> https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/
>  
> https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm
>  
>  
>  
>  
>  
>  
>  
> From: curl-library  On Behalf Of
> Andreas Falkenhahn via curl-library
>  Sent: Friday, January 4, 2019 5:31 AM
>  To: curl-library@cool.haxx.se
>  Cc: Andreas Falkenhahn 
>  Subject: schannel: next InitializeSecurityContext failed: Unknown error
>
>  
>  
> I know people have had problems with this before and I did my
> googling about it, but I don't really understand how to solve this
> problem because in my case it's particularly weird. Consider this little 
> snippet:
>  
>  static void tryconnect(const char *address)
>  {
>  CURL *curl = curl_easy_init();
>  CURLcode res;
>  char buf[CURL_ERROR_SIZE];
>  
>  curl_easy_setopt(curl, CURLOPT_URL, address);
>  curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1);
>  curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, buf);
>  
>  printf("Trying %s ", address); 
>  if(!(res = curl_easy_perform(curl))) {
>  printf("OK!\n");
>  } else {
>  printf("FAIL: %d %s\n", res, buf);
>  }
>  
>  curl_easy_cleanup(curl);
>  }
>  
>  int main(int argc, char *argv[])
>  {
>  curl_global_init(CURL_GLOBAL_DEFAULT);
>  tryconnect("https://www.hollywood-mal.de/"); /* works! */
>  tryconnect("https://www.hollywood-mal.com/"); /* fails with schannel error */
>  curl_global_cleanup();
>  return 0;
>  }
>  
>  Why on earth does  https://www.hollywood-mal.de/ work fine and 
> https://www.hollywood-mal.com/ doesn't work at all? I'm the owner of
> both domains and they are hosted by the very same company with the
> very same settings, yet one works, and the other one doesn't. Of
> course, in a browser both work fine, but with curl only  the *.de one works, 
> the *.com one fails.
>  
>  This is the output:
>  
>  Trying  https://www.hollywood-mal.de/ OK!
>  Trying  https://www.hollywood-mal.com/ FAIL: 35 schannel: next
> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
> Sperrserver offline war. (NB: In English the error is probably
> "schannel:  next InitializeSecurityContext failed: Unknown error
> (0x80092013) - The revocation function was unable to check
> revocation because the revocation server was offline.")
>  
>  How can I solve this please? Some people seem to be suggesting to
> use the OpenSSL backend instead of schannel but is this really the
> only way to go? Isn't this possible with in-house Windows solutions?
>  
>  I'm on curl 7.57.0, Windows 7, x64.
>  
>  Thanks for ideas!
>  
>  -- 
>  Best regards,
>  Andreas Falkenhahn mailto:andr...@falkenhahn.com
>  
>  
>  ---
>  Unsubscribe:  https://cool.haxx.se/list/listinfo/curl-library
>  Etiquette:  https://curl.haxx.se/mail/etiquette.html
>


-- 
Best regards,
 Andreas Falkenhahn mailto:andr...@falkenhahn.com



RE: schannel: next InitializeSecurityContext failed: Unknown error

2019-01-04 Thread Salisbury, Mark via curl-library
This error message is actually pretty helpful:

Trying https://www.hollywood-mal.de/ OK!
Trying https://www.hollywood-mal.com/ FAIL: 35 
schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - 
Die Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver 
offline war. (NB: In English the error is probably "schannel: next 
InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation 
function was unable to check revocation because the revocation server was 
offline.")

I checked the CRL distribution point for both sites (you can see this info in 
the details of the site’s certificate), it’s the same:

[1]CRL Distribution Point
 Distribution Point Name:
  Full Name:
   URL=http://crl.starfieldtech.com/sfig2s1-103.crl

I copied your code, compiled it, and tested it:

C:\Users\MASALI1\source\repos\Debug>curl-test.exe
Trying https://www.hollywood-mal.de/ OK!
Trying https://www.hollywood-mal.com/ OK!

So it looks like it was a temporary problem.  Is the problem continuing for you?

Thanks,
Mark

Here are a couple pages to help understand certificate revocation checks:
https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/
https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm


From: curl-library  On Behalf Of Andreas 
Falkenhahn via curl-library
Sent: Friday, January 4, 2019 5:31 AM
To: curl-library@cool.haxx.se
Cc: Andreas Falkenhahn 
Subject: schannel: next InitializeSecurityContext failed: Unknown error

I know people have had problems with this before and I did my googling about 
it, but I don't really understand how to solve this problem because in my case 
it's particularly weird. Consider this little snippet:

#include <stdio.h>
#include <curl/curl.h>

static void tryconnect(const char *address)
{
  CURL *curl = curl_easy_init();
  CURLcode res;
  char buf[CURL_ERROR_SIZE];

  if(!curl)
    return;

  buf[0] = 0; /* libcurl may leave the buffer untouched on some errors */
  curl_easy_setopt(curl, CURLOPT_URL, address);
  curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);
  curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, buf);

  printf("Trying %s ", address);
  if(!(res = curl_easy_perform(curl))) {
    printf("OK!\n");
  } else {
    printf("FAIL: %d %s\n", res, buf);
  }

  curl_easy_cleanup(curl);
}

int main(int argc, char *argv[])
{
  curl_global_init(CURL_GLOBAL_DEFAULT);
  tryconnect("https://www.hollywood-mal.de/");  /* works! */
  tryconnect("https://www.hollywood-mal.com/"); /* fails with schannel error */
  curl_global_cleanup();
  return 0;
}

Why on earth does https://www.hollywood-mal.de/ 
work fine and https://www.hollywood-mal.com/ 
doesn't work at all? I'm the owner of both domains and they are hosted by the 
very same company with the very same settings, yet one works, and the other one 
doesn't. Of course, in a browser both work fine, but with curl only the *.de 
one works, the *.com one fails.

This is the output:

Trying https://www.hollywood-mal.de/ OK!
Trying https://www.hollywood-mal.com/ FAIL: 35 
schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - 
Die Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver 
offline war. (NB: In English the error is probably "schannel: next 
InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation 
function was unable to check revocation because the revocation server was 
offline.")

How can I solve this please? Some people seem to be suggesting to use the 
OpenSSL backend instead of schannel but is this really the only way to go? 
Isn't this possible with in-house Windows solutions?

I'm on curl 7.57.0, Windows 7, x64.

Thanks for ideas!

--
Best regards,
Andreas Falkenhahn mailto:andr...@falkenhahn.com



Re: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) The revocation function was unable to check revocation because the revocation server was offline.

2016-03-23 Thread Ray Satiro via curl-library

On 3/23/2016 5:05 AM, Volker Schmid wrote:
> We use libCurl version 7.43.0 with schannel support for TLS. Some
> customers using a proxy are getting the following issue:
>
> [...]
>
> 2016-03-22 14:20:13-1943 [4736]: VERB: CURL: schannel: next
> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
> Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver
> offline war.
>
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: Closing connection 0
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: shutting down
> SSL/TLS connection with pls2.regify.com port 443
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: clear security
> context handle
> 2016-03-22 14:20:13-1945 [4736]: VERB: CURL: schannel: clear
> credential handle
> 2016-03-22 14:20:13-1945 [4736]: VERB: CURL: NTLM-proxy picked AND
> auth done set, clear picked!
>
> The translated error message is: The revocation function was unable to
> check revocation because the revocation server was offline.
>
> Any idea what's going on here? We tried to check if the proxy is
> blocking the calls to CRL servers, but we can not see such.


When curl is built with the WinSSL (schannel) SSL backend certificate 
revocation checking is enabled by default and the checking is handled 
automatically by the Windows OS, not by libcurl. Whatever proxy settings 
you are using in libcurl will not be used to retrieve the revocation 
resource, instead the OS will use its settings. Assuming those settings 
are correct that error message usually means what it says, the 
revocation server is offline. However I did once see that message when 
there was no revocation resource in the CA certificate [1], but that's 
very unusual unless the SSL traffic is being intercepted.


If you are unable to find the cause and your circumstances allow you can 
disable revocation checking per session in curl w/ WinSSL by using 
option --ssl-no-revoke [2] in curl >= 7.44 or by passing flag 
CURLSSLOPT_NO_REVOKE to CURLOPT_SSL_OPTIONS [3] in libcurl >= 7.44.



[1]: https://github.com/curl/curl/issues/264
[2]: https://curl.haxx.se/docs/manpage.html#--ssl-no-revoke
[3]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_OPTIONS.html

---
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
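
Ray Satiro's replies in both the 2016 and the 2019 thread name CURLSSLOPT_NO_REVOKE as the option of last resort. The block below is an added example, not code from the thread or from the curl project: it reads the HRESULT out of the libcurl error buffer and permits a no-revoke retry only when revocation status was unavailable and the host is on an exemption list. The exemption list, the host name `intranet.example`, the function and enum names, and the revoked-certificate sample line are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CryptoAPI revocation results as they show up in schannel error text. */
#define CRYPT_E_REVOKED             0x80092010UL
#define CRYPT_E_NO_REVOCATION_CHECK 0x80092012UL
#define CRYPT_E_REVOCATION_OFFLINE  0x80092013UL

enum revoke_verdict {
  RV_NOT_REVOCATION,    /* other failure: revocation options are irrelevant */
  RV_REVOKED,           /* certificate is revoked: always a hard failure */
  RV_UNAVAILABLE_HARD,  /* status unknown, host not exempted: keep failing */
  RV_UNAVAILABLE_RETRY  /* status unknown, host exempted: caller may retry
                           once with CURLSSLOPT_NO_REVOKE and log it */
};

/* Hypothetical exemption list; the host name is a constructed placeholder. */
static const char *const soft_fail_hosts[] = { "intranet.example" };

/* Pull the first "(0x...)" code out of a libcurl error buffer, 0 if none. */
static unsigned long schannel_code(const char *errbuf)
{
  const char *p = strstr(errbuf, "(0x");
  char *end = NULL;
  unsigned long code = p ? strtoul(p + 1, &end, 16) : 0;
  return (p && *end == ')') ? code : 0;
}

static int host_exempted(const char *host)
{
  for(size_t i = 0; i < sizeof(soft_fail_hosts) / sizeof(soft_fail_hosts[0]); i++)
    if(!strcmp(host, soft_fail_hosts[i]))
      return 1;
  return 0;
}

/* Decide what the caller may do after curl_easy_perform() failed. */
static enum revoke_verdict classify(const char *host, const char *errbuf)
{
  switch(schannel_code(errbuf)) {
  case CRYPT_E_REVOKED:
    return RV_REVOKED;
  case CRYPT_E_NO_REVOCATION_CHECK:
  case CRYPT_E_REVOCATION_OFFLINE:
    return host_exempted(host) ? RV_UNAVAILABLE_RETRY : RV_UNAVAILABLE_HARD;
  default:
    return RV_NOT_REVOCATION;
  }
}

/* Error text from the thread, and a constructed line for a revoked cert. */
static const char offline_msg[] = "schannel: next InitializeSecurityContext "
  "failed: Unknown error (0x80092013) - The revocation function was unable "
  "to check revocation because the revocation server was offline.";
static const char revoked_msg[] = "schannel: next InitializeSecurityContext "
  "failed: Unknown error (0x80092010) - The certificate is revoked.";

int main(void)
{
  printf("%d %d %d\n", classify("www.hollywood-mal.com", offline_msg),
         classify("intranet.example", offline_msg),
         classify("intranet.example", revoked_msg)); /* prints "2 3 1" */
  return 0;
}
```

Matching on the numeric code rather than the message text keeps the check independent of the Windows display language, which matters here because the thread's error text arrives in German.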