schannel: add client certificate authentication #2376
Conversation
ArchangelSDY
force-pushed
the
schannel-client-cert
branch
from
91830e6
to
91cc524
Compare
|
Thanks @ArchangelSDY. Please run checksrc on the code and adjust the code style nits it finds. You can see them here. |
ArchangelSDY
force-pushed
the
schannel-client-cert
branch
from
91cc524
to
d5365a4
Compare
User can now specify a client certificate in system certificates store explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`.
ArchangelSDY
force-pushed
the
schannel-client-cert
branch
from
d5365a4
to
83a47f4
Compare
|
@bagder All code style issues should be addressed. |
|
Thanks! |
|
I think we will need to explain this better in the documentation. It could use a separate section explaining the system stores. It seems that CURLOPT_SSLCERT for WinSSL will be supported in some limited way for client certificates but not by filename or nickname, only thumbprint, is that correct? Is there any reason we couldn't check names as well? |
|
Yes, only thumbprint is supported. There are a lot of ways to find a certificate but looks like Windows do not a have a concept like nickname or certificate name, so thumbprint seems to be the only way to locate a certificate from system store uniquely. Loading certificate from a local pfx file can be supported. But usually a local file can be imported into system store while the opposite may not always be possible due to some secure policies. So I think it's not that useful. I can submit another patch to improve the documentation. |
That would be great, thanks. |
|
Some CI builds are failing because CryptStringToBinary doesn't have flag CRYPT_STRING_HEXRAW in <=XP. Can you use a different flag that is compatible with xp |
|
OK, I'll try to find an alternative. |
|
Any news? I propose we revert this commit until we have a fix. One of the build failures: https://curlbuild.uxnr.de/builders/curl_winssl_cross_x64/builds/9672/steps/compile/logs/stdio |
- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't support the latter. Ref: #2376 (comment) Closes #2504
|
Fix was proposed in #2504 but I held it as a blocker due to roffit bug, which in hindsight I shouldn't have done. Fixed now, will investigate roffit bug separately. |
|
There are however still build failures in Marc's builds even with that fixup: https://curlbuild.uxnr.de/builders/curl_winssl_mingw_x86/builds/4212/steps/compile/logs/stdio |
|
Looks like MinGW lacks some essential APIs. I will work on a fix to disable this feature in that condition. |
|
Thanks. I am testing various MinGW versions on purpose, since distributions and msys2 as well as older mingw-get installers ship different versions. |
|
Original MinGW targets Windows 2000 by default. Maybe these definitions are only available in XP+? MSDN says so, but they also regularly delete mentions of old Windows versions. |
|
Yes. According to this doc the minimum supported version is XP. I'm not sure if this feature will actually work on Windows 2000. |
|
Sent another PR #2522 to disable this feature in MinGW. |
|
Thanks, I answered in #2522. BTW-- I am working on a Dockerized environment for all my builders, to provide CI for pull-requests as well. |
User can now specify a client certificate in system certificates store explicitly using expression like
--cert "CurrentUser\MY\<thumbprint>".