Re: schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) The revocation function was unable to check revocation because the revocation server was offline.

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 23 Mar 2016 12:45:53 -0400

On 3/23/2016 5:05 AM, Volker Schmid wrote:
> We use libCurl version 7.43.0 with schannel support for TLS. Some
> customers using a proxy are getting the following issue:

[...]

> 2016-03-22 14:20:13-1943 [4736]: VERB: CURL: schannel: next
> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
> Sperrfunktion konnte die Sperrung nicht überprüfen, da der Sperrserver
> offline war.
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: Closing connection 0
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: shutting down
> SSL/TLS connection with pls2.regify.com port 443
> 2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: clear security
> context handle
> 2016-03-22 14:20:13-1945 [4736]: VERB: CURL: schannel: clear
> credential handle
> 2016-03-22 14:20:13-1945 [4736]: VERB: CURL: NTLM-proxy picked AND
> auth done set, clear picked!
>
> The translated error message is: The revocation function was unable to
> check revocation because the revocation server was offline.
>
> Any idea what's going on here? We tried to check if the proxy is
> blocking the calls to CRL servers, but we can not see such.

When curl is built with the WinSSL (schannel) SSL backend, certificate
revocation checking is enabled by default and the checking is handled
automatically by the Windows OS, not by libcurl. Whatever proxy settings
you are using in libcurl will not be used to retrieve the revocation
resource; instead the OS will use its settings. Assuming those settings
are correct, that error message usually means what it says: the
revocation server is offline. However, I did once see that message when
there was no revocation resource in the CA certificate [1], but that's
very unusual unless the SSL traffic is being intercepted.

If you are unable to find the cause and your circumstances allow, you can
disable revocation checking per session in curl w/ WinSSL by using
option --ssl-no-revoke [2] in curl >= 7.44 or by passing flag
CURLSSLOPT_NO_REVOKE to CURLOPT_SSL_OPTIONS [3] in libcurl >= 7.44.

[1]: https://github.com/curl/curl/issues/264
[2]: https://curl.haxx.se/docs/manpage.html#--ssl-no-revoke
[3]: https://curl.haxx.se/libcurl/c/CURLOPT_SSL_OPTIONS.html

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-03-23
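
A triage helper for logs like the one quoted in this thread, added here as an example (it is not part of the original mail and not curl project code). It separates the 0x80092013 "revocation server offline" failure from a genuinely revoked certificate before anyone reaches for --ssl-no-revoke; the record layout follows the quoted excerpt, while the host names, the second pair of records and the reading of the bracketed number as a per-connection id are constructed assumptions.

```python
import re
from collections import defaultdict

# Windows CryptoAPI revocation status codes (values from winerror.h).
CODES = {
    0x80092010: ("CRYPT_E_REVOKED", "certificate revoked: keep failing closed"),
    0x80092012: ("CRYPT_E_NO_REVOCATION_CHECK", "no revocation status obtainable"),
    0x80092013: ("CRYPT_E_REVOCATION_OFFLINE", "revocation server unreachable"),
}
# Assumption: "[n]" after the timestamp identifies the thread handling the connection.
RECORD_START = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d-\d+ \[(\d+)\]: ")
SCHANNEL_FAIL = re.compile(r"schannel: .*?failed: .*?\((0x[0-9A-Fa-f]{8})\)")
PEER = re.compile(r"SSL/TLS connection with (\S+) port (\d+)")

# Constructed sample: same layout as the quoted log, placeholder hosts, wrapped lines.
SAMPLE_LOG = """\
2016-03-22 14:20:13-1943 [4736]: VERB: CURL: schannel: next
InitializeSecurityContext failed: Unknown error (0x80092013) - offline
2016-03-22 14:20:13-1944 [4736]: VERB: CURL: schannel: shutting down
SSL/TLS connection with a.example.test port 443
2016-03-22 14:21:02-0100 [5120]: VERB: CURL: schannel: next InitializeSecurityContext failed: Unknown error (0x80092010) - revoked
2016-03-22 14:21:02-0101 [5120]: VERB: CURL: schannel: shutting down SSL/TLS connection with b.example.test port 443
"""

def join_wrapped(lines):
    """Re-join records that a mail client or viewer wrapped across lines."""
    records = []
    for line in filter(None, map(str.strip, lines)):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(log_text):
    """Return {(host, port): [(code_name, meaning), ...]} for schannel failures."""
    pending, findings = defaultdict(list), defaultdict(list)
    for rec in join_wrapped(log_text.splitlines()):
        start = RECORD_START.match(rec)
        if not start:
            continue
        tid = start.group(1)
        fail = SCHANNEL_FAIL.search(rec)
        if fail:  # remember the code until the same thread names its peer
            raw = fail.group(1)
            pending[tid].append(CODES.get(int(raw, 16), (raw, "not a revocation code")))
        peer = PEER.search(rec)
        if peer and pending[tid]:
            findings[(peer.group(1), int(peer.group(2)))].extend(pending.pop(tid))
    return dict(findings)
```

Only a host whose findings are all CRYPT_E_REVOCATION_OFFLINE matches the situation discussed in the reply; a CRYPT_E_REVOKED finding is a reason to leave revocation checking on.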