curl-library

Suggestion for an error return code change

From: - <zen45544_at_zen.co.uk>
Date: Fri, 1 Sep 2017 21:12:18 +0100

I'm working with libcurl 7.55.1 under Windows, using Windows SSPI and
Schannel, not OpenSSL.

In lib\vtls\schannel.c, line 635, the error handling is:

      return sspi_status == SEC_E_UNTRUSTED_ROOT ?
        CURLE_SSL_CACERT_BADFILE : CURLE_SSL_CONNECT_ERROR;

I think that CURLE_SSL_CACERT_BADFILE should be CURLE_SSL_CACERT instead,
since at this point there's no attempt to read a file set via the
CURLOPT_CAPATH option, and you get an error code that refers to the
certificate bundle when you haven't given Curl a certificate bundle. The
docs for CURLOPT_CAPATH say it doesn't work in Windows, and this code path
is (I think) Windows-specific, so I can't see how a certificate bundle would
ever be used in this scenario.

Because the real problem here is that the root is not trusted, the error
code of CURLE_SSL_CACERT seems to make more sense.

Received on 2017-09-01