curl-library

Re: schannel: next InitializeSecurityContext failed: Unknown error

From: Andreas Falkenhahn via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 4 Jan 2019 18:32:18 +0100

Sure, but I somehow refuse to believe that it should really be impossible to connect to a simple https:// site with Schannel on Windows 7. I mean, this is basic functionality, this just *has to* work...

On 04.01.2019 at 18:26 Salisbury, Mark wrote:

> I’m running Windows 10. There’s got to be some differences
> (appears to be improvements in this case) in Schannel from Windows 7 to Windows 10.
>
> -Mark
>
> From: Andreas Falkenhahn <andreas_at_falkenhahn.com>
> Sent: Friday, January 4, 2019 10:14 AM
> To: Salisbury, Mark <mark.salisbury_at_hp.com>
> Cc: libcurl development <curl-library_at_cool.haxx.se>
> Subject: Re: schannel: next InitializeSecurityContext failed: Unknown error
>
> Unfortunately, the problem persists here. In the meantime I've made
> some further tests and I've found out that the problem happens only
> on my Windows 7 machine. On my Windows 10 machine both sites work
> just fine, like on your system. But on my Windows 7 machine the
> *.de site works, but the *.com site doesn't. This is really
> confusing me, especially because the CRL distribution point for both
> sites is the same. I haven't got the slightest idea how to fix this :-/
>
> On 04.01.2019 at 18:04 Salisbury, Mark wrote:
>

>> This error message is actually pretty helpful:

>> Trying https://www.hollywood-mal.de/ OK!
>> Trying https://www.hollywood-mal.com/ FAIL: 35 schannel: next
>> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
>> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
>> Sperrserver offline war. (NB: In English the error is probably
>> "schannel: next InitializeSecurityContext failed: Unknown error
>> (0x80092013) - The revocation function was unable to check
>> revocation because the revocation server was offline.")

>> I checked the CRL distribution point for both sites (you can see
>> this info in the details of the site’s certificate), it’s the same:

>> [1]CRL Distribution Point

>> Distribution Point Name:

>> Full Name:

>> URL=http://crl.starfieldtech.com/sfig2s1-103.crl

>> I copied your code, compiled it, and tested it:

>> C:\Users\MASALI1\source\repos\Debug>curl-test.exe

>> Trying https://www.hollywood-mal.de/ OK!

>> Trying https://www.hollywood-mal.com/ OK!

>> So it looks like it was a temporary problem. Is the problem continuing for you?

>> Thanks,
>> Mark

>> Here are a couple pages to help understand certificate revocation checks:

>> https://blogs.msdn.microsoft.com/ieinternals/2011/04/07/understanding-certificate-revocation-checks/

>> https://www.digicert.com/util/utility-test-ocsp-and-crl-access-from-a-server.htm

>> From: curl-library <curl-library-bounces_at_cool.haxx.se> On Behalf Of
>> Andreas Falkenhahn via curl-library
>> Sent: Friday, January 4, 2019 5:31 AM
>> To: curl-library_at_cool.haxx.se
>> Cc: Andreas Falkenhahn <andreas_at_falkenhahn.com>
>> Subject: schannel: next InitializeSecurityContext failed: Unknown error

>> I know people have had problems with this before and I did my
>> googling about it, but I don't really understand how to solve this
>> problem because in my case it's particularly weird. Consider this little snippet:

>> #include <stdio.h>
>> #include <curl/curl.h>
>>
>> static void tryconnect(const char *address)
>> {
>>   CURL *curl = curl_easy_init();
>>   CURLcode res;
>>   char buf[CURL_ERROR_SIZE] = "";  /* stays empty if libcurl writes no message */
>>
>>   if(!curl)
>>     return;
>>
>>   curl_easy_setopt(curl, CURLOPT_URL, address);
>>   curl_easy_setopt(curl, CURLOPT_CONNECT_ONLY, 1L);  /* option takes a long */
>>   curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, buf);
>>
>>   printf("Trying %s ", address);
>>   if(!(res = curl_easy_perform(curl))) {
>>     printf("OK!\n");
>>   } else {
>>     printf("FAIL: %d %s\n", res, buf);
>>   }
>>
>>   curl_easy_cleanup(curl);
>> }
>>
>> int main(int argc, char *argv[])
>> {
>>   curl_global_init(CURL_GLOBAL_DEFAULT);
>>   tryconnect("https://www.hollywood-mal.de/");   /* works! */
>>   tryconnect("https://www.hollywood-mal.com/");  /* fails with schannel error */
>>   curl_global_cleanup();
>>   return 0;
>> }

>> Why on earth does https://www.hollywood-mal.de/ work fine and
>> https://www.hollywood-mal.com/ doesn't work at all? I'm the owner of
>> both domains and they are hosted by the very same company with the
>> very same settings, yet one works, and the other one doesn't. Of
>> course, in a browser both work fine, but with curl only the *.de one works, the *.com one fails.

>> This is the output:

>> Trying https://www.hollywood-mal.de/ OK!
>> Trying https://www.hollywood-mal.com/ FAIL: 35 schannel: next
>> InitializeSecurityContext failed: Unknown error (0x80092013) - Die
>> Sperrfunktion konnte die Sperrung nicht überprüfen, da der
>> Sperrserver offline war. (NB: In English the error is probably
>> "schannel: next InitializeSecurityContext failed: Unknown error
>> (0x80092013) - The revocation function was unable to check
>> revocation because the revocation server was offline.")

>> How can I solve this please? Some people seem to be suggesting to
>> use the OpenSSL backend instead of schannel but is this really the
>> only way to go? Isn't this possible with in-house Windows solutions?

>> I'm on curl 7.57.0, Windows 7, x64.

>> Thanks for ideas!

>> --
>> Best regards,
>> Andreas Falkenhahn mailto:andreas_at_falkenhahn.com

>> -------------------------------------------------------------------
>> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: https://curl.haxx.se/mail/etiquette.html

>
>
> --
> Best regards,
> Andreas Falkenhahn mailto:andreas_at_falkenhahn.com
>

-- 
Best regards,
 Andreas Falkenhahn                            mailto:andreas_at_falkenhahn.com
Received on 2019-01-04
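
Added example (not part of the original mails and not curl's own code): the thread turns on reading the code inside curl's "Unknown error (0x80092013)" text. The C code below pulls that code out of a CURLOPT_ERRORBUFFER string and separates "certificate is revoked" from "revocation status could not be obtained"; the function and enum names are hypothetical, and the three code values are those defined in winerror.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names; the three code values are from winerror.h. */
enum rev_verdict { REV_NOT_REVOCATION, REV_REVOKED, REV_STATUS_UNKNOWN };
static const struct { uint32_t code; const char *name; enum rev_verdict v; }
rev_codes[] = {
  { 0x80092010u, "CRYPT_E_REVOKED",             REV_REVOKED },
  { 0x80092012u, "CRYPT_E_NO_REVOCATION_CHECK", REV_STATUS_UNKNOWN },
  { 0x80092013u, "CRYPT_E_REVOCATION_OFFLINE",  REV_STATUS_UNKNOWN },
};

/* Return the first "(0xXXXXXXXX)" value found in errbuf, or 0 if none. */
uint32_t schannel_error_code(const char *errbuf)
{
  const char *p = errbuf;
  while((p = strstr(p, "(0x")) != NULL) {
    if(strspn(p + 3, "0123456789abcdefABCDEF") == 8 && p[11] == ')')
      return (uint32_t)strtoul(p + 3, NULL, 16);
    p += 3;
  }
  return 0;
}

/* Classify an error-buffer string; *name gets the symbolic name or NULL. */
enum rev_verdict classify_errbuf(const char *errbuf, const char **name)
{
  uint32_t code = schannel_error_code(errbuf);
  *name = NULL;
  for(size_t i = 0; i < sizeof(rev_codes) / sizeof(rev_codes[0]); i++) {
    if(rev_codes[i].code == code) {
      *name = rev_codes[i].name;
      return rev_codes[i].v;
    }
  }
  return REV_NOT_REVOCATION;
}

int main(void)
{
  /* Error text from the thread, localized description left out. */
  const char *name, *msg = "schannel: next InitializeSecurityContext "
                           "failed: Unknown error (0x80092013)";
  enum rev_verdict v = classify_errbuf(msg, &name);
  printf("%s verdict=%d\n", name ? name : "(none)", (int)v);
  return 0;
}
```

libcurl's CURLOPT_SSL_OPTIONS accepts CURLSSLOPT_NO_REVOKE (since 7.44.0) to switch Schannel revocation checking off entirely, which also suppresses the CRYPT_E_REVOKED case, so the distinction made above is lost with it.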