curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Problems with schannel support for CURLOPT_CAINFO

From: Richard Alcock via curl-library <>
Date: Thu, 31 Oct 2019 11:11:31 +0000

I'm hitting what I think is two problems using CURLOPT_CAINFO with the
schannel backend.

The issues stem from making requests concurrently from multiple
threads specifing the same file in CURLOPT_CAINFO. If I run the code
below on multiple threads concurrently, some number of them fail, and
print out:

"ERROR: Problem with the SSL CA cert (path? access rights?) -
schannel: failed to open CA file '<path to PEM file>': Broken pipe"

CURL *curl = curl_easy_init();
char error[CURL_ERROR_SIZE];
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error);
curl_easy_setopt(curl, CURLOPT_FILE, nullptr);
curl_easy_setopt(curl, CURLOPT_URL, "");
curl_easy_setopt(curl, CURLOPT_CAINFO,"<path to PEM file>");
int res = curl_easy_perform(curl);
if (res != CURLE_OK) {
     std::cerr << "ERROR: " << curl_easy_strerror(res) << " - " <<
std::string(error) << "\n";

I believe this is because in schannel_verify.c the ca_file provided in
CURLOPT_CAINFO is opened (via CreateFile) with the (default) share
mode of 0. From MSDN this "Prevents other processes from opening a
file or device if they request delete, read, or write access." This is
fixed by passing FILE_SHARE_READ to the call to CreateFile. Any reason
why the "no sharing allowed" mode was chosen here instead?

The second issue is in how the Windows error is converted to a string.
I believe when CreateFile fails GetLastError is returning 32
(ERROR_SHARING_VIOLATION) but the string version is "Broken Pipe"
which suggests POSIX errno is being used rather than Windows errors.
This is Curl_strerror which is used widely, so not sure of
consequences of making a change there. Any thoughts?

Received on 2019-10-31