From 70bb0db76720c152f6a55bbe12cf162b55cb105b Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Fri, 10 Apr 2026 14:02:55 -0400
Subject: [PATCH] schannel: increase renegotiation timeout to 60 seconds

Prior to this change the timeout was 7 seconds but that is too short for
enhanced-security users that have to fill out an interactive prompt on
Schannel renegotiation (PIN, smart card, etc).

Reported-by: Tim Omta

Fixes https://github.com/curl/curl/issues/21270
Closes https://github.com/curl/curl/pull/21291
---
 lib/vtls/schannel.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index a2b76da982..7bfbbcf04c 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1757,7 +1757,13 @@ enum schannel_renegotiate_caller_t {
   SCH_RENEG_CALLER_IS_SEND
 };
 
-#define MAX_RENEG_BLOCK_TIME (7 * 1000) /* 7 seconds in milliseconds */
+/* The maximum time we allow for Schannel renegotiation which may in some
+   rare cases block either due to libcurl (waiting on the socket) or Windows
+   (waiting on an interactive security prompt). Note Schannel "renegotiation"
+   is not necessarily literal TLS renegotiation, but means DecryptMessage
+   returned SEC_I_RENEGOTIATE which means at least the security context needs
+   to be re-established. */
+#define MAX_RENEG_BLOCK_TIME (60 * 1000) /* 60 seconds in milliseconds */
 
 /* This function renegotiates the connection due to a server request received
    by schannel_recv. This function returns CURLE_AGAIN if the renegotiation is