The SChannel code uses the CertFindCertificateInStore function to retrieve the client certificate from a pkcs12 certificate store. However, when called with the CERT_FIND_ANY flag, this function does not provide any guarantees on the order in which certificates are retrieved. If a pkcs12 file contains an entire certificate chain instead of a single client certificate, the CertFindCertificateInStore function may return the CA or an intermediate certificate instead of the desired client certificate. Since there is no associated private key for such a certificate, the TLS handshake fails.

With this change, we now pass the CERT_FIND_HAS_PRIVATE_KEY flag. This ensures that the CertFindCertificateInStore function will return a certificate which has a corresponding private key. This will stop the CA and intermediate certificates from being selected. I don't think there would be much use in a client certificate which has no associated private key, so this should ensure the client certificate is selected.

I suppose it may be possible for a pkcs12 file to contain multiple certificates with private keys and the new behaviour may not guarantee which is selected. However, this is no worse than the previous behaviour, in which any certificate may have been selected.

The CERT_FIND_HAS_PRIVATE_KEY flag is only available in Windows 8 / Server 2012 (aka Windows NT 6.2). For older versions, we will fall back to using the CERT_FIND_ANY flag.

Closes #16825
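The selection rule described in the commit message can be checked on a PKCS#12 file before handing it to curl. The script below is an added example, not curl's own code: it loads every certificate in the file, shows what an order-dependent first-entry pick (the old CERT_FIND_ANY behaviour) would have returned, and then applies the private-key criterion the fix introduces. The path and password are placeholders supplied by the caller; the EphemeralKeySet flag is assumed to be available (.NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
# Added example, not curl's own code. It reproduces the selection rule of the
# fixed SChannel path on a PKCS#12 file: enumerate every certificate, then keep
# only those that carry a private key (the CERT_FIND_HAS_PRIVATE_KEY criterion).
# $PfxPath and $Password are placeholders supplied by the caller.
function Get-PfxClientCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )

    # X509Certificate2Collection.Import() takes the password as plain text
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    $store = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    # EphemeralKeySet keeps private keys in memory rather than writing them to
    # the user's key container (assumed: .NET Framework 4.7.2+ or PowerShell 7)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $store.Import((Resolve-Path $PfxPath).Path, $plain, $flags)

    # What an order-dependent CERT_FIND_ANY lookup amounts to: whichever entry
    # happens to come first, which for a bundled chain may be the CA or an intermediate
    $firstSubject = if ($store.Count -gt 0) { $store[0].Subject } else { $null }

    # The fixed rule: only certificates with a usable private key are candidates
    $withKey = @($store | Where-Object { $_.HasPrivateKey })

    $entries = foreach ($cert in $store) {
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
            Select-Object -First 1
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            IsCA          = [bool]($bc -and $bc.CertificateAuthority)
        }
    }

    if ($withKey.Count -eq 0) {
        Write-Warning 'No certificate in the file carries a private key; the client TLS handshake cannot succeed.'
    } elseif ($withKey.Count -gt 1) {
        Write-Warning "$($withKey.Count) certificates carry private keys; which one is picked is still not guaranteed."
    }

    # Report strings only, so the certificate objects can be disposed below
    $selected = if ($withKey.Count -eq 1) {
        '{0} ({1})' -f $withKey[0].Subject, $withKey[0].Thumbprint
    } else { $null }

    [pscustomobject]@{
        File       = $PfxPath
        Entries    = $entries
        FirstEntry = $firstSubject   # order-dependent pick (CERT_FIND_ANY)
        Selected   = $selected       # private-key pick (CERT_FIND_HAS_PRIVATE_KEY)
    }

    foreach ($cert in $store) { $cert.Dispose() }
}
```

Run it as `Get-PfxClientCertificate -PfxPath .\client.p12 -Password (Read-Host -AsSecureString 'PFX password')`. A file whose `Entries` list a CA or intermediate first but whose `Selected` names the end-entity certificate is exactly the case the fix addresses; a file with zero or several private keys should be repackaged before use, since the new flag cannot disambiguate it either. The same file is then passed to curl with `--cert-type P12 --cert client.p12:<password>`.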
curl is a command-line tool for transferring data specified with URL syntax. Learn how to use curl by reading the manpage or everything curl.
Find out how to install curl by reading the INSTALL document.
libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl manpage to learn how.
Open Source
curl is Open Source and is distributed under an MIT-like license.
Contact
Contact us on a suitable mailing list or use GitHub issues, pull requests or discussions.
All contributors to the project are listed in the THANKS document.
Commercial support
For commercial support, such as private and dedicated help with your problems or applications using (lib)curl, visit the support page.
Website
Visit the curl website for the latest news and downloads.
Source code
Download the latest source from the Git server:
git clone https://github.com/curl/curl.git
Security problems
Report suspected security problems via our HackerOne page and not in public.
Notice
curl contains pieces of source code that are Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan. This notice is included here to comply with the distribution terms.
Backers
Thank you to all our backers 🙏 Become a backer.
Sponsors
Support this project by becoming a sponsor.