curl is at curl.se / Bugs / #1187 winsspi ssl engine was unable connect through ssl

curl is at curl.haxx.se

#1187 winsspi ssl engine was unable connect through ssl

Status: closed-fixed

Owner: Daniel Stenberg

Labels: ssl winsspi windows (2)

Priority: 5

Updated: 2014-08-16

Created: 2013-02-04

Creator: Andrew Kurushin

Private: No

winsspi ssl engine was unable connect through ssl with curl build with winsspi(no openssl):
[-----]
curl --verbose -k https://XX.XX.XX.XX

About to connect() to test port 443 (#0)
Trying XX.XX.XX.XX...
connected
Connected to XX.XX.XX.XX (XX.XX.XX.XX) port 443 (#0)
schannel: SSL/TLS connection with XX.XX.XX.XX port 443 (step 1/3)
schannel: disable server certificate revocation checks
schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates. Also disables SNI.
schannel: sending initial handshake data: sending 119 bytes...
schannel: sent initial handshake data: sent 119 bytes
schannel: SSL/TLS connection with XX.XX.XX.XX port 443 (step 2/3)
schannel: encrypted data buffer: offset 3326 length 4096
schannel: sending next handshake data: sending 326 bytes...
schannel: SSL/TLS connection with XX.XX.XX.XX port 443 (step 2/3)
schannel: encrypted data buffer: offset 59 length 4096
schannel: SSL/TLS handshake complete
schannel: SSL/TLS connection with XX.XX.XX.XX port 443 (step 3/3)
schannel: failed to setup extended errors
Closing connection #0
schannel: shutting down SSL/TLS connection with XX.XX.XX.XX port 443
curl: (35) schannel: failed to setup extended errors
[-----]
this error occured only on some specific machine: win7 without sp1
maybe it's related to http://support.microsoft.com/kb/975858

i have made following changes:
[-----]
Index: lib/curl_schannel.c
===================================================================
--- lib/curl_schannel.c (revision)
+++ lib/curl_schannel.c (working copy)
@@ -219,7 +219,7 @@

/ setup request flags /
connssl->req_flags = ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT |

ISC_REQ_CONFIDENTIALITY | ISC_REQ_EXTENDED_ERROR |
ISC_REQ_CONFIDENTIALITY | // ISC_REQ_EXTENDED_ERROR |
ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM;

/ allocate memory for the security context handle /
@@ -503,8 +503,10 @@
failf(data, "schannel: failed to setup replay detection");
if(!(connssl->ret_flags & ISC_RET_CONFIDENTIALITY))
failf(data, "schannel: failed to setup confidentiality");
+/
if(!(connssl->ret_flags & ISC_RET_EXTENDED_ERROR))
failf(data, "schannel: failed to setup extended errors");
+/
if(!(connssl->ret_flags & ISC_RET_ALLOCATED_MEMORY))
failf(data, "schannel: failed to setup memory allocation");
if(!(connssl->ret_flags & ISC_RET_STREAM))
[-----]

and the problem has gone. i don't now if CURL really need specify ISC_REQ_EXTENDED_ERROR cause it's not related to client side;

Discussion

Daniel Stenberg - 2013-02-05

status: open --> closed-fixed

assigned_to: Daniel Stenberg

milestone: -->
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Stenberg - 2013-02-05

Thanks, this is now fixed in git!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

winsspi ssl engine was unable connect through ssl

curl is at curl.haxx.se

Searches

Help

#1187 winsspi ssl engine was unable connect through ssl

Discussion