
#146 Handle SEC_E_INCOMPLETE_CREDENTIALS errors when dealing with client certificates

Milestone: Unscheduled
Status: open
Owner: nobody
Labels: None
Ticket Type: Feature
Priority: 5
Updated: 2019-07-26
Created: 2015-05-16
Creator: Anonymous
Private: No

If the server requests a client certificate and we have not supplied one in the tls_socket call, it will fail with the SEC_E_INCOMPLETE_CREDENTIALS error. As per http://microsoft.public.platformsdk.security.narkive.com/rfIzFsJ7/schannel-and-client-certificates, it should be handled as follows:

When the SEC_E_INCOMPLETE_CREDENTIALS error is returned from
InitializeSecurityContext, your client code can do one of two things.

  1. It can find a client certificate, call AcquireCredentialsHandle to get a
    cred handle containing the certificate, and call InitializeSecurityContext
    again passing in the new cred handle. This will allow the handshake to be
    completed, with the client certificate chain being sent to the server.
  2. It can skip finding a client certificate, and just call
    InitializeSecurityContext back, passing in the ISC_REQ_USE_SUPPLIED_CRED
    flag. This will tell schannel to send the client certificate associated with
    the passed in cred handle, regardless of whether the cred handle actually
    contains a client certificate or not. If the credential doesn't contain a
    client certificate, then the handshake is completed without sending it.

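The following is an added example, not code from this ticket or from TWAPI itself. It shows the first option from the quoted text at the Tcl level: connect with tls_socket without a client certificate, and if the handshake fails with SEC_E_INCOMPLETE_CREDENTIALS, locate a certificate in the user's MY store, acquire an Schannel credential handle that carries it, and retry. The command names and options (cert_system_store_open, cert_store_find_certificate, cert_store_release, sspi_schannel_credentials, sspi_acquire_credentials, tls_socket -credentials) are assumed to follow the TWAPI 4.x documentation, and it is assumed that a failed handshake surfaces as a Tcl error whose errorcode is {TWAPI_WIN32 code message}; check both against the installed version before relying on this.

```tcl
package require Tcl 8.6
package require twapi
package require twapi_crypto

# SEC_E_INCOMPLETE_CREDENTIALS as defined in winerror.h.
set ::SEC_E_INCOMPLETE_CREDENTIALS 0x80090320

# Build a client credential handle carrying the first certificate in the
# current user's MY store whose subject contains SUBJECT.
# (Assumed TWAPI 4.x command names; verify against your installed version.)
proc client_credentials_for {subject} {
    set hstore [twapi::cert_system_store_open MY user]
    set hcert  [twapi::cert_store_find_certificate $hstore subject_substring $subject]
    twapi::cert_store_release $hstore
    if {$hcert eq ""} {
        error "no certificate matching '$subject' found in the user MY store"
    }
    # Schannel credential data that includes the certificate, wrapped into an
    # SSPI credential handle for the Unified SSL provider in the client role.
    set schannel [twapi::sspi_schannel_credentials -certificates [list $hcert]]
    return [twapi::sspi_acquire_credentials -credentials $schannel \
                -package unisp -role client]
}

# Extract the Win32/HRESULT code from a TWAPI error's -errorcode, normalised to
# an unsigned 32-bit value so it compares against 0x80090320 regardless of sign.
# (Assumes errorcode layout {TWAPI_WIN32 code message}.)
proc twapi_error_code {opts} {
    set ec [dict get $opts -errorcode]
    return [expr {[lindex $ec 1] & 0xFFFFFFFF}]
}

# Option 1 from the ticket, at the application level: try without a client
# certificate; on SEC_E_INCOMPLETE_CREDENTIALS, retry with a credential handle
# that contains one. Any other handshake error is re-raised unchanged.
proc tls_connect {host port subject} {
    try {
        return [twapi::tls_socket $host $port]
    } trap {TWAPI_WIN32} {msg opts} {
        if {[twapi_error_code $opts] != $::SEC_E_INCOMPLETE_CREDENTIALS} {
            return -options $opts $msg
        }
    }
    # Server asked for a client certificate: supply one and redo the handshake.
    set creds [client_credentials_for $subject]
    return [twapi::tls_socket -credentials $creds $host $port]
}

# Usage (hostname and subject substring are placeholders):
#   set chan [tls_connect mtls.example.invalid 443 "My Client Cert"]
#   puts $chan "GET / HTTP/1.0\r\n"; flush $chan
```

Two practical notes. Once the second option is in place (TWAPI 4.3.6 and later, per the discussion below), a handshake against a server that requests a certificate no longer stops with SEC_E_INCOMPLETE_CREDENTIALS on the client side; it completes without sending a certificate and the server then decides whether to accept or reject the connection, so the retry branch above is only reached on older versions. When you already know the server requires a client certificate, build the credential handle first and pass -credentials on the initial tls_socket call instead of relying on the error path.
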
Discussion

  • Ashok P. Nadkarni

    The second option is implemented in 4.3.6. The first is pending.

     
  • Ashok P. Nadkarni

    • Ticket Type: Bug --> Feature
     
