generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

schannel: Add support for optional client certificates

Browse Source 
Some servers will request a client certificate, but not require one.
This change allows libcurl to connect to such servers when using
schannel as its ssl/tls backend. When a server requests a client
certificate, libcurl will now continue the handshake without one,
rather than terminating the handshake. The server can then decide
if that is acceptable or not. Prior to this change, libcurl would
terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
error.
This commit is contained in:
Joel Depooter 2015-06-11 15:52:25 -04:00 committed by Jay Satiro
parent 4a7feea31a
commit a3e5a4371b
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/vtls/schannel.c
View File

@ -403,6 +403,17 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
/* If the server has requested a client certificate, attempt to continue
the handshake without one. This will allow connections to servers which
request a client certificate but do not require it. */
if(sspi_status == SEC_I_INCOMPLETE_CREDENTIALS &&
!(connssl->req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) {
connssl->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS;
connssl->connecting_state = ssl_connect_2_writing;
infof(data, "schannel: a client certificate has been requested\n");
return CURLE_OK;
}
/* check if the handshake needs to be continued */
if(sspi_status == SEC_I_CONTINUE_NEEDED || sspi_status == SEC_E_OK) {
for(i = 0; i < 3; i++) {