tdf#149921 ucb: webdav-curl: WNT: certificate revocation check
commit ce3d69ec11b0aacff085d0ce20e8ed84406743da
author Michael Stahl <michael.stahl@allotropia.de>
Fri, 12 Aug 2022 14:43:12 +0000 (12 16:43 +0200)
committer Michael Stahl <michael.stahl@allotropia.de>
Fri, 2 Jun 2023 10:22:22 +0000 (2 12:22 +0200)
tree 03a69f5394695bede0c0573192eacf75e423df9d
parent e12ebcfabec18430e2fd931842a7c0a689820bd0
tdf#149921 ucb: webdav-curl: WNT: certificate revocation check

- don't require it to be successful.

Trying to connect to a server with self-signed CA results in:

warn:ucb.ucp.webdav.curl:6796:6568:ucb/source/ucp/webdav-curl/CurlSession.cxx:946:
curl_easy_perform failed: (35) schannel: next InitializeSecurityContext failed:
Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Apparently schannel wants to check by default (called with
SCH_CRED_REVOCATION_CHECK_CHAIN) that all the certificates aren't
revoked, but the self-signed CA doesn't specify how to check.

Set it to only check revocation when the way to do so actually works,
via CURLSSLOPT_REVOKE_BEST_EFFORT, which sets these flags:
SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN

Change-Id: I6d77ca23fe2012d8a5d65000b14775070b5c9a0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138204
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit f6a0ca0e92e41ad8fea71acdacdc7ec5e775dc59)
ucb/source/ucp/webdav-curl/CurlSession.cxx
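
The effect of the flag combination named in the commit message, as an added example (a simplified model, not code from LibreOffice, curl or Schannel). The flag values are those of the Windows SDK header schannel.h; the rev_status outcomes, the FLAGS_* names and handshake_allowed() are hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* Flag values as defined in the Windows SDK header schannel.h. */
#define SCH_CRED_REVOCATION_CHECK_CHAIN      0x00000200u
#define SCH_CRED_IGNORE_NO_REVOCATION_CHECK  0x00000800u
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE   0x00001000u

/* Strict default described in the commit message, and the combination it
   lists for CURLSSLOPT_REVOKE_BEST_EFFORT (names are hypothetical). */
#define FLAGS_STRICT      (SCH_CRED_REVOCATION_CHECK_CHAIN)
#define FLAGS_BEST_EFFORT (SCH_CRED_IGNORE_NO_REVOCATION_CHECK | \
                           SCH_CRED_IGNORE_REVOCATION_OFFLINE | \
                           SCH_CRED_REVOCATION_CHECK_CHAIN)

/* Constructed outcomes of a revocation lookup for a chain (model only). */
enum rev_status {
    REV_GOOD,      /* responder reachable, certificate not revoked        */
    REV_REVOKED,   /* responder reachable, certificate is revoked         */
    REV_NO_CHECK,  /* certificate names no CRL/OCSP source (0x80092012)   */
    REV_OFFLINE    /* a source is named but could not be reached          */
};

/* Returns 1 if the handshake may proceed, 0 if it must fail. */
int handshake_allowed(uint32_t flags, enum rev_status st)
{
    if (!(flags & SCH_CRED_REVOCATION_CHECK_CHAIN))
        return 1;                       /* revocation checking not requested */
    switch (st) {
    case REV_GOOD:     return 1;
    case REV_REVOKED:  return 0;        /* never tolerated while checking    */
    case REV_NO_CHECK: return (flags & SCH_CRED_IGNORE_NO_REVOCATION_CHECK) != 0;
    case REV_OFFLINE:  return (flags & SCH_CRED_IGNORE_REVOCATION_OFFLINE) != 0;
    }
    return 0;                           /* unknown status: fail closed       */
}

int main(void)
{
    static const char *names[] = { "good", "revoked", "no-check", "offline" };
    printf("%-10s %-7s %s\n", "status", "strict", "best-effort");
    for (int st = REV_GOOD; st <= REV_OFFLINE; st++)
        printf("%-10s %-7d %d\n", names[st],
               handshake_allowed(FLAGS_STRICT, (enum rev_status)st),
               handshake_allowed(FLAGS_BEST_EFFORT, (enum rev_status)st));
    return 0;
}
```

Under the best-effort flags a missing or unreachable revocation source no longer fails the connection, but a certificate that is known to be revoked is still rejected.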