Windows schannel client certificate path broken in first call to curl_easy_perform #3480

@helgeklein

Description

Intro

We have used libcurl in our Windows application for HTTP REST APIs for a long time successfully. Now we are adding SSL client certificate authentication for a new REST API. While doing that, we encountered a bug where the certificate path set through CURLOPT_SSLCERT is corrupted in the first call to curl_easy_perform().

Details

The issue is with the function get_cert_location() in the file schannel.c. The path passed in is a pointer to the original certificate path (data->set.ssl.cert). While the path string is processed, it is null-terminated at the last backslash by overwriting said backslash with \0. That effectively shortens the path by one component. The resulting shortened path is not valid any more.

Result: the first call succeeds, every subsequent call returns with CURLE_SSL_CERTPROBLEM from get_cert_location().

More information

  • Path format: STORE\PATH\THUMBPRINT
  • Original (correct) path example: LocalMachine\MY\ac1a260ecfc022cd185a4c8551f0a63631123456
  • Example path after first call: LocalMachine\MY

Fix

To fix this, simply remove the following line:

schannel.c, get_cert_location(), line 395: *sep = 0;

The above line is responsible for shortening the path as described above.

Workaround

To work around this issue, set CURLOPT_SSLCERT for every call to curl_easy_perform().

Expected behavior

It should only be necessary to set CURLOPT_SSLCERT once per curl handle.

curl/libcurl version

libcurl 7.63.0 on Windows 10 1803
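The defect described above is a general string-handling pattern worth seeing in isolation: a parser that writes a terminator into a buffer it does not own, so the caller's stored value is silently truncated and only the first use succeeds. The following C program is an added example, not libcurl's schannel.c code; the struct, function names and `MAX_PART` limit are assumptions, and the certificate location string is the example path from the report. `parse_inplace` reproduces the in-place `*sep = 0` cut, while `parse_const` takes a `const char *` and copies each component by length so the handle's stored string is never modified.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PART 256   /* assumed per-component size limit, not libcurl's */

/* Hypothetical result of splitting STORE\PATH\THUMBPRINT. */
struct cert_location {
    char store[MAX_PART];
    char path[MAX_PART];
    char thumbprint[MAX_PART];
};

typedef int (*parse_fn)(char *, struct cert_location *);

/* Buggy pattern: terminates the caller's buffer at the last backslash.
 * After one call the caller still owns "STORE\PATH" instead of the full
 * location, so the next call can no longer find three components. */
int parse_inplace(char *loc, struct cert_location *out)
{
    char *sep = strrchr(loc, '\\');
    char *first;
    size_t store_len;
    if (!sep || !sep[1])
        return -1;
    strncpy(out->thumbprint, sep + 1, MAX_PART - 1);
    out->thumbprint[MAX_PART - 1] = 0;
    *sep = 0;                       /* the offending write into the caller's buffer */
    first = strchr(loc, '\\');
    if (!first || !first[1])
        return -1;                  /* fails on every call after the first */
    store_len = (size_t)(first - loc);
    if (store_len == 0 || store_len >= MAX_PART)
        return -1;
    memcpy(out->store, loc, store_len);
    out->store[store_len] = 0;
    strncpy(out->path, first + 1, MAX_PART - 1);
    out->path[MAX_PART - 1] = 0;
    return 0;
}

/* Safe pattern: read-only input, components copied by computed length. */
int parse_const(const char *loc, struct cert_location *out)
{
    const char *first = strchr(loc, '\\');
    const char *last = strrchr(loc, '\\');
    size_t store_len, path_len, tp_len;
    if (!first || !last || first == last || !last[1])
        return -1;                  /* need exactly STORE, PATH and THUMBPRINT */
    store_len = (size_t)(first - loc);
    path_len = (size_t)(last - first - 1);
    tp_len = strlen(last + 1);
    if (store_len == 0 || path_len == 0)
        return -1;
    if (store_len >= MAX_PART || path_len >= MAX_PART || tp_len >= MAX_PART)
        return -1;
    memcpy(out->store, loc, store_len);        out->store[store_len] = 0;
    memcpy(out->path, first + 1, path_len);    out->path[path_len] = 0;
    memcpy(out->thumbprint, last + 1, tp_len); out->thumbprint[tp_len] = 0;
    return 0;
}

/* Adapter so both parsers share the same function-pointer type. */
int parse_const_adapter(char *loc, struct cert_location *out)
{
    return parse_const(loc, out);
}

/* Simulates a handle whose certificate location is set once and parsed on
 * every transfer; returns how many of n transfers parsed successfully. */
int count_successful_transfers(parse_fn parse, int n)
{
    /* constructed sample: the example location from the report */
    char handle_cert[] = "LocalMachine\\MY\\ac1a260ecfc022cd185a4c8551f0a63631123456";
    struct cert_location cl;
    int i, ok = 0;
    for (i = 0; i < n; i++)
        if (parse(handle_cert, &cl) == 0)
            ok++;
    return ok;
}

/* Returns 1 if the caller's buffer is unchanged after one parse, else 0. */
int input_survives(parse_fn parse)
{
    const char *original = "LocalMachine\\MY\\ac1a260ecfc022cd185a4c8551f0a63631123456";
    char buf[128];
    struct cert_location cl;
    strcpy(buf, original);
    parse(buf, &cl);
    return strcmp(buf, original) == 0;
}

/* Returns 1 if parse_const splits the report's example into the expected parts. */
int const_parse_matches_example(void)
{
    struct cert_location cl;
    if (parse_const("LocalMachine\\MY\\ac1a260ecfc022cd185a4c8551f0a63631123456", &cl) != 0)
        return 0;
    return strcmp(cl.store, "LocalMachine") == 0 && strcmp(cl.path, "MY") == 0 &&
           strcmp(cl.thumbprint, "ac1a260ecfc022cd185a4c8551f0a63631123456") == 0;
}

int main(void)
{
    printf("in-place parser: %d of 3 transfers ok, input intact: %d\n",
           count_successful_transfers(parse_inplace, 3), input_survives(parse_inplace));
    printf("const parser:    %d of 3 transfers ok, input intact: %d\n",
           count_successful_transfers(parse_const_adapter, 3), input_survives(parse_const_adapter));
    return 0;
}
```

Running it shows the in-place parser succeeding only once before the stored location degrades to STORE\PATH, which is the CURLE_SSL_CERTPROBLEM-on-second-call behaviour the report describes, while the const version parses the same handle string indefinitely. A `const char *` parameter on the parser is the cheapest guard against this class of bug: the compiler then rejects the `*sep = 0` write outright.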
