Windows schannel client certificate path broken in first call to curl_easy_perform #3480

helgeklein opened this issue Jan 17, 2019 · 4 comments
TLS Windows Windows-specific

We have used libcurl in our Windows application for HTTP REST APIs for a long time successfully. Now we are adding SSL client certificate authentication for a new REST API. While doing that, we encountered a bug where the certificate path set through CURLOPT_SSLCERT is corrupted in the first call to curl_easy_perform().


The issue is with the function get_cert_location() in the file schannel.c. The path passed in is a pointer to the original certificate path (data->set.ssl.cert). While the path string is processed, it is null-terminated at the last backslash by overwriting said backslash with \0. That effectively shortens the path by one component. The resulting shortened path is not valid any more.

Result: the first call succeeds, every subsequent call returns with CURLE_SSL_CERTPROBLEM from get_cert_location().

More information

  • Original (correct) path example: LocalMachine\MY\ac1a260ecfc022cd185a4c8551f0a63631123456
  • Example path after first call: LocalMachine\MY


To fix this, simply remove the following line:

schannel.c, get_cert_location(), line 395: *sep = 0;

The above line is responsible for shortening the path as described above.


To work around this issue, set CURLOPT_SSLCERT for every call to curl_easy_perform().

Expected behavior

It should only be necessary to set CURLOPT_SSLCERT once per curl handle.

curl/libcurl version

libcurl 7.63.0 on Windows 10 1803

@bagder bagder added TLS Windows Windows-specific labels Jan 17, 2019
bagder commented Jan 17, 2019

Won't simply removing it cause any problems since that then leaves the cert_store_path including the thumbprint?

/cc @ArchangelSDY

Yes, looks incorrect. cert_store_path should not include thumbprint. Better to do a copy here.
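To make the report concrete: the in-place split described in the issue body next to the copy suggested in the reply above, as an added example written here and not libcurl's schannel.c. The names `parse_in_place`, `parse_with_copy` and `perform_twice` are hypothetical, the path layout follows the report's example and the thumbprint is the report's example value.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not libcurl's schannel.c. A schannel certificate path is
 * "<store location>\<store name>\<thumbprint>" (thumbprint: 40 hex digits). */
#define THUMBPRINT_LEN 40
struct cert_location {
    char store_path[64];                /* "<store location>\<store name>" */
    char thumbprint[THUMBPRINT_LEN + 1];
};

/* Buggy variant: NUL-terminates the caller's own buffer at the last backslash,
 * so the option stored on the handle loses a component on every call. */
static int parse_in_place(char *path, struct cert_location *out)
{
    char *sep = strrchr(path, '\\');
    if(!sep || strlen(sep + 1) != THUMBPRINT_LEN)
        return -1;                      /* maps to CURLE_SSL_CERTPROBLEM */
    *sep = 0;                           /* the offending write */
    snprintf(out->store_path, sizeof(out->store_path), "%s", path);
    memcpy(out->thumbprint, sep + 1, THUMBPRINT_LEN + 1);
    return 0;
}

/* Fixed variant: input is const and the store path is copied out, so the
 * handle's option is identical on the second and every later call. */
static int parse_with_copy(const char *path, struct cert_location *out)
{
    const char *sep = strrchr(path, '\\');
    size_t n = sep ? (size_t)(sep - path) : 0;
    if(!sep || strlen(sep + 1) != THUMBPRINT_LEN || n >= sizeof(out->store_path))
        return -1;
    memcpy(out->store_path, path, n);
    out->store_path[n] = 0;
    memcpy(out->thumbprint, sep + 1, THUMBPRINT_LEN + 1);
    return 0;
}

/* Models CURLOPT_SSLCERT set once and curl_easy_perform() called twice on the
 * same handle; returns how many of the two calls located the certificate. */
int perform_twice(int use_copy)
{
    char handle_cert[] = "LocalMachine\\MY\\ac1a260ecfc022cd185a4c8551f0a63631123456";
    struct cert_location loc; int located = 0;
    for(int i = 0; i < 2; i++) {
        int rc = use_copy ? parse_with_copy(handle_cert, &loc)
                          : parse_in_place(handle_cert, &loc);
        if(rc == 0 && !strcmp(loc.store_path, "LocalMachine\\MY"))
            located++;
    }
    return located;
}
```

With the in-place variant only the first of the two calls succeeds, which is the behaviour the report describes; with the copying variant both do.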

bagder commented Jan 21, 2019

@helgeklein, can you verify that #3487 fixes the issue for you?

@bagder I just did and it does fix the issue. Thanks for the great work and the super-quick fix!

bagder pushed a commit that referenced this issue Jan 21, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Apr 21, 2019