We have used libcurl in our Windows application for HTTP REST APIs for a long time successfully. Now we are adding SSL client certificate authentication for a new REST API. While doing that, we encountered a bug where the certificate path set through CURLOPT_SSLCERT is corrupted in the first call to curl_easy_perform().
The issue is with the function get_cert_location() in the file schannel.c. The path passed in is a pointer to the original certificate path (data->set.ssl.cert). While the path string is processed, it is null-terminated at the last backslash by overwriting said backslash with \0. That effectively shortens the path by one component. The resulting shortened path is not valid any more.
Result: the first call succeeds, every subsequent call returns with CURLE_SSL_CERTPROBLEM from get_cert_location().
Path format: STORE\PATH\THUMBPRINT
Original (correct) path example: LocalMachine\MY\ac1a260ecfc022cd185a4c8551f0a63631123456
Example path after first call: LocalMachine\MY
To fix this, simply remove the following line:
schannel.c, get_cert_location(), line 395: *sep = 0;
The above line is responsible for shortening the path as described above.
To work around this issue, set CURLOPT_SSLCERT for every call to curl_easy_perform().
It should only be necessary to set CURLOPT_SSLCERT once per curl handle.
libcurl 7.63.0 on Windows 10 1803
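The failure mode reported above, reduced to a stand-alone sketch. This is an added example, not libcurl's code: parse_inplace(), parse_readonly() and successes() are hypothetical names, and the path is the example from the report.

```c
#include <stdio.h>
#include <string.h>

/* Example path from the report, in STORE\PATH\THUMBPRINT form. */
#define SAMPLE "LocalMachine\\MY\\ac1a260ecfc022cd185a4c8551f0a63631123456"

/* Hypothetical parser that splits in place: each call overwrites the last
   backslash in the caller's buffer, so the stored option loses a component. */
static int parse_inplace(char *path, const char **thumb)
{
  char *first = strchr(path, '\\');
  char *sep = strrchr(path, '\\');
  if(!first || first == sep)
    return -1;                    /* fewer than three components */
  *sep = 0;                       /* destructive write into caller's string */
  *thumb = sep + 1;
  return 0;
}

/* Non-destructive variant: the store path is copied out, the input is const. */
static int parse_readonly(const char *path, char *store, size_t len,
                          const char **thumb)
{
  const char *first = strchr(path, '\\');
  const char *sep = strrchr(path, '\\');
  size_t n = sep ? (size_t)(sep - path) : 0;
  if(!first || first == sep || n >= len)
    return -1;                    /* malformed, or store path does not fit */
  memcpy(store, path, n);
  store[n] = 0;
  *thumb = sep + 1;
  return 0;
}

/* Parse one stored path three times, as three transfers on one handle would. */
static int successes(int readonly)
{
  char path[] = SAMPLE, store[64]; const char *t; int i, ok = 0;
  for(i = 0; i < 3; i++)
    ok += (readonly ? parse_readonly(path, store, sizeof(store), &t)
                    : parse_inplace(path, &t)) == 0;
  return ok;
}

int main(void)
{
  printf("in place: %d/3, read-only: %d/3\n", successes(0), successes(1));
  return 0;
}
```

The in-place parser succeeds once and then rejects the shortened string, which matches the reported pattern of one good call followed by errors.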