schannel: fix revoke_best_effort reading wrong ssl config#21683
Closed
MegaManSec wants to merge 1 commit into
Conversation
Line 808 was reading from data->set.ssl.revoke_best_effort unconditionally, bypassing the context-aware ssl_config pointer already established at line 660 via Curl_ssl_cf_get_config(). Lines 752 and 792 in the same function already use ssl_config correctly; make 808 consistent.
jay (Member) approved these changes on May 20, 2026:
Thanks
outcast36 pushed a commit to greearb/curl that referenced this pull request on Jun 3, 2026:
- Fix revoke_best_effort reading wrong ssl config. Prior to this change the revoke_best_effort setting for the proxy was wrongly ignored in favor of the same setting for the destination host. In other words, CURLSSLOPT_REVOKE_BEST_EFFORT set via CURLOPT_PROXY_SSL_OPTIONS did not apply to the proxy and CURLSSLOPT_REVOKE_BEST_EFFORT set via CURLOPT_SSL_OPTIONS wrongly applied to the proxy. Closes curl#21683
schannel_verify.c line 808 reads data->set.ssl.revoke_best_effort unconditionally, ignoring whether the connection being verified is an origin or proxy connection. ssl_config is already set at line 660 via Curl_ssl_cf_get_config(), which returns &data->set.proxy_ssl for proxy cfilters and &data->set.ssl for origin cfilters. Lines 752 and 792 in the same function already use ssl_config correctly; this makes line 808 consistent.

The impact is policy bleed: when CURLSSLOPT_REVOKE_BEST_EFFORT differs between CURLOPT_SSL_OPTIONS and CURLOPT_PROXY_SSL_OPTIONS, the wrong revocation policy is applied during proxy certificate verification.
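The policy bleed described above, as an added stand-alone model rather than curl's own code: the struct names, `cf_get_config()` and the `revoke_policy_before()`/`revoke_policy_after()` functions are hypothetical stand-ins for `Curl_ssl_cf_get_config()` and the two versions of the line 808 read. The model keeps one `revoke_best_effort` flag per destination, selects the config by whether the filter is a proxy filter, and shows that only the "before" variant lets the origin setting leak into proxy verification.

```c
/* Added example, not curl's code. Models the bug fixed by this PR: a verify
 * routine that looks up the per-filter ssl config but then reads one field
 * from the origin config regardless. All names here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

/* Per-destination TLS settings. curl keeps one for the origin host
 * (data->set.ssl) and one for the HTTPS proxy (data->set.proxy_ssl). */
struct ssl_config {
    bool revoke_best_effort;      /* CURLSSLOPT_REVOKE_BEST_EFFORT */
};

struct easy_set {
    struct ssl_config ssl;        /* set via CURLOPT_SSL_OPTIONS */
    struct ssl_config proxy_ssl;  /* set via CURLOPT_PROXY_SSL_OPTIONS */
};

struct easy {
    struct easy_set set;
};

/* Model of a connection filter: is_proxy says whose certificate is checked. */
struct cfilter {
    bool is_proxy;
};

/* Stand-in for Curl_ssl_cf_get_config(): pick the config for this filter. */
const struct ssl_config *cf_get_config(const struct cfilter *cf,
                                       const struct easy *data)
{
    return cf->is_proxy ? &data->set.proxy_ssl : &data->set.ssl;
}

/* Before the fix: the filter's config is fetched, but this one field is
 * still read from data->set.ssl, so proxy filters get the origin policy. */
bool revoke_policy_before(const struct cfilter *cf, const struct easy *data)
{
    const struct ssl_config *ssl_config = cf_get_config(cf, data);
    (void)ssl_config;  /* looked up, then ignored for this field */
    return data->set.ssl.revoke_best_effort;
}

/* After the fix: every field comes from the filter's own config. */
bool revoke_policy_after(const struct cfilter *cf, const struct easy *data)
{
    const struct ssl_config *ssl_config = cf_get_config(cf, data);
    return ssl_config->revoke_best_effort;
}

/* True if the old read applies the wrong revocation policy to the proxy
 * for this pair of settings. Bleed only happens when the two differ. */
bool policy_bleeds(bool origin_best_effort, bool proxy_best_effort)
{
    struct easy data = {0};  /* constructed handle, no network involved */
    data.set.ssl.revoke_best_effort = origin_best_effort;
    data.set.proxy_ssl.revoke_best_effort = proxy_best_effort;

    struct cfilter proxy_cf = { .is_proxy = true };
    return revoke_policy_before(&proxy_cf, &data) !=
           revoke_policy_after(&proxy_cf, &data);
}

int main(void)
{
    /* Walk all four combinations and report which ones misapply policy. */
    for (int o = 0; o < 2; o++) {
        for (int p = 0; p < 2; p++) {
            printf("origin best_effort=%d proxy best_effort=%d -> %s\n",
                   o, p, policy_bleeds(o, p) ? "BLEED" : "ok");
        }
    }
    return 0;
}
```

The dangerous direction is origin best-effort on, proxy best-effort off: an operator who deliberately left strict revocation checking on for the proxy gets best-effort behaviour there without any error or log line. The opposite mismatch is a functional failure (a proxy set to best-effort suddenly fails revocation checks) and is noticed immediately, which is how this class of bug tends to surface.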