schannel: Add an option to disable auto default credentials #6672

New libcurl ssl option value CURLSSLOPT_NO_DEFAULT_CREDS tells libcurl
to not automatically locate and use a client certificate for
authentication.

New curl tool options --ssl-no-default-creds and
--proxy-ssl-no-default-creds map to CURLSSLOPT_NO_DEFAULT_CREDS.

This option is only supported for Schannel (the native Windows SSL
library). By default, Schannel will, with no notification to the client,
attempt to locate a client certificate and send it to the server (when
requested by the server). That could be considered a privacy violation
and unexpected.

Fixes #2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn
Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard
Closes #xxxx
Please take discussion to #6673