schannel: Add an option to disable auto default credentials #6672

Closed
wants to merge 2 commits into from

@jay jay commented Feb 27, 2021

  • New libcurl ssl option value CURLSSLOPT_NO_DEFAULT_CREDS tells libcurl
    to not automatically locate and use a client certificate for
    authentication.

  • New curl tool options --ssl-no-default-creds
    and --proxy-ssl-no-default-creds map to CURLSSLOPT_NO_DEFAULT_CREDS.

This option is only supported for Schannel (the native Windows SSL
library). By default, Schannel will, with no notification to the client,
attempt to locate a client certificate and send it to the server (when
requested by the server). That could be considered a privacy violation
and unexpected.

Fixes #2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes #xxxx


Please take discussion to #6673

@jay jay added TLS cmdline tool Windows Windows-specific labels Feb 27, 2021
@jay jay marked this pull request as draft February 27, 2021 00:07
@bagder bagder added the feature-window A merge of this requires an open feature window label Mar 11, 2021
@jay jay removed the feature-window A merge of this requires an open feature window label Apr 22, 2021
@jay
Member Author

jay commented Apr 22, 2021

Closed in favor of #6673

@jay jay closed this Apr 22, 2021
@jay jay deleted the schannel_option_no_default_creds branch April 22, 2021 20:34
Successfully merging this pull request may close these issues.

WinSSL sends client certificate automatically
2 participants