From a3e5a4371b43a68a19e6d73d050846c2f9a20859 Mon Sep 17 00:00:00 2001 From: Joel Depooter Date: Thu, 11 Jun 2015 15:52:25 -0400 Subject: schannel: Add support for optional client certificates Some servers will request a client certificate, but not require one. This change allows libcurl to connect to such servers when using schannel as its ssl/tls backend. When a server requests a client certificate, libcurl will now continue the handshake without one, rather than terminating the handshake. The server can then decide if that is acceptable or not. Prior to this change, libcurl would terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS error. --- lib/vtls/schannel.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index b02e42ecc..543c20657 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -403,6 +403,17 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) return CURLE_OK; } + /* If the server has requested a client certificate, attempt to continue + the handshake without one. This will allow connections to servers which + request a client certificate but do not require it. */ + if(sspi_status == SEC_I_INCOMPLETE_CREDENTIALS && + !(connssl->req_flags & ISC_REQ_USE_SUPPLIED_CREDS)) { + connssl->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS; + connssl->connecting_state = ssl_connect_2_writing; + infof(data, "schannel: a client certificate has been requested\n"); + return CURLE_OK; + } + /* check if the handshake needs to be continued */ if(sspi_status == SEC_I_CONTINUE_NEEDED || sspi_status == SEC_E_OK) { for(i = 0; i < 3; i++) { -- cgit v1.2.3