[Bug 48495] New: XCP-ng Center v8.x (.NET 4.6 app) can't connect to server with self-signed certificate

WineHQ Bugzilla wine-bugs at winehq.org
Tue Jan 21 23:28:39 CST 2020


https://bugs.winehq.org/show_bug.cgi?id=48495

            Bug ID: 48495
           Summary: XCP-ng Center v8.x (.NET 4.6 app) can't connect to
                    server with self-signed certificate
           Product: Wine
           Version: 4.21
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: crypt32
          Assignee: wine-bugs at winehq.org
          Reporter: imirkin at alum.mit.edu
      Distribution: ---

Needless to say, this works fine on windows. The application requires the
"dotnet462" winetricks verb to start, and see #48492 for ways to get past the
splash screen. Installation msi available from
https://github.com/xcp-ng/xenadmin/releases/download/v8.0.1.26/XCP-ng-Center-8.0.1.26.msi

However once in the application, it can't actually connect.
WINEDEBUG=trace+crypt,trace+chain shows the following happening over and over
and over and over again:

0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30)
0072:trace:chain:dump_policy_para cbSize = 12
0072:trace:chain:dump_policy_para dwFlags = 00000010
0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60
0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16
0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2
0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000
0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>"
0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109)

800b0109 = CERT_E_UNTRUSTEDROOT

And indeed, it's a self-signed certificate, which isn't in the trusted list.

However note that policy_para.dwFlags = 0x10 ==
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG . This is handled in
verify_base_policy. However verify_ssl_policy only checks for the bit in
extra_chain_policy_para.fdwChecks, which is empty here.

The (.NET) application does the following:

SslStream sslStream = new SslStream(stream, false,
  new RemoteCertificateValidationCallback(ValidateServerCertificate), null);

Where the ValidateServerCertificate function = "return true".

I suspect that the policy para's dwFlags should be respected by
verify_ssl_policy even if fdwFlags isn't set... but my familiarity with these
APIs extends to all of the past couple of hours ... an expert opinion would be
quite welcome.
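The callback the report describes returns true unconditionally, so the .NET side accepts any certificate and only Wine's crypt32 policy check stands in the way. The following is an added example, not code from XCP-ng Center or the bug report, of a RemoteCertificateValidationCallback that tolerates a self-signed server certificate only when the single chain problem is an untrusted root and the leaf matches a thumbprint pinned out of band; the thumbprint and host name are placeholders.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

static class PinnedSsl
{
    // Assumption: SHA-1 thumbprint of the server's self-signed certificate,
    // recorded out of band. Placeholder value, not taken from the bug report.
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Replacement for a "return true" callback: accept the chain only when the
    // sole problem is an untrusted root AND the leaf is the pinned certificate.
    static bool ValidateServerCertificate(object sender, X509Certificate cert,
        X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;                       // normally trusted chain
        if (cert == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;                      // name mismatch, no certificate, etc.
        // Every chain status must be UntrustedRoot; expired, revoked or
        // otherwise invalid chains are rejected even for the pinned cert.
        foreach (X509ChainStatus s in chain.ChainStatus)
            if (s.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        string actual = new X509Certificate2(cert).Thumbprint;
        return string.Equals(actual, ExpectedThumbprint,
            StringComparison.OrdinalIgnoreCase);
    }

    static void Main(string[] args)
    {
        // Placeholder host; XCP-ng exposes its API over HTTPS on port 443.
        string host = args.Length > 0 ? args[0] : "xcp-ng.example";
        using (TcpClient client = new TcpClient(host, 443))
        using (SslStream sslStream = new SslStream(client.GetStream(), false,
            new RemoteCertificateValidationCallback(ValidateServerCertificate), null))
        {
            sslStream.AuthenticateAsClient(host);
            Console.WriteLine("Negotiated " + sslStream.SslProtocol +
                " with the pinned self-signed certificate.");
        }
    }
}
```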
