[Bug 48495] New: XCP-ng Center v8.x (.NET 4.6 app) can't connect to server with self-signed certificate
WineHQ Bugzilla
wine-bugs at winehq.org
Tue Jan 21 23:28:39 CST 2020
https://bugs.winehq.org/show_bug.cgi?id=48495
Bug ID: 48495
Summary: XCP-ng Center v8.x (.NET 4.6 app) can't connect to server with self-signed certificate
Product: Wine
Version: 4.21
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs at winehq.org
Reporter: imirkin at alum.mit.edu
Distribution: ---

Needless to say, this works fine on Windows. The application requires the
"dotnet462" winetricks verb to start, and see #48492 for ways to get past the
splash screen. Installation MSI available from
https://github.com/xcp-ng/xenadmin/releases/download/v8.0.1.26/XCP-ng-Center-8.0.1.26.msi.

However, once in the application, it can't actually connect.

WINEDEBUG=trace+crypt,trace+chain shows the following happening over and over
and over and over again:

0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30)
0072:trace:chain:dump_policy_para cbSize = 12
0072:trace:chain:dump_policy_para dwFlags = 00000010
0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60
0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16
0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2
0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000
0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>"
0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109)

800b0109 = CERT_E_UNTRUSTEDROOT

And indeed, it's a self-signed certificate, which isn't in the trusted list.
However, note that policy_para.dwFlags = 0x10 ==
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG. This is handled in
verify_base_policy. However, verify_ssl_policy only checks for the bit in
extra_chain_policy_para.fdwChecks, which is empty here.

The (.NET) application does the following:

    SslStream sslStream = new SslStream(stream, false,
        new RemoteCertificateValidationCallback(ValidateServerCertificate), null);

Where the ValidateServerCertificate function = "return true".

I suspect that the policy para's dwFlags should be respected by
verify_ssl_policy even if fdwFlags isn't set... but my familiarity with these
APIs extends to all of the past couple of hours ... an expert opinion would be
quite welcome.
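
A small decoder for the trace format quoted in the report, added here as an example (it is not part of the original report or of Wine): it decodes dwFlags, fdwChecks and the returned HRESULT for each CertVerifyCertificateChainPolicy call and marks calls where the unknown-CA allowance was set only in the base policy flags. SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100) is the Windows SDK name assumed here for the corresponding fdwChecks bit; it does not appear in the report.

```python
import re

# Flag values from the Windows SDK headers (wincrypt.h / wininet.h); the 0x100 name is an assumption.
BASE_FLAGS = {0x10: "CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG"}
SSL_CHECKS = {0x100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA"}
HRESULTS = {0x800B0109: "CERT_E_UNTRUSTEDROOT"}

# Trace lines copied from the report above, with wrapped lines rejoined.
TRACE = """\
0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30)
0072:trace:chain:dump_policy_para cbSize = 12
0072:trace:chain:dump_policy_para dwFlags = 00000010
0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60
0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16
0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2
0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000
0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>"
0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109)
"""

FIELD = re.compile(r"trace:chain:dump_\w+ (dwFlags|fdwChecks) = ([0-9a-fA-F]{8})$")
RESULT = re.compile(r"CertVerifyCertificateChainPolicy returning \d+ \(([0-9a-fA-F]{8})\)$")

def names(value, table):
    """Decode a bitmask into known flag names (unknown bits shown as hex)."""
    out = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)
    return out + ([hex(rest)] if rest else [])

def analyze(trace):
    """Return one record per policy call, flagging the mismatch the report describes."""
    calls, cur = [], {}
    for line in trace.splitlines():
        line = line.strip()
        if m := FIELD.search(line):
            cur[m.group(1)] = int(m.group(2), 16)
        elif m := RESULT.search(line):
            flags, checks = cur.get("dwFlags", 0), cur.get("fdwChecks", 0)
            err = int(m.group(1), 16)
            calls.append({
                "dwFlags": names(flags, BASE_FLAGS),
                "fdwChecks": names(checks, SSL_CHECKS),
                "error": HRESULTS.get(err, hex(err)),
                # Unknown CA allowed in dwFlags, not in fdwChecks, and the call still failed.
                "mismatch": bool(flags & 0x10) and not checks & 0x100 and err == 0x800B0109,
            })
            cur = {}
    return calls
```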