[Bug 50721] IDA Pro 7.5: Lumina can't contact server, complains about Schannel security attributes

WineHQ Bugzilla wine-bugs at winehq.org
Wed Feb 24 09:39:18 CST 2021


https://bugs.winehq.org/show_bug.cgi?id=50721

--- Comment #1 from Hans Leidekker <hans at meelstraat.net> ---
(In reply to Paulo Matias from comment #0)
> 2. ISC_REQ_MANUAL_CRED_VALIDATION: according to MSDN, this flag means "By
> default, Schannel validates the server certificate by calling the
> WinVerifyTrust function; however, if you have disabled this feature using
> the ISC_REQ_MANUAL_CRED_VALIDATION flag, you must validate the certificate
> provided by the server that is attempting to establish its identity."
> 
> However, Wine currently does not carry out automatic server certificate
> validation at all. The OSX implementation always calls
> "SSLSetEnableCertVerify(s->context, FALSE)" to disable it explicitly. The
> GnuTLS implementation never calls "gnutls_session_set_verify_cert", which
> would be required to enable server certificate validation.

This is because we would need to use Win32 APIs to verify the certificate. That
way we have access to the right CA certificate store and apply the right
policy.

> Strictly speaking, the current implementation of Schannel in Wine is
> insecure, but fixing it would require more extensive changes to the code and
> could cause regression bugs with other applications. Thus, I argue it should
> be dealt with by another bug entry and fixed by another patch.
> 
> Therefore, the attached patch restricts itself to return
> ISC_RET_MANUAL_CRED_VALIDATION when ISC_REQ_MANUAL_CRED_VALIDATION is set,
> and to better document the current situation in the code.

That's fine. You may also want to add a test case.
