I'm on Windows (10.0.19045.3930, if it matters) and using libgit2sharp 0.29, which switched to libgit2 1.7.1. 1.7.0 introduced (optional, configurable?) schannel support, which I'm suspecting is causing my problem: attempting to clone fails with a "certificate revocation status could not be verified" error. I can reproduce this with command-line git (2.43.0) if I explicitly set the option http.schannelCheckRevoke to true, which then gives schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. This is odd in itself, because according to the docs, this should be the default anyway. But sure enough, if I unset the option, or explicitly set it to false, command-line git as well as libgit2sharp 0.28 clone just fine.
This can of course be worked around in various ways, including making revocation work (somehow) or overriding certificate checking with a callback and re-doing the verification myself with revocation checking turned off (clunky as that is), but I suspect that in order for this to work through configuration as it does now, libgit2 would need explicit support for the http.schannelCheckRevoke option and it currently doesn't have it, correct?
Apologies for not supplying a full repro; this would require both setting up a failing revocation through schannel as well as conjuring up code for calling libgit2 directly. I think I'm at least correct in locating the issue in libgit2 rather than libgit2sharp.
I found out that http.schannelCheckRevoke in Git for Windows does NOT default to true. It defaults to "best-effort". This means that these error states are ignored: CERT_TRUST_REVOCATION_STATUS_UNKNOWN, CERT_TRUST_IS_OFFLINE_REVOCATION.
So on Windows libgit2 should probably do the same. I'd probably split this into:
- Ignore the errors on Windows
- Add support for http.schannelCheckRevoke
- set_certificate_lookup_error treats "status" as an enum but it's a bitmask (we saw the error "unknown certificate lookup failure" but actually it should have been "certificate revocation status could not be verified" AND "certificate revocation is offline or stale")
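The bitmask handling and the best-effort policy described in the comment above, as an added example (not code from libgit2 or Git for Windows). The `EX_` names and function names are hypothetical, the bit values mirror the `CERT_TRUST_*` constants in wincrypt.h, and the "certificate is revoked" wording is constructed; the other messages are the ones quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CERT_TRUST_STATUS.dwErrorStatus bits, values as in wincrypt.h,
 * redefined under EX_ names so the example builds on any platform. */
#define EX_IS_REVOKED                0x00000004u
#define EX_REVOCATION_STATUS_UNKNOWN 0x00000040u
#define EX_IS_OFFLINE_REVOCATION     0x01000000u
/* The two "could not check" states that best-effort mode ignores. */
#define EX_BEST_EFFORT_IGNORED \
    (EX_REVOCATION_STATUS_UNKNOWN | EX_IS_OFFLINE_REVOCATION)

static const struct { uint32_t bit; const char *msg; } ex_errors[] = {
    { EX_IS_REVOKED, "certificate is revoked" }, /* wording constructed */
    { EX_REVOCATION_STATUS_UNKNOWN,
      "certificate revocation status could not be verified" },
    { EX_IS_OFFLINE_REVOCATION, "certificate revocation is offline or stale" },
};

/* Bits that still count as failures once the revocation policy is applied.
 * A definite "revoked" answer is never masked, only the inability to check. */
uint32_t ex_effective_errors(uint32_t status, int best_effort)
{
    return best_effort ? (status & ~EX_BEST_EFFORT_IGNORED) : status;
}

/* One message per set bit, "; "-separated; returns how many were reported.
 * Bits missing from the table fall back to the generic message. */
int ex_describe(uint32_t status, char *buf, size_t len)
{
    uint32_t known = 0;
    size_t i, used;
    int n = 0;

    buf[0] = '\0';
    for (i = 0; i < sizeof(ex_errors) / sizeof(ex_errors[0]); i++) {
        known |= ex_errors[i].bit;
        if (!(status & ex_errors[i].bit))
            continue;
        used = strlen(buf);
        snprintf(buf + used, len - used, "%s%s", n++ ? "; " : "", ex_errors[i].msg);
    }
    if (status & ~known) {
        used = strlen(buf);
        snprintf(buf + used, len - used, "%sunknown certificate lookup failure",
                 n++ ? "; " : "");
    }
    return n;
}
```

Comparing the status against each constant with `==` or a `switch` misses the combined value 0x01000040, which is how both revocation bits together end up reported as an unknown failure.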