https://bugs.winehq.org/show_bug.cgi?id=48495 Bug ID: 48495 Summary: XCP-ng Center v8.x (.NET 4.6 app) can't connect to server with self-signed certificate Product: Wine Version: 4.21 Hardware: x86 OS: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: crypt32 Assignee: wine-bugs(a)winehq.org Reporter: imirkin(a)alum.mit.edu Distribution: --- Needless to say, this works fine on windows. The application requires the "dotnet462" winetricks verb to start, and see #48492 for ways to get past the splash screen. Installation msi available from https://github.com/xcp-ng/xenadmin/releases/download/v8.0.1.26/XCP-ng-Center... . However once in the application, it can't actually connect. WINEDEBUG=trace+crypt,trace+chain shows the following happening over and over and over and over again: 0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30) 0072:trace:chain:dump_policy_para cbSize = 12 0072:trace:chain:dump_policy_para dwFlags = 00000010 0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60 0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16 0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2 0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000 0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>" 0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109) 800b0109 = CERT_E_UNTRUSTEDROOT And indeed, it's a self-signed certificate, which isn't in the trusted list. However note that policy_para.dwFlags = 0x10 == CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG . This is handled in verify_base_policy. However verify_ssl_policy only checks for the bit in extra_chain_policy_para.fdwChecks, which is empty here. The (.NET) application does the following: SslStream sslStream = new SslStream(stream, false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null); Where the ValidateServerCertificate function = "return true". I suspect that the policy para's dwFlags should be respected by verify_ssl_policy even if fdwFlags isn't set... but my familiarity with these APIs extends to all of the past couple of hours ... an expert opinion would be quite welcome. -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.