http://bugs.winehq.org/show_bug.cgi?id=31159
--- Comment #8 from Juan Lang juan.lang@gmail.com 2012-07-09 22:20:54 CDT ---
Hang on: it does work with native wininet? Please verify that for me.
Here's something that throws me:
trace:wininet:create_netconn using SSL connection
trace:crypt:CertOpenStore (#0002, 00000000, 00000000, 00002000, (nil))
trace:crypt:CRYPT_MemOpenStore (0, 00002000, (nil))
trace:crypt:CertCreateCertificateContext (00000001, 0x77012bb8, 1755)
trace:crypt:CryptDecodeObjectEx (0x00000001, #0002, 0x77012bb8, 1755, 0x00008000, (nil), 0x187ecd34, 0x187ecd30)
trace:crypt:CryptDecodeObjectEx returning 1
trace:crypt:CertAddCertificateContextToStore (0x6e505a28, 0x6e505b88, 00000004, 0x187ecdc8)
trace:crypt:CertDuplicateCertificateContext (0x6e505b88)
trace:crypt:CRYPT_MemAddCert (0x6e505a28, 0x6e505b88, (nil), 0x187ecdc8)
trace:crypt:CertDuplicateCertificateContext (0x6e5019d8)
trace:crypt:CertFreeCertificateContext (0x6e505b88)
trace:crypt:CertFreeCertificateContext ((nil))
trace:crypt:CertAddCertificateContextToStore returning 1
trace:crypt:CertFreeCertificateContext (0x6e505b88)
trace:wininet:netconn_verify_cert verifying L"store.eun1.lol.riotgames.com"
This shows that wininet creates a memory store, as expected, then adds a single certificate to it. From dlls/wininet/netconnection.c:
    /* fresh in-memory store that will hold only what the handshake delivered */
    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
                                     CERT_STORE_CREATE_NEW_FLAG, NULL);
(snip)
    /* the chain OpenSSL built for this connection */
    struct stack_st *chain = (struct stack_st *)pX509_STORE_CTX_get_chain( ctx );

    ret = TRUE;
    for (i = 0; ret && i < psk_num(chain); i++)
    {
        PCCERT_CONTEXT context;

        cert = (X509 *)psk_value(chain, i);
        if ((context = X509_to_cert_context(cert)))
        {
            /* element 0 is the end-entity certificate */
            ret = CertAddCertificateContextToStore(store, context,
                                                   CERT_STORE_ADD_ALWAYS,
                                                   i ? NULL : &endCert);
            CertFreeCertificateContext(context);
        }
    }
That is, it should get every certificate OpenSSL sees, and add each to the memory store. Back to the log:
trace:chain:CRYPT_CheckSimpleChain checking chain with 1 elements for time (null)
Only a single certificate is found, and, looking at the log earlier, this makes sense: only a single certificate was added to the memory store.
This suggests that either the server is not including the intermediate certificates in the TLS handshake, or that OpenSSL is not reporting them.
I'm a little less sure where to go from here. Maybe a Wireshark trace of the TLS handshake could tell us whether the server is indeed sending intermediate certificates.
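As an added example (not from the bug report or Wine's source), a stdlib-only Python check of the "is the server sending intermediates?" hypothesis: it parses the "Certificate chain" section that `openssl s_client -showcerts -connect host:443 </dev/null` prints and lists the issuers the client would have to supply from its own store. The host names and PEM bodies below are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed samples in the layout `openssl s_client -showcerts` prints.
# Only the "s:" (subject) and "i:" (issuer) lines are parsed; the PEM
# bodies are placeholders, not real certificates.
SAMPLE_FULL_CHAIN = """\
Certificate chain
 0 s:/CN=store.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
---
"""

SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/CN=store.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
---
"""

# One chain entry: " <n> s:<subject>" followed by "   i:<issuer>" on the next line.
_ENTRY_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in _ENTRY_RE.finditer(output)]

def unresolved_issuers(chain: List[Tuple[str, str]]) -> List[str]:
    """Issuers that no certificate in the handshake satisfies.

    A complete chain leaves exactly one: the root's subject (servers may
    omit the root itself). Anything else is a missing intermediate, which
    is what a one-element chain in the trace above would look like.
    """
    subjects = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in subjects]
```

On a real capture, `unresolved_issuers(parse_chain(open(path).read()))` returning anything other than a trusted root's subject means the server omitted an intermediate.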