https://bugs.winehq.org/show_bug.cgi?id=48495
Bug ID: 48495
Summary: XCP-ng Center v8.x (.NET 4.6 app) can't connect to server with self-signed certificate
Product: Wine
Version: 4.21
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: imirkin@alum.mit.edu
Distribution: ---
Needless to say, this works fine on windows. The application requires the "dotnet462" winetricks verb to start, and see #48492 for ways to get past the splash screen. Installation msi available from https://github.com/xcp-ng/xenadmin/releases/download/v8.0.1.26/XCP-ng-Center... .
However once in the application, it can't actually connect. WINEDEBUG=trace+crypt,trace+chain shows the following happening over and over and over and over again:
0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30)
0072:trace:chain:dump_policy_para cbSize = 12
0072:trace:chain:dump_policy_para dwFlags = 00000010
0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60
0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16
0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2
0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000
0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>"
0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109)
800b0109 = CERT_E_UNTRUSTEDROOT
And indeed, it's a self-signed certificate, which isn't in the trusted list.
However note that policy_para.dwFlags = 0x10 == CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG. This is handled in verify_base_policy. However verify_ssl_policy only checks for the bit in extra_chain_policy_para.fdwChecks, which is empty here.
The (.NET) application does the following:
SslStream sslStream = new SslStream(stream, false, new RemoteCertificateValidationCallback(ValidateServerCertificate), null);
Where the ValidateServerCertificate function = "return true".
I suspect that the policy para's dwFlags should be respected by verify_ssl_policy even if fdwFlags isn't set... but my familiarity with these APIs extends to all of the past couple of hours ... an expert opinion would be quite welcome.
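As an added triage helper (not part of the report or of Wine), the script below parses the WINEDEBUG trace quoted above and explains the flag mismatch the report describes: CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG (0x10) lives in CERT_CHAIN_POLICY_PARA.dwFlags, while SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100) lives in SSL_EXTRA_CERT_CHAIN_POLICY_PARA.fdwChecks, and the trace shows only the former set. The constants are the real wincrypt.h/wininet.h values; the sample trace is the report's own output re-typed one entry per line.

```python
import re

# Real header values: wincrypt.h / wininet.h.
CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG = 0x00000010  # CERT_CHAIN_POLICY_PARA.dwFlags
SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x00000100          # SSL_EXTRA_CERT_CHAIN_POLICY_PARA.fdwChecks
CERT_E_UNTRUSTEDROOT = 0x800B0109
AUTHTYPE_SERVER = 2

# Constructed sample: the trace from the report, one entry per line.
SAMPLE_TRACE = """\
0072:trace:crypt:CertVerifyCertificateChainPolicy (#0004, 0xbe571d0, 0xd7beb70, 0xd7beb30)
0072:trace:chain:dump_policy_para cbSize = 12
0072:trace:chain:dump_policy_para dwFlags = 00000010
0072:trace:chain:dump_policy_para pvExtraPolicyPara = 0xd7beb60
0072:trace:chain:dump_ssl_extra_chain_policy_para cbSize = 16
0072:trace:chain:dump_ssl_extra_chain_policy_para dwAuthType = 2
0072:trace:chain:dump_ssl_extra_chain_policy_para fdwChecks = 00000000
0072:trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"<redacted>"
0072:trace:crypt:CertVerifyCertificateChainPolicy returning 1 (800b0109)
"""

# Wine prints dwFlags/fdwChecks/dwError as %08x and dwAuthType as %d, so each
# field carries its own base.
FIELDS = {
    "dwFlags": (r"dump_policy_para dwFlags = ([0-9a-f]+)", 16),
    "fdwChecks": (r"dump_ssl_extra_chain_policy_para fdwChecks = ([0-9a-f]+)", 16),
    "dwAuthType": (r"dump_ssl_extra_chain_policy_para dwAuthType = (\d+)", 10),
    "dwError": (r"CertVerifyCertificateChainPolicy returning \d+ \(([0-9a-f]+)\)", 16),
}

def parse_policy_call(trace):
    """Extract the policy parameters and returned dwError from one traced call."""
    call = {}
    for name, (pattern, base) in FIELDS.items():
        m = re.search(pattern, trace)
        if m:
            call[name] = int(m.group(1), base)
    return call

def explain_untrusted_root(call):
    """Say which of the two 'unknown CA' flags the caller set, and whether that explains the error."""
    if call.get("dwError") != CERT_E_UNTRUSTEDROOT:
        return "no CERT_E_UNTRUSTEDROOT in this call"
    policy_allows = bool(call.get("dwFlags", 0) & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG)
    ssl_ignores = bool(call.get("fdwChecks", 0) & SECURITY_FLAG_IGNORE_UNKNOWN_CA)
    if policy_allows and not ssl_ignores:
        return "mismatch: ALLOW_UNKNOWN_CA set in policy_para.dwFlags but IGNORE_UNKNOWN_CA absent from fdwChecks"
    if ssl_ignores:
        return "unexpected: fdwChecks asks to ignore an unknown CA, yet the root was still rejected"
    return "consistent: neither flag asks to tolerate an unknown CA"
```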