https://bugs.winehq.org/show_bug.cgi?id=47234
--- Comment #11 from Dmitry Timoshkov dmitry@baikal.ru --- (In reply to Alex Dubov from comment #8)
On the other hand:
- The certs are provided by the default Fedora install and exhibit no
issues when operated upon with Openssl and other TLS utils on Fedora.
- 004b:fixme:bcrypt:BCryptOpenAlgorithmProvider algorithm
L"\377f\9eec\d340\4879\1a44\ad71\0dc0\aca8\4b4f\c055\19df\8cba\d67c\e6b2\03b0 \6212\2dc5\e797\46d4\f60e\c322\68b2\3b93\475e\4db3\d630\592d\8d33\caf6\3f30\2 210\5ee6"
This is simply not right - an algorithm name must be an ascii string (Openssl confirms) but instead BCryptOpenAlgorithmProvider is being fed a rubbish byte string (in all of the broken cert cases, which are more than the 3 I've provided).
To this end, I will attach another cert here (the one I care much more about) with a more extensive trace.
Something is wrong with your Wine build. I've downloaded ca-bundle provided by Fedora 30 ca-certificates-2018.2.26-3.fc30.noarch.rpm: $> sha1sum ca-certificates-2018.2.26-3.fc30.noarch.rpm e59f5725b3ca1b008a1641ef1ccecd4cac53c836 ca-certificates-2018.2.26-3.fc30.noarch.rpm and extracted ca-bundle.trust.p11-kit from it: $ sha1sum ca-bundle.trust.p11-kit c68ae92fff329a21be3ffcee64de7800ce75f601 ca-bundle.trust.p11-kit
Then I patched Wine source to use this file as a known location for CA root certificates, generated the log, and checked Amazon Root CA 4 certificate in the log: it gets loaded and its signature is verified just fine. I don't see in the log strange looking BCryptOpenAlgorithmProvider() call, instead I see a perfectly valid BCryptOpenAlgorithmProvider("ECDSA_P384",...).
Did you build Wine from source or using some pre-built binary package?