https://bugs.winehq.org/show_bug.cgi?id=50721
--- Comment #1 from Hans Leidekker hans@meelstraat.net --- (In reply to Paulo Matias from comment #0)
- ISC_REQ_MANUAL_CRED_VALIDATION: according to MSDN, this flag means "By
default, Schannel validates the server certificate by calling the WinVerifyTrust function; however, if you have disabled this feature using the ISC_REQ_MANUAL_CRED_VALIDATION flag, you must validate the certificate provided by the server that is attempting to establish its identity."
However, Wine currently does not carry automatic server certificate validation at all. The OSX implementation always calls "SSLSetEnableCertVerify(s->context, FALSE)" to disable it explicitly. The GnuTLS implementation never calls "gnutls_session_set_verify_cert", which would be required to enable server certificate validation.
This is because we would need to use Win32 APIs to verify the certificate. That way we have access to the right CA certificate store and apply the right policy.
Strictly speaking, the current implementation of Schannel in Wine is insecure, but fixing it would require more extensive changes to the code and could cause regression bugs with other applications. Thus, I argue it should be dealt with by another bug entry and fixed by another patch.
Therefore, the attached patch restricts itself to return ISC_RET_MANUAL_CRED_VALIDATION when ISC_REQ_MANUAL_CRED_VALIDATION is set, and to better document the current situation in the code.
That's fine. You may also want to add test case.