https://bugs.winehq.org/show_bug.cgi?id=55105
--- Comment #5 from Hans Leidekker hans@meelstraat.net ---
(In reply to Ethan Lee from comment #4)
Someone did a bit of digging and found that the Proton 7.0 branch successfully logged in, which was surprising - it turns out there are a few patches that made it work:
https://github.com/ValveSoftware/wine/commit/d8c2086d0e34450c9b8b5a85466a307a7fc708de
https://github.com/ValveSoftware/wine/commit/6d4dbf0762863f6f1f9dc4738258e98af05f06ec
https://github.com/ValveSoftware/wine/commit/7f18691e39d8de6668e3451f63b0326352b964f1
Interestingly this is _not_ in the 8.0 branch, so in addition to being downstream it seems like they got cut for some reason. These appear to bypass the CERT_NEEDED error altogether in favor of just renegotiating as soon as gnutls asks for it.
Those patches look good to go upstream. The problem is that they need changes in secur32 too and the patch that was in Proton 7 doesn't look quite right to me. I ported the above winhttp patches to current Wine and fixed secur32 to handle renegotiate better but the winhttp tests still fail.
To fix that we need to be able to distinguish renegotiate requests that require the app to supply a certificate from other renegotiate requests (which can be handled transparently). I haven't yet found a way to do that with GnuTLS.