I had a little time to investigate a bit deeper the issue that I've been having for a while.
I'm behind a corporate proxy that inspects the traffic, by breaking the TLS at the edge. The connection to the client (WinSCP) is secured with a certificate issued by the edge appliance. The root CA and the intermediate are pushed to the domain machines by a domain policy. Chrome etc. have no issues, apps that bring their own crypto (like git) need to have their CA root store updated and work fine after that.
WinSCP however does not. It throws Error: 80092012, which is "The revocation function was unable to check revocation for the certificate."
I downloaded the source, though without C++ Builder (and being 25 years out of the C++ world) it is not easy to follow. The best candidate for where the error happens seems to be
I can see that it goes for checking with
CERT_CHAIN_CACHE_END_CERT | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
and yes, the end certificate will fail this check as it doesn't list a revocation URL at all (the intermediate does).
What I don't understand is why it fails on two Windows Server machines (2016 & 2019), but it does not fail on my Windows 10 machine.
I plucked out the function (WindowsValidateCertificate) into a test application and the test application failed the same way on all platforms.
So, if I read it correctly, WinSCP is using neon. And it resorts to calling WindowsValidateCertificate only after neon's SSL validation failed.
is used as a command-line tool, one can specify CAfile to point it to the trusted root certificates.
Where is the default root CA location and how can it be changed when OpenSSL is used as a library? Where is WinSCP's trusted root CA store?
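To reproduce outside WinSCP the check the post describes, here is an added PowerShell diagnostic (not from the post or the WinSCP project) that builds the chain with revocation checking scoped to exclude the root and reports whether the leaf certificate carries CRL Distribution Points or AIA extensions at all. `$CertPath` and the example file path are placeholders, and the .NET X509Chain policy flags stand in for the native CertGetCertificateChain flags quoted in the post.

```powershell
# Added diagnostic (not from the post): build the chain the way WinSCP's
# code path does (revocation check on every cert except the root) and show
# whether the end certificate even carries a CDP or AIA extension.
function Test-ChainRevocation {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # placeholder: leaf cert exported from the proxy (.cer)
        [switch]$IgnoreUnknownRevocation
    )
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" $CertPath

    # Which revocation-related extensions does the leaf actually carry?
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }        # CRL Distribution Points
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } # Authority Information Access

    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Same scope as CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT: check every cert except the root.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    if ($IgnoreUnknownRevocation) {
        # Tolerate "revocation status unknown" on the end certificate only;
        # intermediates and their CRLs are still checked.
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreEndRevocationUnknown
    }

    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Valid       = $ok
        LeafHasCDP  = [bool]$cdp
        LeafHasAIA  = [bool]$aia
        ChainLength = $chain.ChainElements.Count
        # e.g. "RevocationStatusUnknown: ..." / "OfflineRevocation: ..." when the leaf has no CDP
        Status      = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Usage (path is a placeholder):
# Test-ChainRevocation -CertPath 'C:\temp\proxy-leaf.cer'
# Test-ChainRevocation -CertPath 'C:\temp\proxy-leaf.cer' -IgnoreUnknownRevocation
```

Run it on each machine (the Windows 10 box and the two servers) and compare the Status column; a difference in cached CRLs or in reachability of the intermediate's CRL URL shows up there rather than in the leaf's extensions.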