I'm behind a corporate proxy that inspects the traffic by breaking the TLS at the edge. The connection to the client (WinSCP) is secured with a certificate issued by the edge appliance. The root CA and the intermediate are pushed to the domain machines by a domain policy. Chrome/Firefox etc. have no issues; apps that bring their own crypto (like git) need to have their CA root store updated and work fine after that.
WinSCP, however, does not. It throws Error: 80092012, which is "The revocation function was unable to check revocation for the certificate."
I downloaded the source, though without C++ Builder (and being 25 years out of the C++ world) it is not easy to follow. The best candidate for where the error happens seems to be
I can see that it goes for checking with
CERT_CHAIN_CACHE_END_CERT | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
What I don't understand is why it fails on two Windows Server Machines (2016 & 2019), but it does not fail on my Windows 10 machine.
I plucked out the function (WindowsValidateCertificate) into a test application and the test application failed the same way on all platforms.
So, if I read it correctly, WinSCP is using neon with OpenSSL. And it resorts to calling WindowsValidateCertificate only after neon's SSL validation failed.
When OpenSSL is used as a command-line tool, one can specify -CApath to point it to the trusted root certificates.
Where is the default root CA location and how can it be changed when OpenSSL is used as a library? Where is WinSCP's trusted root CA store?
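Added example, not from the post above and not WinSCP's or neon's code: it shows how OpenSSL, when used as a library, resolves its default trusted-root locations (a compiled-in CA file and directory, overridable through the SSL_CERT_FILE and SSL_CERT_DIR environment variables) and how an extra root such as an inspecting proxy's issuing CA can be added on top of that store while verification stays fully enabled. Python's ssl module is used only because it exposes those OpenSSL defaults directly; `extra_ca_file` is a hypothetical path to a PEM bundle exported from the edge appliance.

```python
import os
import ssl


def trust_store_summary():
    """Report where this OpenSSL build looks for its default trusted roots.

    OpenSSL as a library has a compiled-in default CA file and directory and
    honours two environment variables that override them. The variable names
    are fixed by OpenSSL itself; the paths depend on how it was built.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile_env": paths.openssl_cafile_env,      # normally SSL_CERT_FILE
        "cafile_default": paths.openssl_cafile,      # compiled-in bundle path
        "capath_env": paths.openssl_capath_env,      # normally SSL_CERT_DIR
        "capath_default": paths.openssl_capath,      # compiled-in hashed dir
        "cafile_active": paths.cafile,               # what is in effect now
        "capath_active": paths.capath,
        "cafile_env_set": paths.openssl_cafile_env in os.environ,
        "capath_env_set": paths.openssl_capath_env in os.environ,
    }


def build_verifying_context(extra_ca_file=None):
    """Build a client TLS context that keeps full verification switched on.

    Instead of disabling verification to get past an inspecting proxy, the
    proxy's issuing root is loaded in addition to the default store.
    extra_ca_file is a hypothetical path to a PEM bundle (assumption).
    """
    ctx = ssl.create_default_context()        # loads the OpenSSL default store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if extra_ca_file is not None:
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def loaded_ca_count(ctx):
    """Number of CA certificates the context currently trusts."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for key, value in trust_store_summary().items():
        print(f"{key:16} {value}")
    ctx = build_verifying_context()
    print("CA certificates loaded from default store:", loaded_ca_count(ctx))
```

Running the block prints the compiled-in defaults and whether either environment variable currently overrides them; pointing SSL_CERT_FILE at a bundle that includes the appliance's root before the process starts changes what `create_default_context()` trusts without touching the application.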