If you experience the following error codes:
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed
Process exited with code 35
Error code: -2146233088
In most cases the cause is that your machine cannot reach the CRL (Certificate Revocation List) distribution points or the AIA (Authority Information Access) servers listed in the certificate chain, so the revocation check performed during the TLS handshake fails.
If you simulate the request with [curl/curl.exe] -v https://some-service.contoso.com
and add the --insecure (-k) parameter, it will proceed, because with that flag the HTTPS certificate is not validated at all.
On Windows builds of curl that use Schannel, --ssl-no-revoke is a more targeted check: it keeps certificate validation but skips only the revocation lookup. If the request succeeds with --ssl-no-revoke and fails without it, the CRL/OCSP path is the problem.
To solve the issue you need to find the CRL/AIA endpoints that the affected machine must be able to reach. They are stored in the certificates themselves (the server certificate and every intermediate in its chain), so first obtain the chain with openssl, a browser's certificate viewer, curl
or any other means, and read the URLs out of the CRL Distribution Points and Authority Information Access extensions.
If you are in an air-gapped environment and you filter traffic by an IP address list, this is not an easy fix, since it requires network traffic debugging (Wireshark, collecting the geo-load-balancer IP addresses, etc.).
If you know how to easily identify the CRL server IP address with regular tools, you can post an answer here: How to get CRL IP address during TLS handshake in air gap environment
Tips to validate certificate path:
- CRL and OCSP lookups go over plain HTTP (by design, so that checking a certificate does not itself require a validated TLS session). Only once the CRL or OCSP response has been obtained does the client know whether the HTTPS certificate is trusted and the HTTPS session can be established. It means port 80 (for the revocation and CA Issuers URLs) and port 443 (for the service itself) must both be open.
- Check whether the client can reach the endpoints listed in the issued certificate simply via curl (the URLs below are for illustration only; take the correct ones from your own certificate chain!):
  - CRL Distribution Points:
    - Example #1:
      curl -v http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl -o microsoftrootcert.crl
    - Example #2:
      curl -v http://crl.godaddy.com/gdig2s1-3832.crl -o gdig2s1-3832.crl
  - AIA (Authority Information Access) extension:
    - Online Certificate Status Protocol (OCSP):
      - Example:
        curl -L -v http://ocsp.godaddy.com
    - CA Issuers:
      - Example:
        curl -v http://certificates.godaddy.com/repository/gdig2.crt -o gdig2.crt
  - Microsoft systems:
The result of these steps should be to confirm that the network path from the affected system to those endpoints is open (not blocked by any firewall or network filter) and to identify the IP addresses involved. Because CRL and OCSP hosts usually sit behind geo-load balancers whose addresses change, whitelisting them by DNS name (a DNS-aware firewall) is more robust than an IP-based whitelist.
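The script below is an added example, not part of the original post: it automates the manual checks above by pulling the server's certificate chain, extracting every CRL Distribution Point, OCSP and CA Issuers URL from every certificate in it, and probing each URL with a short timeout while recording the IP address curl actually connected to. It assumes openssl and a curl new enough for the %{remote_ip} write-out variable (7.29.0+) are on PATH; the hostname, the filename and the sample certificate text are placeholders constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Run it from the machine that shows the
# curl (35) error (Git Bash or WSL on Windows both ship openssl and curl) so the probes
# take the same network path as the failing TLS handshake.

# Dump the leaf and intermediate certificates the server sends, as PEM, to stdout.
fetch_chain() {  # fetch_chain HOST [PORT]
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Parse "openssl x509 -text" output (one or more certificates) from stdin and print one
# "<kind> <url>" line per endpoint, kind being crl, ocsp or caIssuers, deduplicated.
parse_revocation_urls() {
  awk '
    /X509v3 CRL Distribution Points/ { section = "crl"; next }
    /Authority Information Access/   { section = "aia"; next }
    # Any other extension header, the signature, or the next certificate ends the section.
    /^ *X509v3 / || /^ *Signature Algorithm/ || /^Certificate:/ { section = "" }
    section == "crl" && match($0, /URI:[^ ,]+/) { print "crl " substr($0, RSTART + 4, RLENGTH - 4) }
    section == "aia" && /OCSP - URI:/           { sub(/.*URI:/, ""); print "ocsp " $1 }
    section == "aia" && /CA Issuers - URI:/     { sub(/.*URI:/, ""); print "caIssuers " $1 }
  ' | LC_ALL=C sort -u
}

# Probe each endpoint with a short timeout so a filtered path shows up as a timeout instead
# of hanging. curl's %{remote_ip} is the address it actually connected to, i.e. the one an
# IP allow-list would need (it can differ between runs when the CA uses geo-load balancing).
check_urls() {
  while read -r kind url; do
    out=$(curl -s -o /dev/null --connect-timeout 5 --max-time 15 \
               -w '%{http_code} %{remote_ip}' "$url" 2>/dev/null); rc=$?
    printf '%-9s curl_exit=%-2s http=%-3s ip=%-15s %s\n' \
      "$kind" "$rc" "${out%% *}" "${out#* }" "$url"
  done
}

# Constructed sample of "openssl x509 -text" output (not a real certificate), using the
# illustrative URLs from the post, so the parser can be exercised offline.
sample_cert_text() {
  cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-3832.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# Usage: sh check_revocation_paths.sh some-service.contoso.com [443]
main() {
  chain=$(mktemp) || return 1
  trap 'rm -f "$chain"' EXIT
  fetch_chain "$1" "${2:-443}" > "$chain"
  if [ ! -s "$chain" ]; then
    echo "no certificate chain received from $1:${2:-443}" >&2
    return 1
  fi
  # crl2pkcs7 bundles the chain so one pkcs7 call prints the -text form of every certificate.
  openssl crl2pkcs7 -nocrl -certfile "$chain" \
    | openssl pkcs7 -print_certs -text -noout \
    | parse_revocation_urls \
    | check_urls
}

if [ -n "${1-}" ]; then main "$@"; fi
```

A curl exit code of 28 (timeout) or 7 (connection refused) on a line, with the HTTPS service itself reachable, points at exactly the filtered path the post describes; the ip column gives the addresses to compare against an IP allow-list, and the url column the names to use for a DNS-based one. Test the parser offline with sample_cert_text | parse_revocation_urls before pointing the script at a real host.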