
tl;dr How can I fix "The revocation function was unable to check revocation for the certificate" when using a custom proxy+cert combination? Can I disable this check somehow for the whole system?

I'm on a Windows 11 machine, trying to use a system proxy and also force the use of the proxy for non-standard tools on the system like cURL or wget. Currently I can see the proxy being used for normal operations through a web browser and PowerShell. However, if I try to do something from a cmd terminal, I can see the proxy being used but the connections fail:

Microsoft Windows [Version 10.0.22621.1992]
(c) Microsoft Corporation. All rights reserved.

C:\Users\me> curl https://my.cool.app.com/servicehealth
curl: (35) schannel: next InitializeSecurityContext failed: 
   Unknown error (0x80092012) - 
   The revocation function was unable to check revocation for the certificate.

C:\Users\me>echo %SSL_CERT_FILE%
C:\Users\me\Desktop\Fiddler_Root_Certificate_Authority.pem

C:\Users\me>echo %REQUESTS_CA_BUNDLE%
C:\Users\me\Desktop\Fiddler_Root_Certificate_Authority.pem

C:\Users\me>echo %https_proxy%
10.211.55.2:8866

As you can tell from the output above, I'm trying to route all traffic through a Fiddler proxy on another machine. My test above is just to demonstrate the problem; I know I can pass flags to curl to disable the revocation check, but I can't do that for all applications on my machine that may use something like curl in their SDK.

This is a debugging machine (VM) that I control -- I care little about the security implications around getting this working.

  • Try using curl -k, or an HTTP URL. (if you can).
    – harrymc
    Commented Jul 28, 2023 at 19:26

1 Answer


TL;DR

For curl, use command line option --ssl-revoke-best-effort (see https://curl.se/docs/manpage.html) or add ssl-revoke-best-effort on a single line to the file .curlrc in your user directory.

Explanation:

The problem is most certainly a missing/wrong/unreachable CRL URI in the server's certificate.

With openssl you can inspect the certificate chain provided by the server:

echo | openssl s_client -showcerts my.cool.app.com:443

Now save the portions between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into individual files and view the certificate data via

openssl x509 -noout -text -in /path/to/certificate.crt

The section X509v3 CRL Distribution Points: gives you the address for the certificate revocation status to be evaluated against:

        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://my.cool.app.com/path/to/some.crl

If this is unreachable or missing, this will lead to "The revocation function was unable to check revocation for the certificate."

Now, instead of using --insecure, this will at least check the certificates, omitting the revocation status, which is fine if the certificate does not provide this info and kind of an acceptable compromise if the CRL provider is unreachable...
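Added example (not from the answer above or from the curl/OpenSSL projects): a POSIX shell script that automates the steps just described, fetching the chain with openssl s_client, splitting it into one file per certificate, pulling the CRL and OCSP URIs out of the openssl x509 -text output, and testing from the proxied machine whether each URI can actually be fetched. It assumes openssl, curl and awk are on PATH and that the hostname is passed as an argument (my.cool.app.com is the question's placeholder).

```shell
#!/bin/sh
# Walk the server's certificate chain and report whether each CRL / OCSP URI is reachable
# through the current proxy settings. Usage: sh revcheck.sh my.cool.app.com [443]

# Split a PEM bundle on stdin into $1/cert-0.pem, $1/cert-1.pem, ... (leaf first).
split_pem_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    '
}

# From `openssl x509 -text` output on stdin, print the URI lines nested under the
# extension header matching $1 (e.g. "CRL Distribution Points:"), leading spaces stripped.
uris_in_section() {
    awk -v pat="$1" '
        $0 ~ pat        { match($0, /^ */); depth = RLENGTH; insec = 1; next }
        insec           { match($0, /^ */); if (RLENGTH <= depth) insec = 0 }
        insec && /URI:/ { sub(/^ */, ""); print }
    '
}

check_host() {
    host=$1; port=${2:-443}
    tmp=$(mktemp -d) || return 1
    echo | openssl s_client -showcerts -connect "$host:$port" -servername "$host" 2>/dev/null \
        | split_pem_chain "$tmp"
    for cert in "$tmp"/cert-*.pem; do
        [ -f "$cert" ] || { echo "no certificates received from $host:$port"; break; }
        echo "== $(openssl x509 -noout -subject -in "$cert")"
        text=$(openssl x509 -noout -text -in "$cert")
        crls=$(printf '%s\n' "$text" | uris_in_section "CRL Distribution Points:" | sed -n 's/^URI://p')
        ocsp=$(printf '%s\n' "$text" | uris_in_section "Authority Information Access:" | sed -n 's/^OCSP - URI://p')
        [ -n "$crls$ocsp" ] || echo "   no CRL/OCSP URI: revocation cannot be checked for this cert"
        for uri in $crls $ocsp; do
            # CRL/OCSP URIs are plain http, so http_proxy (not https_proxy) decides the route.
            if curl -sS -o /dev/null --max-time 10 "$uri"; then
                echo "   reachable:   $uri"
            else
                echo "   UNREACHABLE: $uri"
            fi
        done
    done
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then check_host "$@"; fi
```

A certificate that lists no CRL or OCSP URI, or one whose URI is UNREACHABLE through the proxy, is exactly the case where schannel reports 0x80092012 and where ssl-revoke-best-effort is the right curl setting.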
