When I attempt to upload a file to my DL server using the dl-wx client,
I receive the error:
"DL connection error: schannel: next InitializeSecurityContext failed:
unknown error (0x80092012) - The revocation function was unable to check
revocation for the certificate"
If I uncheck the "Verify SSL certificate" box, it all works normally.

When I attempt to set up the Thunderbird addon with my local DL server,
when I press the "Setup Account" button I receive the message:
"An error occured while setting up the account!" There is no other error
displayed. The error console only shows the GET request to the DL server
that never completes (response is empty, I'm assuming 'cause the
certificate check failed, like with the dl-wx client). It's frustrating
that I don't see any other errors in the console. All the sections are
activated (Net, CDD, JS, etc...). Am I doing something wrong there?

On every failed connection, I get 2 errors in my event log:
schannel#36876 "The certificate received from the remote server has not
validated correctly. The error code is 0x80092012. The SSL connection
request has failed. The attached data contains the server certificate."
schannel#36888 "The following fatal alert was generated: 43. The
internal error state is 552."
Googling the combination of above errors and DL error messages only gave
me results from people who had an improperly implemented certificate chain.
The https://dl.company.com web interface works fine in Firefox and
Internet Explorer. I can connect and upload files.
The https://dl.company.com/rest.php gives me a blank page in all browsers.
The DL server certificate is signed by a trusted root. The certificate
signer uses the CRL distribution point extension and publishes
revocation lists to an http server that is up and running. I assume that,
since the certificate validates in Internet Explorer, the problem is
not with the Windows part of the certificate checking. The plugin and
addon never seem to make any connection to the server hosting the CRLs
(tried Wireshark and sysutils Process Monitor).
If the issue is in my PKI, I think that Internet Explorer would fail in
its connection attempt as well (inetcpl has the "check revocations"
option enabled). I'm not sure what other troubleshooting I can do. I
can't seem to get any more information on why the client and addon
connections are failing.
--
Mark
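
An added diagnostic example, not part of the original message or of the DL project: error 0x80092012 is CRYPT_E_NO_REVOCATION_CHECK, and this PowerShell script repeats the check outside the client by building the server's chain with online revocation checking and printing, for each certificate, its CRL distribution points and chain status. The host name is the one from the post; the port, the 15-second timeout and all variable names are assumptions.

```powershell
# Added diagnostic example. Host name is from the post; port and timeout are assumptions.
$HostName = 'dl.company.com'
$Port     = 443

# Collect the certificates the server presents. The callback accepts everything
# because this connection is used only to read the chain, never to send data.
$script:presented = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    # Copy each element: the chain object may be released after the handshake.
    $script:presented = @($chain.ChainElements | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData)
    })
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Close(); $tcp.Close() }

# Rebuild the chain with revocation checked online for every non-root certificate.
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$policy = $chain.ChainPolicy
$policy.RevocationMode      = 'Online'
$policy.RevocationFlag      = 'ExcludeRoot'
$policy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
# Offer the intermediates the server sent, in case they are not in a local store.
$script:presented | Select-Object -Skip 1 | ForEach-Object { [void]$policy.ExtraStore.Add($_) }

$valid = $chain.Build($script:presented[0])
"Chain valid with online revocation checking: $valid"

foreach ($el in $chain.ChainElements) {
    "`n" + $el.Certificate.Subject
    $cdp = $el.Certificate.Extensions['2.5.29.31']   # CRL Distribution Points
    if ($cdp) { $cdp.Format($true) } else { '  (no CRL distribution point extension)' }
    foreach ($s in $el.ChainElementStatus) {
        '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
}
```

A `RevocationStatusUnknown` or `OfflineRevocation` status on an element identifies the certificate whose revocation data could not be obtained, which may be an intermediate rather than the server certificate. Run it under the same Windows account as the failing client, since proxy settings and cached CRLs can differ between accounts.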