KartikBhadeshiya-2958 avatar image
0 Votes"
KartikBhadeshiya-2958 asked RichMatheisen-8856 commented

curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092013)

I have a Cisco ISE application which does posture of endpoint by remoteshell / WinRM service using local admin privilege. All looks fine, application is able to get access to Window's RemoteShell, able to push script with curl code to endpoint and end point does initiate the script.

The curl script on endpoint tries to hit the appliance url : https:\\ to download the file but end up with failed attempt with error - "curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline."

When checked the CRL test from endpoint to see if any CDP path is broken which could turn such error, but CDP path test seems fine as i don't see any error or see the test verification for complete certificate chain gets completed.

Below output for CDP path test (masked original crl url) :

---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0 b0e971dc53eaasfh39sfqw879fd90s04fj7d91a8d1

---------------- Certificate CDP ----------------
Verified "Base CRL (02d9)" Time: 1 f12ad2nf834bd9ene9fn09163b2a050350f1652

---------------- Base CRL CDP ----------------
No URLs "None" Time: 0 (null)
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0 139e350f31f2a2j49g8enf9ew4gjv0499011d016845

Appreciate suggestion or input for further checks on endpoint to get rid of the error if anyone have dealt with same sort of problem.

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered RichMatheisen-8856 commented

I should probably leave this for security folks to answer (but it's tagged for PowerShell too), but is it possible you're trying to check for the CA certificates revocation on the root CA and the CA is off-line (as it should be)?

FYI, the subject for your post says the error is 0x80092012, but the error in the post itself says 0x80091213.

This might help: revocation-server-offline-error-0x80092013

· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@RichMatheisen-8856 , Thanks for highlighting the discrepancy in error code, it was a typo and have corrected it. Actual error is 0x80092013.

Well, i have gone through the link - revocation-server-offline-error-0x80092013, and same certutil -urlfetch test are always successful for complete certificate chain and i don't see anywhere the path is broken and if I'm not wrong then from endpoint CRL checks happens to CDP point mentioned in certificate only, means the CDP point is up and server is online. Anyways I'm neophyte at certificate authority and curl so please excuse my ignorance.

Please let me know if there is any way if it can be checked - in what scenario we might see such error wherein actual CDP point is up and certutil -urlfetch is successful for complete chain ? - this may be for security/CA experts.

0 Votes 0 ·
KartikBhadeshiya-2958 avatar image KartikBhadeshiya-2958 KartikBhadeshiya-2958 ·

To add on with some more details, i have further checked by packet capture and i see difference when the CRL check done through certutil and when done from powershell/curl while hitting https:\\

For CRL check by running certutil - in packet capture i actually see the http get required sent to proxy server for crl url (CDP point).

Now when the http url is hit in curl - i don't see any such query generated for CRL check to CDP in packet capture.

Not exactly sure what difference it make when CDP check is done manually through certutil and when done by curl while hitting the http:\\, but seems when done by curl its failing even without initiating the request to CDP.

0 Votes 0 ·
RichMatheisen-8856 avatar image RichMatheisen-8856 KartikBhadeshiya-2958 ·

In PowerShell "curl" is an alias for the Invoke-WebRequest cmdlet. It isn't the *nix "curl" utility (or a Windows .exe equivalent).

So, can you clarify the "remoteshell / WinRM" part of the problem? Are you using "winrs" or "Invoke-Command" to run your script on the remote machine? BOTH use WinRM, but the code that's run is very different!

0 Votes 0 ·
Show more comments