CURL: The revocation function was unable to check revocation for the certificate

Two days ago I was trying to install Istio on a Minikube installation on my personal laptop. On Istio installation  documentation page they have a curl command to download the installation script for Istioctl. To my surprise the curl command that I use on Windows 10 showed the following error.

curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Obviously this error is shown if the SSL certificate cannot be validated by curl, for example if the URL was serving a self signed certificate. But I was seeing this error when accessing a public URL.

I thought that may be curl executable that comes with Git for Windows that I used is out of date and doesn't work with the latest Windows 10 update. I went ahead and updated Git. But curl still didn't work.

Then I thought that may be there's an issue with the SSL configuration of the website (https://istio.io/downloadIstio) that I'm trying to access, but to my surprise, all HTTPS URLs that I tried to use were giving the same error.

I started suspecting the SSL certificates being served on my laptop. I have had some experience with MiTM attacks performed by intercepting HTTPS traffic. I have also seen this when working inside corporate networks, sometimes Root CA SSL certificates served inside corporate networks for public websites is not public CA certificate but owned and injected by the private company itself. This is probably done to scan HTTPS traffic coming inside the company network.

But here I was trying to do this on my personal laptop and I was not on corporate network. I suspected that it could be related to the VPN client that I was using, but stopping VPN client also didn't resolve the issue.

At this point, I was lost and had suspicions that my laptop had a good old virus.

Well I knew that browsers that I was using didn't have any issue opening these sites so I inspected the certificate details of https://google.com and here is what I saw.

As you can see root certificate chain doesn't look right. I indeed have Kaspersky antivirus installed on my laptop. After some googling I found that it's a standard practice among antiviruses to install a self signed CA root certificate on machines where they are running on. This CA certificate is then used by antiviruses to decrypt all HTTPs traffic to inspect for malware. Antiviruses claim that this CA certificate never leaves customer's machine so no one else is able to perform MiTM on the customer.

In my case this option in Kaspersky was enabled by default.

Here's the link to the stackexchange discussion on the same practice

https://security.stackexchange.com/questions/148402/should-antivirus-https-scanning-be-left-on-is-it-secure

I didn't want Kaspersky to inspect my SSL traffic, I know that it has as much control over my laptop as possible already but that's where I draw the line. It should not break my curl :)

Now I knew that I had to disable this setting in Kaspersky to get curl to work, but as always it's not easy to find.

After going through the settings for a few minutes I finally found it and I'm going to put the steps below.

1. Click on the settings icon (gear icon at the bottom left corner)
2. Click on the last option Additional
3. Click on Network option
4. And there's the option to disable HTTPS inspection

After doing this certificate details in browsers started looking ok for example, see the screeshot for https://google.com again. Most of all curl also started working.

Another day, another bug.

...till next time