Flags for use with SCHANNEL_CRED
// SCH_CRED_NO_SYSTEM_MAPPER
// This flag is intended for use by server applications only. If this
// flag is set, then schannel does *not* attempt to map received client
// certificate chains to an NT user account using the built-in system
// certificate mapper. This flag is ignored by non-NT5 versions of
// schannel.
//
// SCH_CRED_NO_SERVERNAME_CHECK
// This flag is intended for use by client applications only. If this
// flag is set, then when schannel validates the received server
// certificate chain, it does *not* compare the passed in target name
// with the subject name embedded in the certificate. This flag is
// ignored by non-NT5 versions of schannel. This flag is also ignored
// if the SCH_CRED_MANUAL_CRED_VALIDATION flag is set.
//
// SCH_CRED_MANUAL_CRED_VALIDATION
// This flag is intended for use by client applications only. If this
// flag is set, then schannel will *not* automatically attempt to
// validate the received server certificate chain. This flag is
// ignored by non-NT5 versions of schannel, but all client applications
// that wish to validate the certificate chain themselves should
// specify this flag, so that there's at least a chance they'll run
// correctly on NT5.
//
// SCH_CRED_NO_DEFAULT_CREDS
// This flag is intended for use by client applications only. If this
// flag is set, and the server requests client authentication, then
// schannel will *not* attempt to automatically acquire a suitable
// default client certificate chain. This flag is ignored by non-NT5
// versions of schannel, but all client applications that wish to
// manually specify their certificate chains should specify this flag,
// so that there's at least a chance they'll run correctly on NT5.
//
// SCH_CRED_AUTO_CRED_VALIDATION
// This flag is the opposite of SCH_CRED_MANUAL_CRED_VALIDATION.
// Conservatively written client applications will always specify one
// flag or the other.
//
// SCH_CRED_USE_DEFAULT_CREDS
// This flag is the opposite of SCH_CRED_NO_DEFAULT_CREDS.
// Conservatively written client applications will always specify one
// flag or the other.
//
// SCH_CRED_DISABLE_RECONNECTS
// This flag is intended for use by server applications only. If this
// flag is set, then full handshakes performed with this credential
// will not be marked suitable for reconnects. A cache entry will still
// be created, however, so the session can be made resumable later
// via a call to ApplyControlToken.
//
//
// SCH_CRED_REVOCATION_CHECK_END_CERT
// SCH_CRED_REVOCATION_CHECK_CHAIN
// SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
// These flags specify that when schannel automatically validates a
// received certificate chain, some or all of the certificates are to
// be checked for revocation. Only one of these flags may be specified.
// See the CertGetCertificateChain function. These flags are ignored by
// non-NT5 versions of schannel.
//
// SCH_CRED_IGNORE_NO_REVOCATION_CHECK
// SCH_CRED_IGNORE_REVOCATION_OFFLINE
// These flags instruct schannel to ignore the
// CRYPT_E_NO_REVOCATION_CHECK and CRYPT_E_REVOCATION_OFFLINE errors
// respectively if they are encountered when attempting to check the
// revocation status of a received certificate chain. These flags are
// ignored if none of the above flags are set.
Base URL:
http://code.google.com/p/mirandaimplugins/source/browse/trunk/winssl/schannel.h?r=503
Note:
// Although SCH_CRED_AUTO_CRED_VALIDATION is convenient, we have to use
// SCH_CRED_MANUAL_CRED_VALIDATION for three reasons.
// 1. SCH_CRED_AUTO_CRED_VALIDATION doesn't allow us to get the certificate
// context if the certificate validation fails.
// 2. SCH_CRED_AUTO_CRED_VALIDATION returns only one error even if the
// certificate has multiple errors.
// 3. SCH_CRED_AUTO_CRED_VALIDATION doesn't allow us to ignore untrusted CA
// and expired certificate errors. There are only flags to ignore the
// name mismatch and unable-to-check-revocation errors.
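The client-side flag rules in the header comments above, and the note's choice of SCH_CRED_MANUAL_CRED_VALIDATION, as an added audit example that is not code from schannel.h or from the project the note comes from: it checks a SCHANNEL_CRED.dwFlags value for the combinations the comments describe as contradictory, non-conservative or silently ignored. The numeric SCH_CRED_* values are those defined in the Windows SDK schannel.h, repeated so the block compiles without that header; the FINDING_* names and audit_client_flags() are hypothetical.

```c
#include <stdint.h>

/* SCH_CRED_* values as defined in the Windows SDK schannel.h, repeated here only
 * so the audit compiles without that header; on Windows include <schannel.h>. */
#ifndef SCH_CRED_NO_SERVERNAME_CHECK
#define SCH_CRED_NO_SERVERNAME_CHECK                 0x00000004
#define SCH_CRED_MANUAL_CRED_VALIDATION              0x00000008
#define SCH_CRED_NO_DEFAULT_CREDS                    0x00000010
#define SCH_CRED_AUTO_CRED_VALIDATION                0x00000020
#define SCH_CRED_USE_DEFAULT_CREDS                   0x00000040
#define SCH_CRED_REVOCATION_CHECK_END_CERT           0x00000100
#define SCH_CRED_REVOCATION_CHECK_CHAIN              0x00000200
#define SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT 0x00000400
#define SCH_CRED_IGNORE_NO_REVOCATION_CHECK          0x00000800
#define SCH_CRED_IGNORE_REVOCATION_OFFLINE           0x00001000
#endif

/* Findings from audit_client_flags(); names are hypothetical, one bit per problem. */
enum {
    FINDING_VALIDATION_UNSPECIFIED = 1 << 0, /* neither AUTO nor MANUAL validation chosen */
    FINDING_VALIDATION_CONFLICT    = 1 << 1, /* both AUTO and MANUAL set */
    FINDING_CREDS_UNSPECIFIED      = 1 << 2, /* neither USE_DEFAULT nor NO_DEFAULT creds chosen */
    FINDING_CREDS_CONFLICT         = 1 << 3, /* both USE_DEFAULT and NO_DEFAULT set */
    FINDING_MULTIPLE_REVOCATION    = 1 << 4, /* more than one REVOCATION_CHECK_* (only one allowed) */
    FINDING_IGNORE_WITHOUT_CHECK   = 1 << 5, /* IGNORE_* without a REVOCATION_CHECK_*: silently ignored */
    FINDING_NAME_CHECK_INEFFECTIVE = 1 << 6  /* NO_SERVERNAME_CHECK with MANUAL: ignored by schannel */
};

static int popcount32(uint32_t v) { int n = 0; for (; v; v &= v - 1) n++; return n; }

/* Audit a client-side SCHANNEL_CRED.dwFlags value against the rules in the header comments. */
uint32_t audit_client_flags(uint32_t flags) {
    uint32_t f = 0;
    uint32_t rev = flags & (SCH_CRED_REVOCATION_CHECK_END_CERT | SCH_CRED_REVOCATION_CHECK_CHAIN |
                            SCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT);
    uint32_t ign = flags & (SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE);
    int manual = !!(flags & SCH_CRED_MANUAL_CRED_VALIDATION);
    int autov  = !!(flags & SCH_CRED_AUTO_CRED_VALIDATION);
    int nodef  = !!(flags & SCH_CRED_NO_DEFAULT_CREDS);
    int usedef = !!(flags & SCH_CRED_USE_DEFAULT_CREDS);
    if (!manual && !autov) f |= FINDING_VALIDATION_UNSPECIFIED;
    if (manual && autov)   f |= FINDING_VALIDATION_CONFLICT;
    if (!nodef && !usedef) f |= FINDING_CREDS_UNSPECIFIED;
    if (nodef && usedef)   f |= FINDING_CREDS_CONFLICT;
    if (popcount32(rev) > 1) f |= FINDING_MULTIPLE_REVOCATION;
    if (ign && !rev) f |= FINDING_IGNORE_WITHOUT_CHECK;
    if (manual && (flags & SCH_CRED_NO_SERVERNAME_CHECK)) f |= FINDING_NAME_CHECK_INEFFECTIVE;
    return f;
}
```

A clean result for SCH_CRED_MANUAL_CRED_VALIDATION | SCH_CRED_NO_DEFAULT_CREDS only means the flag set is consistent; in that mode the application itself owns chain building, name matching and revocation checking (see CertGetCertificateChain), which is why the audit reports SCH_CRED_NO_SERVERNAME_CHECK as ineffective there.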