
fix: use readSignedObject for TLS client cert validation on Windows#5150

Merged
paolino merged 4 commits into
masterfrom
paolino/5110/windows-tls-fix
Feb 11, 2026

Conversation

paolino (Collaborator) commented Feb 11, 2026

Summary

  • Fix requireClientAuth to use readSignedObject + makeCertificateStore instead of readCertificateStore
  • readCertificateStore from crypton-x509-store fails on Windows when given a single PEM file, causing the server to reject all client certificates with CertificateUnknown
  • Includes Windows TLS diagnostic workflow for cert store visibility

Fixes #5110

Test

All 6 TLS unit tests pass on Linux:

Cardano.Wallet.Application.Tls
  TLS Client Authentication
    Can create a TLS default manager [✔]
    Check security program is available [✔]
    Can create a TLS manager [✔]
    Respond to authenticated client if TLS is enabled [✔]
    Deny client with wrong certificate if TLS is enabled [✔]
    Properly deny HTTP connection if TLS is enabled [✔]

Needs Windows CI validation — will trigger once #5142 merges (re-enables wallet-application-tls in Windows CI).
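As an added illustration (not cardano-wallet's own code, whose `requireClientAuth` is not reproduced here), a client-auth hook built the way the PR describes: the CA PEM is parsed with `readSignedObject`, wrapped with `makeCertificateStore`, and the resulting store validates the chain a client presents. The module name, the function shape, the empty-store check and the mapping of failures to reject reasons are assumptions.

```haskell
module ClientAuth (loadClientCAStore, requireClientAuth) where

import qualified Data.ByteString as BS
import Data.X509 (CertificateChain (..), HashALG (..), SignedCertificate)
import Data.X509.CertificateStore (CertificateStore, makeCertificateStore)
import Data.X509.File (readSignedObject)
import Data.X509.Validation
    ( FailedReason (..), ValidationChecks (..), defaultChecks, defaultHooks
    , exceptionValidationCache, validate )
import Network.TLS (CertificateRejectReason (..), CertificateUsage (..))

-- | Build a trust store from a single PEM file of client-CA certificates.
-- readSignedObject parses every CERTIFICATE block in the file into a
-- SignedCertificate; makeCertificateStore wraps that list as a store.
-- Unlike readCertificateStore this does no directory or platform-specific
-- handling, so it behaves the same on Windows and Linux.
loadClientCAStore :: FilePath -> IO CertificateStore
loadClientCAStore path = do
    cas <- readSignedObject path :: IO [SignedCertificate]
    -- An empty store would silently reject every client (CertificateUnknown
    -- at the TLS layer); fail at start-up instead. (Assumed policy.)
    if null cas
        then ioError (userError ("no CA certificates found in " <> path))
        else pure (makeCertificateStore cas)

-- | Hook for network-tls 'ServerHooks.onClientCertificate'. A client has no
-- hostname to match, so the FQHN check is disabled; signature, validity
-- period and trust-anchor checks still run against the store.
requireClientAuth :: CertificateStore -> CertificateChain -> IO CertificateUsage
requireClientAuth _ (CertificateChain []) =
    pure (CertificateUsageReject CertificateRejectAbsent)
requireClientAuth store chain = do
    failures <- validate HashSHA256 defaultHooks checks store cache serviceId chain
    pure $ case failures of
        [] -> CertificateUsageAccept
        fs | UnknownCA `elem` fs -> CertificateUsageReject CertificateRejectUnknownCA
           | Expired `elem` fs   -> CertificateUsageReject CertificateRejectExpired
           | otherwise           -> CertificateUsageReject (CertificateRejectOther (show fs))
  where
    checks    = defaultChecks { checkFQHN = False }
    cache     = exceptionValidationCache []   -- no pinned fingerprints
    serviceId = ("", BS.empty)                -- unused once checkFQHN is off
```

Wire it in with `ServerHooks { onClientCertificate = requireClientAuth store }` after `store <- loadClientCAStore caPemPath`; the store is loaded once, not per handshake.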

paolino changed the title from "ci: Windows TLS certificate diagnostic" to "fix: use readSignedObject for TLS client cert validation on Windows" on Feb 11, 2026
paolino force-pushed the paolino/5110/windows-tls-fix branch from 506d217 to c06c1c6 on February 11, 2026 10:44

Commit messages:

  • Diagnostic-only workflow to verify certificate stores on the Windows runner and confirm the root cause of #5110.
  • readCertificateStore fails on Windows when given a PEM file, causing the server to reject all client certificates. Use readSignedObject + makeCertificateStore instead, which works cross-platform.
  • Add ci.artifacts.win64.e2e bundle with e2e exe + wallet + node + cli. Rewrite windows-e2e.yml to use the new bundle, remove `if: false`.
  • Windows runners don't have 7z. Use `tar xzf` which works natively on both Linux (GNU tar) and Windows 10+ (BSD tar with gzip support).

paolino force-pushed the paolino/5110/windows-tls-fix branch from 7d6dc58 to f437bbb on February 11, 2026 12:19
paolino self-assigned this Feb 11, 2026
paolino added the CI/CD label Feb 11, 2026
paolino merged commit 3941d83 into master Feb 11, 2026
58 of 59 checks passed
paolino deleted the paolino/5110/windows-tls-fix branch February 11, 2026 12:24

Successfully merging this pull request may close these issues:

  • Windows E2E: Haskell TLS fails due to crypton-x509-system not reading Local Machine cert store