Errors when trying to authenticate with OIDCSSLValidateServer on

[GRRedWings]

When I use the release artifacts to authenticate a user I have OIDCSSLValidateServer set to on, and I specify a crt file with OIDCCABundlePath. Everything works fine.

When I try to build the library for Windows I get an error

schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN

What I've noticed is that the release build is using an older version of libcurl and OpenSSL
oidc_http_call: set HTTP request header User-Agent to: [dwe-server:38080:9] mod_auth_openidc-2.4.15.7 libcurl-7.58.0 OpenSSL 1.1.1 11 Sep 2018

With the Windows version it is using recent versions

oidc_http_call: set HTTP request header User-Agent to: [dwe-server:38080:81788] mod_auth_openidc-0.0.0 libcurl-8.7.0-DEV openssl-3.3.0

Noticing that the library appears to use OpenSSL 1.1.1, is there any plan to upgrade this? Is it possible that my issues are with a newer version of the libraries not being compatible with the configurations that are currently being used under the release build?

[zandbelt]

release artifacts are compiled against the OpenSSL version that comes with the distribution, there's no hardcoded dependency, any OpenSSL >= 1.0.0 will do

[GRRedWings]

Using the official build binaries and a dockerfile I build a custom Apache docker image. I typically combine it with the mod_oauth2 library. In trying to understand this better and use a newer version of OpenSSL, I keep getting errors that libcjose0 requires libssl1.1. If both mod_auth_openidc and lib_auth depend on cjose, how would I create an image with a newer version of libssl?

I've tried to go through the documentation and understand why having ValidateServer on does not work on Windows with my OIDCCABundlePath, but works fine in a Linux environment. I understand there must be something different, but what I don't see.

[GRRedWings]

In spending more time on this, I believe initially that I was using a single certificate instead of the chain, which makes sense to the PARTIAL_CHAIN error. Now with the chain, I get a different error. This error seems to indicate that it knows my cert is self-signed and will not trust it. In searching for answers, it seems like a command line curl command I might use a -k flag, in reading about libcurl there is discussion about using CURLOPT_CAINFO. What is OIDCCABundlePath expecting me to pass in? I must be passing in the wrong thing but I'm struggling figuring out what is wrong with what I'm passing in?

[Thu May 02 14:25:23.366464 2024] [auth_openidc:error] [pid 68100:tid 1140] [client 192.168.1.32:57936] oidc_http_call: curl_easy_perform(1/2) failed for https://my-server/realms/MyRealm/.well-known/openid-configuration with: [schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN]