git.ipfire.org Git - thirdparty/curl.git/commitdiff
schannel: fix revoke_best_effort setting for proxy
author Joshua Rogers <MegaManSec@users.noreply.github.com>
Tue, 19 May 2026 21:32:26 +0000 (23:32 +0200)
committer Jay Satiro <raysatiro@yahoo.com>
Wed, 20 May 2026 17:51:35 +0000 (13:51 -0400)
- Fix revoke_best_effort reading wrong ssl config.

Prior to this change the revoke_best_effort setting for the proxy was
wrongly ignored in favor of the same setting for the destination host.

In other words, CURLSSLOPT_REVOKE_BEST_EFFORT set via
CURLOPT_PROXY_SSL_OPTIONS did not apply to the proxy and
CURLSSLOPT_REVOKE_BEST_EFFORT set via CURLOPT_SSL_OPTIONS wrongly
applied to the proxy.

Closes https://github.com/curl/curl/pull/21683

lib/vtls/schannel_verify.c

index 486fd6e00581da8d706559fedec44a48a3e2b987..25b13955f2645a4796c3bf2767f87b78c85f3145 100644 (file)
@@ -805,7 +805,7 @@ CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
       DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
       dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
 
-      if(data->set.ssl.revoke_best_effort) {
+      if(ssl_config->revoke_best_effort) {
         /* Ignore errors when root certificates are missing the revocation
          * list URL, or when the list could not be downloaded because the
          * server is currently unreachable. */
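
Review bot: At the changed condition `if(ssl_config->revoke_best_effort)`, the declaration and initialisation of `ssl_config` fall outside the visible context, so please confirm it is resolved per connection filter from `cf` (proxy versus destination host) and cannot be NULL when this branch is reached. Because the defect was a direct read of `data->set.ssl` in a function that also verifies the proxy's certificate, it is worth checking the rest of Curl_verify_certificate for any other `data->set.ssl.` reads with the same mix-up. A regression test that sets CURLSSLOPT_REVOKE_BEST_EFFORT only through CURLOPT_PROXY_SSL_OPTIONS, and a second that sets it only through CURLOPT_SSL_OPTIONS, would pin down both directions described in the commit message, since the old behaviour silently relaxed or tightened revocation checking for the wrong peer.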