Version

Cb Protection Agent 7.2.x

Issue

Cb Protection agent calls CertGetCertificateChain to perform CRL checks and build the certificate chain context. This can trigger a network request via WinHTTP to verify revocation status. WinHTTP should honor locally defined proxy settings however the user observes a direct OCSP connection rather than using the designated proxy.

Symptoms

Captured netsh (scenario=InternetClient) and CAPI2 logs show this network connection come into existence.

Cause

On 64-bit Windows machines there are two separate "netsh" commands and settings. In this case, the 64-bit netsh was being set to the proxy.

However Cb Protection is a 32-bit application.

Solution

Once the 32-bit netsh was called as below to point to the proxy server, OCRL calls starting respecting the proxy server settings:

c:\winidows\syswow64\netsh winhttp set proxy myproxy:80

c:\winidows\syswow64\netsh winhttp show proxy