Version
Cb Protection Agent 7.2.x
Issue
The Cb Protection agent calls CertGetCertificateChain to perform CRL checks and build the certificate chain context. This can trigger a network request via WinHTTP to verify revocation status. WinHTTP should honor locally defined proxy settings; however, the user observes a direct OCSP connection rather than one through the designated proxy.
Symptoms
Captured netsh (scenario=InternetClient) and CAPI2 logs show this network connection being established.
Cause
On 64-bit Windows machines there are two separate "netsh" commands, each with its own settings. In this case, the proxy had been set with the 64-bit netsh.
However, Cb Protection is a 32-bit application.
Solution
Once the 32-bit netsh was called as below to point to the proxy server, the OCSP/CRL calls started respecting the proxy server settings:
c:\windows\syswow64\netsh winhttp set proxy myproxy:80
c:\windows\syswow64\netsh winhttp show proxy
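
To confirm whether a machine has the mismatch described under Cause, the following added example (not part of the original article or the vendor's tooling) reads both WinHTTP proxy settings and reports whether they agree. The function names Get-WinHttpProxyText and Compare-WinHttpProxy are hypothetical; the script only runs "netsh winhttp show proxy" and changes nothing.

```powershell
# Added example (not vendor code): read-only comparison of the 64-bit and
# 32-bit WinHTTP proxy settings. Function names are hypothetical.
function Get-WinHttpProxyText {
    param([Parameter(Mandatory)][string]$NetshPath)
    if (-not (Test-Path -LiteralPath $NetshPath)) { return $null }
    # Drop blank lines and indentation so both outputs compare as plain text.
    $lines = & $NetshPath winhttp show proxy 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ }
    return ($lines -join "`n")
}

function Compare-WinHttpProxy {
    if (-not [Environment]::Is64BitOperatingSystem) {
        Write-Warning '32-bit OS: there is only one netsh and one WinHTTP proxy setting.'
        return
    }
    # In a 32-bit PowerShell, System32 is redirected to SysWOW64, so the
    # 64-bit netsh has to be reached through the Sysnative alias.
    $nativeDir = if ([Environment]::Is64BitProcess) { 'System32' } else { 'Sysnative' }
    $result = [pscustomobject]@{
        Proxy64 = Get-WinHttpProxyText (Join-Path $env:windir "$nativeDir\netsh.exe")
        Proxy32 = Get-WinHttpProxyText (Join-Path $env:windir 'SysWOW64\netsh.exe')
        Match   = $false
    }
    $result.Match = ($null -ne $result.Proxy32) -and ($result.Proxy64 -eq $result.Proxy32)
    if (-not $result.Match) {
        Write-Warning 'WinHTTP proxy differs between 64-bit and 32-bit; 32-bit applications use the SysWOW64 setting.'
    }
    return $result
}

Compare-WinHttpProxy | Format-List
```

A Match value of False with a proxy shown only in Proxy64 is the condition this article describes.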