From 69d24d042d8475be161016af46dad646dd07a0b8 Mon Sep 17 00:00:00 2001
From: masariello
Date: Tue, 7 Nov 2023 11:40:12 +0000
Subject: [PATCH] pull certificates from CA store on Windows, additionally to current Root system certificate store
---
 ssl.c | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)
diff --git a/ssl.c b/ssl.c
index 21ff35932..2dd70ba08 100644
--- a/ssl.c
+++ b/ssl.c
@@ -288,27 +288,32 @@ redisSSLContext *redisCreateSSLContextWithOptions(redisSSLOptions *options, redi
 if (capath || cacert_filename) {
 #ifdef _WIN32
 if (0 == strcmp(cacert_filename, "wincert")) {
- win_store = CertOpenSystemStore(NULL, "Root");
- if (!win_store) {
- if (error) *error = REDIS_SSL_CTX_OS_CERTSTORE_OPEN_FAILED;
- goto error;
- }
- X509_STORE* store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
- while (win_ctx = CertEnumCertificatesInStore(win_store, win_ctx)) {
- X509* x509 = NULL;
- x509 = d2i_X509(NULL, (const unsigned char**)&win_ctx->pbCertEncoded, win_ctx->cbCertEncoded);
- if (x509) {
- if ((1 != X509_STORE_add_cert(store, x509)) ||
- (1 != SSL_CTX_add_client_CA(ctx->ssl_ctx, x509)))
- {
- if (error) *error = REDIS_SSL_CTX_OS_CERT_ADD_FAILED;
- goto error;
+ char const* const subsystems[2] = { "Root", "CA" };
+ for (int i=0; i<2; ++i)
+ {
+ char const * const subsys = subsystems[i];
+ win_store = CertOpenSystemStore(0, subsys);
+ if (!win_store) {
+ if (error) *error = REDIS_SSL_CTX_OS_CERTSTORE_OPEN_FAILED;
+ goto error;
+ }
+ X509_STORE* store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
+ while (0 != (win_ctx = CertEnumCertificatesInStore(win_store, win_ctx))) {
+ X509* x509 = NULL;
+ x509 = d2i_X509(NULL, (const unsigned char**)&win_ctx->pbCertEncoded, win_ctx->cbCertEncoded);
+ if (x509) {
+ if ((1 != X509_STORE_add_cert(store, x509)) ||
+ (1 != SSL_CTX_add_client_CA(ctx->ssl_ctx, x509)))
+ {
+ if (error) *error = REDIS_SSL_CTX_OS_CERT_ADD_FAILED;
+ goto error;
+ }
+ X509_free(x509);
 }
- X509_free(x509);
 }
+ CertFreeCertificateContext(win_ctx);
+ CertCloseStore(win_store, 0);
 }
- CertFreeCertificateContext(win_ctx);
- CertCloseStore(win_store, 0);
 } else
 #endif
 if (!SSL_CTX_load_verify_locations(ctx->ssl_ctx, cacert_filename, capath)) {
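Review bot: In the enumeration loop, `d2i_X509(NULL, (const unsigned char**)&win_ctx->pbCertEncoded, win_ctx->cbCertEncoded)` passes the store-owned pointer itself, and d2i_X509 advances the pointer it is given, so every CERT_CONTEXT is modified before it goes back to CertEnumCertificatesInStore; decode through a local copy instead, `const unsigned char *der = win_ctx->pbCertEncoded;` followed by `x509 = d2i_X509(NULL, &der, win_ctx->cbCertEncoded);`. The `goto error` inside `if (x509)` leaves the loop without `X509_free(x509)`, and since `x509` is scoped to the loop body the error label cannot release it, so a free belongs before that jump. Now that both "Root" and "CA" are walked, a certificate present in both stores is added twice; on older OpenSSL releases X509_STORE_add_cert may report a duplicate as a failure, which would abort context creation here, so either confirm the minimum supported version or tolerate that specific error. The "CA" store holds intermediates, and they land in the same X509_STORE as the roots; a comment such as `/* "CA" entries are for chain building only; they must not become trust anchors (do not enable X509_V_FLAG_PARTIAL_CHAIN on this context) */` above the `subsystems` array would record that assumption. The error label and the rest of redisCreateSSLContextWithOptions lie outside the hunk, so whether `win_store` can be closed a second time there after the loop's own CertCloseStore could not be checked.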