I am writing to report a critical bug that breaks smart card authentication in TortoiseSVN following recent Windows updates. This issue will become a hard failure in April 2026.
The Problem
When using TortoiseSVN to access an SVN repository that requires client certificate authentication with a certificate stored on a smart card, the process now fails.
For years, TortoiseSVN has correctly triggered the Windows certificate selection dialog, allowing users to choose their smart card certificate. However, after the latest Windows security updates, this dialog no longer appears. Instead, TortoiseSVN prompts the user to browse for a local .p12 or .pfx certificate file. This new behavior makes it impossible to use smart card-based certificates for authentication.
I have tested the r29773 nightly build and can confirm that this behavior is still present.
Root Cause: Windows Security Update for CVE-2024-30098
This issue is a direct result of Microsoft's security updates to patch the vulnerability described in CVE-2024-30098 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30098).
This update changes how Windows handles RSA-based certificates.
Previously, Windows allowed applications to use the legacy Cryptographic Application Programming Interface (CAPI) and its Cryptographic Service Providers (CSP) to access RSA certificate private keys. To enhance security, the update now requires that all RSA-based certificates be accessed via the modern Cryptography API: Next Generation (CNG) and its Key Storage Providers (KSP).
It appears TortoiseSVN is still using the legacy CAPI/CSP functions to access the certificate store. Now that Windows enforces the use of KSP for these certificates, TortoiseSVN can no longer find or use them, leading to the prompt for a file-based certificate.
Temporary Workaround (with a Hard Deadline)
Microsoft has provided a temporary registry key to revert to the old behavior and allow legacy CAPI access.
While this registry key restores functionality for now, Microsoft has stated that this workaround will be permanently removed in the Windows update scheduled for April 2026.
After that date, any application not updated to use the KSP/CNG APIs will be unable to access these certificates, with no workaround available.
Broader Impact
This issue is not limited to just smart card users. It will also impact any environment where security policies require RSA private keys to be stored within the Windows certificate store and prohibit having .p12 or .pfx files on the local filesystem.
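A read-only way to see whether each certificate in the current user's store is bound to a legacy CSP or a CNG KSP, as an added PowerShell example that is not part of the original report and is not TortoiseSVN or Microsoft code. It reads the certificate's key provider information (`CERT_KEY_PROV_INFO_PROP_ID`) through `CertGetCertificateContextProperty`; the helper class name `KeyProvInfo` is hypothetical.

```powershell
# Added diagnostic. It only reads the CERT_KEY_PROV_INFO_PROP_ID property of each
# certificate and never opens the private key, so the card is not accessed.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class KeyProvInfo {   // hypothetical helper name
    [StructLayout(LayoutKind.Sequential)]
    struct CRYPT_KEY_PROV_INFO {
        public IntPtr pwszContainerName, pwszProvName;
        public uint dwProvType, dwFlags, cProvParam;
        public IntPtr rgProvParam;
        public uint dwKeySpec;
    }
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertGetCertificateContextProperty(
        IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
    const uint CERT_KEY_PROV_INFO_PROP_ID = 2;

    // Returns "providerName|dwProvType", or null when the certificate has no key binding.
    public static string Get(IntPtr certContext) {
        uint cb = 0;
        if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, IntPtr.Zero, ref cb))
            return null;
        IntPtr buf = Marshal.AllocHGlobal((int)cb);
        try {
            if (!CertGetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, buf, ref cb))
                return null;
            var info = (CRYPT_KEY_PROV_INFO)Marshal.PtrToStructure(buf, typeof(CRYPT_KEY_PROV_INFO));
            return Marshal.PtrToStringUni(info.pwszProvName) + "|" + info.dwProvType;
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
'@

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $raw = [KeyProvInfo]::Get($_.Handle)
    if ($raw) {
        $provName, $provType = $raw -split '\|'
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Algorithm  = $_.PublicKey.Oid.FriendlyName
            Provider   = $provName
            # dwProvType 0 marks a CNG key storage provider; non-zero is a legacy CAPI CSP type
            KeyApi     = if ([int]$provType -eq 0) { 'CNG/KSP' } else { 'CAPI/CSP' }
        }
    }
} | Format-Table -AutoSize
```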