
winhttp does not work properly when the IIS setting is set to "Accept Certificate"

Randy Wong

Sep 3, 2002, 11:31:39 PM
Hello,

I have an application written using winhttp ver 5.0 as an underlying
component to communicate with an ISAPI component installed on IIS. It works
fine when the certificate setting on the IIS is set to "Do not accept Client
Certificate" or "Require Client Certificate".

Under the setting "Require Client Certificates", a winhttp error
"ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED" is raised when
WinHttpReceiveResponse is called. This gives me an indication that a
client certificate is required. The function that I have implemented will
allow the user to specify the certificate to use for this application. If a
client certificate is available, my application will use the following
WinHttpSetOption call to provide the CERT_CONTEXT.

    // Send the request, then wait for the response.
    BOOL bSuccess = ::WinHttpSendRequest( m_hResource, lpszHeaders,
                                          dwHeadersLength, lpOptional,
                                          dwOptionalLength, dwOptionalLength,
                                          NULL );
    hRes = (bSuccess) ? S_OK : HRESULT_FROM_WIN32(GetLastError());

    if (SUCCEEDED(hRes))
    {
        const BOOL bSuccess = ::WinHttpReceiveResponse( m_hResource, NULL );
        hRes = (bSuccess) ? S_OK : HRESULT_FROM_WIN32(GetLastError());

        if (SUCCEEDED(hRes) ||
            hRes == HRESULT_FROM_WIN32(ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED))
        {
            // Attach the user-selected client certificate to the request.
            ::WinHttpSetOption( m_hResource,
                                WINHTTP_OPTION_CLIENT_CERT_CONTEXT,
                                (LPVOID)pCertContext,
                                sizeof(CERT_CONTEXT) );
        }
    }

The problem occurs when the setting for the ISAPI application in IIS is set to
"Accept Certificate". According to the online help in IIS, a client certificate
is optional.
If that is the case, my application should be able to send a request without a
client certificate. But this is not the case using winhttp; I'm still getting
"ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED". In this case, I do not have a valid
CERT_CONTEXT (as it is not available). Hence, I can't proceed to receive
data from my ISAPI application.

Does anyone have any clue how to resolve this problem?


Thanks in advance.


Randy Wong

Sep 5, 2002, 3:57:47 AM
To reproduce the problem, just compile and run the sample WinHttp
program taken from the Microsoft site. The code can be found below.

The program was compiled with WinHttp 5.0 (downloaded a few
days ago) and tested under Win XP Pro (IIS 5.1) on a computer
without any client certificates installed.

The program tries to access https://localhost/index.htm. When IIS
setting is set to "Ignore client certificates", both the sample program
and IE can access the above file. When IIS setting is changed to
"Accept client certificates", the program fails (WinHttpReceiveResponse
returns 12044 - client certificate needed), but IE happily reads the file.
The same happens on NT 4.0 with IIS 4.0.

Any feedback would be greatly appreciated.

Sample program:

#include <windows.h>
#include <winhttp.h>
#include <stdio.h>

int main()
{
    DWORD dwSize = 0;
    DWORD dwDownloaded = 0;
    LPSTR pszOutBuffer;
    BOOL bResults = FALSE;
    HINTERNET hSession = NULL, hConnect = NULL, hRequest = NULL;

    // Open a session, connect to the HTTPS port and create a GET request.
    hSession = WinHttpOpen( L"WinHTTP Example/1.0",
                            WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                            WINHTTP_NO_PROXY_NAME,
                            WINHTTP_NO_PROXY_BYPASS, 0);

    if (hSession)
        hConnect = WinHttpConnect( hSession, L"localhost",
                                   INTERNET_DEFAULT_HTTPS_PORT, 0);

    if (hConnect)
        hRequest = WinHttpOpenRequest( hConnect, L"GET", L"/index.htm",
                                       NULL, WINHTTP_NO_REFERER,
                                       WINHTTP_DEFAULT_ACCEPT_TYPES,
                                       WINHTTP_FLAG_SECURE);

    if (hRequest)
        bResults = WinHttpSendRequest( hRequest,
                                       WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                       WINHTTP_NO_REQUEST_DATA, 0,
                                       0, 0);

    // With "Accept client certificates" set, this call fails with 12044.
    if (bResults)
        bResults = WinHttpReceiveResponse( hRequest, NULL);

    // Read and print the response body until no more data is available.
    if (bResults)
        do
        {
            dwSize = 0;
            if (!WinHttpQueryDataAvailable( hRequest, &dwSize))
                printf("Error %u in WinHttpQueryDataAvailable.\n",
                       GetLastError());

            pszOutBuffer = new char[dwSize+1];
            if (!pszOutBuffer)
            {
                printf("Out of memory\n");
                dwSize = 0;
            }
            else
            {
                ZeroMemory(pszOutBuffer, dwSize+1);

                if (!WinHttpReadData( hRequest, (LPVOID)pszOutBuffer,
                                      dwSize, &dwDownloaded))
                    printf("Error %u in WinHttpReadData.\n",
                           GetLastError());
                else
                    printf("%s", pszOutBuffer);

                delete [] pszOutBuffer;
            }
        } while (dwSize > 0);

    if (!bResults)
        printf("Error %d has occurred.\n", GetLastError());

    if (hRequest) WinHttpCloseHandle(hRequest);
    if (hConnect) WinHttpCloseHandle(hConnect);
    if (hSession) WinHttpCloseHandle(hSession);

    return 0;
}


"Randy Wong" <rw...@keycorp.net> wrote in message
news:eU7qBO8UCHA.2704@tkmsftngp13...

Stephen Sulzer (Microsoft)

Sep 5, 2002, 1:01:42 PM
Hello,

Unfortunately, this is a limitation in WinHTTP: it treats a server that
"accepts a client certificate" as one that "requires a client certificate".
So your application will need to handle the 12044 "client cert needed" error
code and supply a certificate.

This problem is not fixed in WinHTTP version 5.1 either.

Regards,

Stephen Sulzer
Microsoft Corporation


This posting is provided "AS IS" with no warranties, and confers no rights.


"Randy Wong" <rand...@hotmail.com> wrote in message
news:OSGgaHLVCHA.3980@tkmsftngp08...
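
Added example (not part of the original thread and not Microsoft's code): one way to structure the handling described in the reply above, where the client catches 12044, attaches a certificate with WINHTTP_OPTION_CLIENT_CERT_CONTEXT and resends. The names Step, NextStep and SendWithOptionalCert are hypothetical, and the non-Windows typedef and constants are constructed stand-ins so the policy function compiles off Windows.

```cpp
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#include <wincrypt.h>
#else
// Constructed stand-ins (assumption) so NextStep compiles off Windows.
typedef unsigned long DWORD;
#define ERROR_SUCCESS 0UL
#define ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED 12044UL
#endif

// Hypothetical names for this example only.
enum class Step { Done, SetCertAndResend, Fail };

// Decide what to do after send/receive finished with Win32 error `err`.
Step NextStep(DWORD err, bool haveCert, bool certAlreadySent) {
    if (err == ERROR_SUCCESS) return Step::Done;
    if (err != ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED) return Step::Fail;
    // No certificate to offer, or the one already offered was not enough:
    // surface 12044 to the caller instead of looping forever.
    if (!haveCert || certAlreadySent) return Step::Fail;
    return Step::SetCertAndResend;
}

#ifdef _WIN32
// Sends hRequest and attaches pCert only when the server asks for one.
// Returns ERROR_SUCCESS or the last Win32 error code.
DWORD SendWithOptionalCert(HINTERNET hRequest, PCCERT_CONTEXT pCert) {
    bool certSent = false;
    for (;;) {
        DWORD err = ERROR_SUCCESS;
        if (!WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                WINHTTP_NO_REQUEST_DATA, 0, 0, 0) ||
            !WinHttpReceiveResponse(hRequest, NULL))
            err = GetLastError();

        switch (NextStep(err, pCert != NULL, certSent)) {
        case Step::Done: return ERROR_SUCCESS;
        case Step::Fail: return err;
        case Step::SetCertAndResend:
            // The option must be set before the request is sent again.
            if (!WinHttpSetOption(hRequest, WINHTTP_OPTION_CLIENT_CERT_CONTEXT,
                                  (LPVOID)pCert, sizeof(CERT_CONTEXT)))
                return GetLastError();
            certSent = true;
        }
    }
}
#endif
```

With no certificate available the wrapper returns 12044 unchanged, which is the "Accept client certificates" case described in this thread. Later WinHTTP documentation describes passing WINHTTP_NO_CLIENT_CERT_CONTEXT as the WINHTTP_OPTION_CLIENT_CERT_CONTEXT value to decline an optional certificate request; that macro is not mentioned in this thread, so check the headers of the version in use.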
