I have an application written using WinHTTP ver 5.0 as an underlying
component to communicate with an ISAPI component installed on IIS. It works
fine when the certificate setting on the IIS is set to "Do not accept Client
Certificate" or "Require Client Certificate".
Under the setting "Require Client Certificates", a WinHTTP error
"ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED" is raised when
WinHttpReceiveResponse is being called. This gives me an indication that a
client certificate is required. The function that I have implemented will
allow the user to specify the certificate to use for this application. If a
client certificate is available, my application will use the following
WinHttpSetOption call to provide the CERT_CONTEXT.
    // Send the request; on failure keep the Win32 error as an HRESULT.
    BOOL bSuccess = ::WinHttpSendRequest( m_hResource, lpszHeaders,
                                          dwHeadersLength, lpOptional,
                                          dwOptionalLength, dwOptionalLength,
                                          NULL );
    hRes = (bSuccess) ? S_OK : HRESULT_FROM_WIN32(GetLastError());
    if (SUCCEEDED(hRes))
    {
        const BOOL bSuccess = ::WinHttpReceiveResponse( m_hResource, NULL );
        hRes = (bSuccess) ? S_OK : HRESULT_FROM_WIN32(GetLastError());
        if (SUCCEEDED(hRes) ||
            hRes == HRESULT_FROM_WIN32(ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED))
        {
            // Attach the user-selected client certificate to the request.
            ::WinHttpSetOption( m_hResource,
                                WINHTTP_OPTION_CLIENT_CERT_CONTEXT,
                                (LPVOID)pCertContext,
                                sizeof(CERT_CONTEXT) );
        }
    }
The problem occurs when the setting for the ISAPI application in IIS is set to
"Accept Certificate". According to the online help for IIS, a client
certificate is optional.
If that is the case, my application should be able to send a request without
a client certificate. But this is not the case using WinHTTP; I'm still
getting "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED". In this case, I do not have
a valid CERT_CONTEXT (as it is not available). Hence, I can't proceed to
receive data from my ISAPI application.
Does anyone have any clue how to resolve this problem?
Thanks in advance.
The program was compiled with WinHttp 5.0 (downloaded a few
days ago) and tested under Win XP Pro (IIS 5.1) on a computer
without any client certificates installed.
The program tries to access https://localhost/index.htm. When IIS
setting is set to "Ignore client certificates", both the sample program
and IE can access the above file. When IIS setting is changed to
"Accept client certificates", the program fails (WinHttpReceiveResponse
returns 12044 - client certificate needed), but IE happily reads the file.
The same happens on NT 4.0 with IIS 4.0.
Any feedback would be greatly appreciated.
Sample program:
    #include <windows.h>
    #include <winhttp.h>
    #include <stdio.h>

    int main()
    {
        DWORD dwSize = 0;
        DWORD dwDownloaded = 0;
        LPSTR pszOutBuffer;
        BOOL bResults = FALSE;
        HINTERNET hSession = NULL, hConnect = NULL, hRequest = NULL;

        // Open a session, connect to localhost over HTTPS and build the GET.
        hSession = WinHttpOpen( L"WinHTTP Example/1.0",
                                WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                                WINHTTP_NO_PROXY_NAME,
                                WINHTTP_NO_PROXY_BYPASS, 0);
        if (hSession)
            hConnect = WinHttpConnect( hSession, L"localhost",
                                       INTERNET_DEFAULT_HTTPS_PORT, 0);
        if (hConnect)
            hRequest = WinHttpOpenRequest( hConnect, L"GET", L"/index.htm",
                                           NULL, WINHTTP_NO_REFERER,
                                           WINHTTP_DEFAULT_ACCEPT_TYPES,
                                           WINHTTP_FLAG_SECURE);
        if (hRequest)
            bResults = WinHttpSendRequest( hRequest,
                                           WINHTTP_NO_ADDITIONAL_HEADERS, 0,
                                           WINHTTP_NO_REQUEST_DATA, 0,
                                           0, 0);
        // This is the call that returns 12044 in the failing case.
        if (bResults)
            bResults = WinHttpReceiveResponse( hRequest, NULL);

        // Read and print the response body until no more data is available.
        if (bResults)
            do
            {
                dwSize = 0;
                if (!WinHttpQueryDataAvailable( hRequest, &dwSize))
                    printf("Error %u in WinHttpQueryDataAvailable.\n",
                           GetLastError());
                pszOutBuffer = new char[dwSize+1];
                if (!pszOutBuffer)
                {
                    printf("Out of memory\n");
                    dwSize = 0;
                }
                else
                {
                    ZeroMemory(pszOutBuffer, dwSize+1);
                    if (!WinHttpReadData( hRequest, (LPVOID)pszOutBuffer,
                                          dwSize, &dwDownloaded))
                        printf("Error %u in WinHttpReadData.\n",
                               GetLastError());
                    else
                        printf("%s", pszOutBuffer);
                    delete [] pszOutBuffer;
                }
            } while (dwSize > 0);

        if (!bResults)
            printf("Error %u has occurred.\n", GetLastError());

        // Release the handles in reverse order of creation.
        if (hRequest) WinHttpCloseHandle(hRequest);
        if (hConnect) WinHttpCloseHandle(hConnect);
        if (hSession) WinHttpCloseHandle(hSession);
        return 0;
    }
"Randy Wong" <rw...@keycorp.net> wrote in message
news:eU7qBO8UCHA.2704@tkmsftngp13...
Unfortunately, this is a limitation in WinHTTP: it treats a server that
"accepts a client certificate" as one that "requires a client certificate".
So your application will need to handle the 12044 "client cert needed" error
code and supply a certificate.
This problem is not fixed in WinHTTP version 5.1 either.
Regards,
Stephen Sulzer
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
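The handling described in the reply above, as an added example that is not part of the original thread: on 12044 the client attaches a certificate and then resends the request, because setting the option does not retry anything by itself. The names fake_request, fake_send_receive, fake_set_cert, req_status and send_with_cert_retry are hypothetical stand-ins, constructed so the flow runs without WinHTTP.

```c
#include <stddef.h>

/* ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED, the 12044 quoted in the thread. */
#define CERT_NEEDED 12044u

/* Constructed stand-in for a request handle (hypothetical, not WinHTTP).
   In a real client, fake_send_receive() is WinHttpSendRequest followed by
   WinHttpReceiveResponse, and fake_set_cert() is WinHttpSetOption with
   WINHTTP_OPTION_CLIENT_CERT_CONTEXT. */
typedef struct {
    int server_asks_for_cert;  /* IIS set to "Accept" or "Require" */
    const void *cert;          /* certificate attached to the request */
    int sends;                 /* number of send attempts made */
} fake_request;

/* Returns 0 on success, otherwise the code GetLastError() would report. */
static unsigned fake_send_receive(fake_request *r)
{
    r->sends++;
    return (r->server_asks_for_cert && r->cert == NULL) ? CERT_NEEDED : 0;
}

static void fake_set_cert(fake_request *r, const void *cert)
{
    r->cert = cert;
}

typedef enum { REQ_OK, REQ_NO_CERT_AVAILABLE, REQ_FAILED } req_status;

/* Send once; on 12044 attach the caller's certificate and resend exactly
   once. cert may be NULL when the user has no certificate to offer. */
req_status send_with_cert_retry(fake_request *r, const void *cert)
{
    unsigned err = fake_send_receive(r);
    if (err == 0)
        return REQ_OK;
    if (err != CERT_NEEDED)
        return REQ_FAILED;
    if (cert == NULL)
        return REQ_NO_CERT_AVAILABLE;   /* report it, do not loop */
    fake_set_cert(r, cert);
    /* The first attempt already failed, so the request has to be resent. */
    err = fake_send_receive(r);
    return (err == 0) ? REQ_OK : REQ_FAILED;
}
```

REQ_NO_CERT_AVAILABLE is the case from the question: the server is set to "Accept", no certificate is installed, and the caller gets a distinct status to show the user.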