
Weird behaviour with SSL and unknown certificates (Err 12045)

nino

Feb 25, 2000, 3:00:00 AM2/25/00
Hi,

I'd like to get some opinions on something that I found very strange when
working with WinInet and SSL.
The story is as follows:

I've created a program using WinInet that automatically logs on to the local
network (needed for internet access). The logging in is done via a CGI script
and using SSL. Now, the program worked fine until 02/23, when it suddenly
couldn't log in anymore. Error checking revealed that HttpSendRequest failed
with GetLastError() == 12045 (ERROR_INTERNET_INVALID_CA). From the MSDN:
"This error occurs when the client does not know about the certificate
authority that issued the server certificate."

Searching the MSDN I found the following solution (in KB Q182888):

...
again:
    if (!HttpSendRequest (hReq, ...))
    {
        /* only inspect the error when the call actually failed */
        dwError = GetLastError ();
        if (dwError == ERROR_INTERNET_INVALID_CA)
        {
            DWORD dwFlags;
            DWORD dwBuffLen = sizeof(dwFlags);

            /* read the current security flags of this request handle */
            InternetQueryOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                                 (LPVOID)&dwFlags, &dwBuffLen);

            /* tell WinInet not to fail the request on an unknown CA
               (the CA of the server certificate is then not checked) */
            dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
            InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                               &dwFlags, sizeof (dwFlags) );
            goto again;   /* C labels are case-sensitive: "again", not "Again" */
        }
    }
...

However, having tried this and several variations on the same theme, I was
still unable to log in, getting the server response:
...
400 Bad Request
...
Your browser sent a request that this server could not understand.
Invalid Content-Length 45, 45
...

First of all, I knew there was nothing wrong with the headers, having not
modified the code dealing with them and having had a working program before.
Secondly, it only produced the error and erroneous server output once! Trying
to log in once more, after the first unsuccessful attempt, always succeeded! I
indeed found this strange, considering that all the handles are local to the
login function and opened and closed within the function. Experimenting some
more, I narrowed down the essential steps that had to be done to get it to
work and came up with the following:

Note that this only has to be done to get it to work the first time; for any
subsequent calls to the login function the first HttpSendRequest will
succeed.

1. Open up all handles needed for HttpSendRequest.
2. Call HttpSendRequest.

In case of failure (it will always fail the first time the function is called):

3. Process the ERROR_INTERNET_INVALID_CA error as shown above with
InternetQueryOption and InternetSetOption.
4. Read the error 400 output from the server.
5. Close the request handle.
6. Open the request handle again.
7. Call HttpSendRequest again, which will succeed this time, successfully
logging in.

Although working, it's not exactly the ideal solution. I also find it very
strange that the option modifications seem to apply to all later
connections, even though the original handle for which the option was set is
closed.

My configuration is as follows:

Win98 SE
Internet Explorer 5.0 installed with WinInet.DLL version 5.00.2614.3500.

Let me know if there's some info missing.
So, anyone got any comments?

/ Nino
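The 400 response quoted above, as an added example that is not part of the original post or of WinInet: a server-side check that merges repeated header fields into one comma-separated value (as Apache's request parser did) and then rejects a Content-Length that is not a single decimal number, so a request carrying the header twice is refused with the same reason the post shows. It assumes that the failed first attempt re-sent Content-Length on the same request handle; the sample requests, host and CGI path are constructed.

```python
import re

# A valid Content-Length is a single unsigned decimal number; "45, 45" is not.
CONTENT_LENGTH_RE = re.compile(r"^\d+$")

# Constructed sample requests (not from the post); host and CGI path are placeholders.
GOOD_REQUEST = (
    "POST /cgi-bin/login HTTP/1.0\r\n"
    "Host: gateway.example\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
)
# The same request with Content-Length sent twice (assumed cause of the 400).
BAD_REQUEST = GOOD_REQUEST.replace(
    "Content-Length: 45\r\n", "Content-Length: 45\r\n" * 2
)


def parse_headers(block):
    """Parse CRLF-separated header lines into a dict keyed by lowercase name.

    Repeated fields are merged into one comma-separated value, which is how
    a server ends up reporting a Content-Length of "45, 45".
    """
    headers = {}
    for line in block.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def validate_content_length(headers):
    """Return (200, length) for one well-formed value, else (400, reason)."""
    value = headers.get("content-length")
    if value is None:
        return 200, None
    if not CONTENT_LENGTH_RE.match(value):
        return 400, "Invalid Content-Length " + value
    return 200, int(value)


def check_request(raw):
    """Split a raw request into head and body and check its Content-Length."""
    head = raw.partition("\r\n\r\n")[0]
    header_block = head.partition("\r\n")[2]  # drop the request line
    return validate_content_length(parse_headers(header_block))
```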
