What can WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR indicate?

[david....@gmail.com]

Hi all,

I'm having a devil of a time diagnosing this issue. We use WinHTTP for HTTPS requests on clients. The server has an (as far as I can tell) properly installed and trusted SSL certificate and we're not using anything fancy like client certificates.

Some customers (Exclusively Win8 users) are reporting intermittent WinHTTP errors connecting to the secure server. These manifest as a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE message sent to the WinHttpStatusCallback function with data set to WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR. Documentation is scant, but best I can tell this looks like a catch-all error. Does anyone know what sort of conditions can cause this? Is this a failure to load/init one of the crypto DLLs?

Automatically retrying the request doesn't seem to help as the error is consistent across a short period of time, but users that report this issue are also able to make successful requests most of the time (~90%). No other OS users report any issues, so I'm inclined to suspect a bug in WinHTTP, but I don't know where to look.

I was able to capture a debug dump during the aforementioned status callback, so I have some state info available (not sure what too look for though. The core I have is using the following WinHTTP module info:

Mapped memory image file: C:\symbols\winhttp.dll\50986FA482000\winhttp.dll
Image path: C:\Windows\System32\winhttp.dll
Image name: winhttp.dll
Timestamp: Mon Nov 05 18:02:12 2012 (50986FA4)
CheckSum: 000833B2
ImageSize: 00082000
File version: 6.2.9200.16451
Product version: 6.2.9200.16451
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft« Windows« Operating System
InternalName: winhttp.dll
OriginalFilename: winhttp.dll
ProductVersion: 6.2.9200.16451
FileVersion: 6.2.9200.16451 (win8_gdr.121105-1502)
FileDescription: Windows HTTP Services
LegalCopyright: ⌐ Microsoft Corporation. All rights reserved.

Do I need to be looking at the sub-module version for the crypto providers? What DLLs should I be looking at? Any help would be greatly appreciated.

Regards,
David Nikdel

[doug.c...@gmail.com]

Hi David -

I hate to be the guy that posts "Me, too", but we're also facing the same challenge and I'm early in the investigative phase. I wanted to write to you and see if you learned anything about this issue since the time you posted?

Thank You in advance and sorry I don't have any valuable insight to share [yet]!

Thanks, doug.

[portab...@gmail.com]

On Wednesday, September 18, 2013 7:47:26 AM UTC-7, david....@gmail.com wrote:

Just in case anyone else happens to stop by ...

WINHTTP_CALLBACK_STATUS_SECURE_FAILURE/WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR can be caused by attempting an https query to an http socket (e.g. https://facebook.com:80). But, this occurs on both Windows 7 and 8, so it doesn't explain any Win8-specific trouble.

I'll post back if I ever find something more conclusive.

P.S. we miss you Dave

[sen...@gmail.com]

WINHTTP_CALLBACK_STATUS_SECURE_FAILURE/WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR can be caused by attempting an https query to an http socket (e.g. https://facebook.com:80). But, this occurs on both Windows 7 and 8, so it doesn't explain any Win8-specific trouble.
>
> I'll post back if I ever find something more conclusive.
>
> P.S. we miss you Dave

Dave, it's been a long dead thread. I'm curious if you have anything new to add to this? I'm in the same boat... just checked and I do use port 443 but still am getting WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR for some https sites when calling WinHttpSendRequest() API. Any follow up would help!