Also, the registered callback for WINHTTP_CALLBACK_FLAG_SECURE_FAILURE
isn't called. I've verified it's registered properly by performing a
request for a different URL that produces a "hostname mismatch" SSL
error, and the callback is properly executed.
I turned on WinHttpTracing, and this is the excerpt of the log where the
initial receive fails, the certificate is added, and the new request fails:
12:22:09.081 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x2f0c
[ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED]
12:22:09.081 ::*0000001* :: WinHttpReceiveResponse: error 12044
[ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED]
12:22:09.081 ::*0000001* :: WinHttpReceiveResponse() returning FALSE
12:22:09.081 ::*0000001* :: WinHttpSetOption(0xa10000, (47), 0x14b1c0
[0x1], 20)
12:22:09.081 ::*0000001* :: WinHttpSetOption() returning TRUE
12:22:09.081 ::*0000001* :: WinHttpSendRequest(0xa10000, "", 0, 0x0, 0,
0, 0)
12:22:09.081 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x8009030e
[SEC_E_NO_CREDENTIALS]
12:22:09.081 ::*0000001* :: WinHttpSendRequest: error 12175
[ERROR_WINHTTP_SECURE_FAILURE]
12:22:09.081 ::*0000001* :: WinHttpSendRequest() returning FALSE
Googling SEC_E_NO_CREDENTIALS shows some people with a similar problem
and no answers. It seems to be "No credentials are available in the
security package", which doesn't make much sense to me.
The certificate I'm assigning shows all the right properties with
CertGetNameString, and the certificate can be loaded into IE and access
the website in question with no problem. There doesn't appear to be any
problem with the server cert either.
So 2 questions:
1. Why was the secure failure callback not invoked?
2. What can I do to find out more about this error?
Thanks
Jason
I figured out what the problem was; due to an oversight when the
certificate was exported & loaded into the store, the certificate in
question was only the public key, not the public & private.
The secure failure callback should really be invoked for this situation,
either with SEC_E_NO_CREDENTIALS or some new
WINHTTP_CALLBACK_STATUS_FLAG_* value, and get documented with its
explanation on http://msdn2.microsoft.com/en-us/library/aa383917.aspx
Thanks
Jason
15:00:21.506 ::*0000003* :: Winsock/RPC/SSL/Transport error: 0x2f0c
[ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED]
15:00:21.506 ::*0000003* :: WinHttpReceiveResponse: error 12044
[ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED]
15:00:28.147 ::*0000003* :: Winsock/RPC/SSL/Transport error: 0x8009030d
[SEC_E_UNKNOWN_CREDENTIALS]
15:00:28.147 ::*0000003* :: WinHttpSendRequest: error 12175
[ERROR_WINHTTP_SECURE_FAILURE]
As the logs show, there's also a 6.5 second pause while it figures out
that it doesn't have permission to read the private key.
I wonder if all varieties of client certificate failures fail to invoke
the secure failure callback. Maybe add a new notification flag for it?
This stuff should really be added in some way. I'd like our software to
be able to report proper errors in a customer's environment, which it
currently can't do.
Thanks
Jason
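
An added example, not part of the original posts and not WinHTTP code: a triage script for WinHttpTracing output that pairs ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED with the SSPI error that follows the client-certificate retry, and reports the cause found in this thread along with the stall between the two. The function names and the cause table are assumptions built from the posts above, not an official or exhaustive mapping.

```python
import re

# Causes reported in this thread for the SSPI error after the client-cert retry (assumed mapping).
CAUSES = {
    0x8009030E: "certificate in the store has no private key (public key only)",
    0x8009030D: "process has no permission to read the private key",
}
CERT_NEEDED = 0x2F0C  # ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED (12044)
REC = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{3}) ::\*(\d+)\* :: (.*)$")
ERR = re.compile(r"Transport error: (0x[0-9a-fA-F]+) \[(\w+)\]")

# Sample input: a subset of the trace lines quoted in the thread, wrapped as posted.
SAMPLE_TRACE = """\
12:22:09.081 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x2f0c
[ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED]
12:22:09.081 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x8009030e
[SEC_E_NO_CREDENTIALS]
15:00:21.506 ::*0000003* :: Winsock/RPC/SSL/Transport error: 0x2f0c
[ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED]
15:00:28.147 ::*0000003* :: Winsock/RPC/SSL/Transport error: 0x8009030d
[SEC_E_UNKNOWN_CREDENTIALS]
"""

def records(trace):
    """Yield (seconds, request_id, message), re-joining wrapped continuation lines."""
    joined = []
    for line in trace.splitlines():
        if REC.match(line):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()
    for line in joined:
        h, m, s, ms, req, msg = REC.match(line).groups()
        yield int(h) * 3600 + int(m) * 60 + int(s) + int(ms) / 1000, req, msg

def triage(trace):
    """Return one finding per request whose client-cert retry failed inside SSPI."""
    needed_at, findings = {}, []
    for t, req, msg in records(trace):
        err = ERR.search(msg)
        if not err:
            continue
        code = int(err.group(1), 16)
        if code == CERT_NEEDED:
            needed_at[req] = t
        elif code in CAUSES and req in needed_at:
            findings.append({"request": req, "sspi": err.group(2), "cause": CAUSES[code],
                             "stall_s": round(t - needed_at[req], 3)})
    return findings
```

Calling `triage(SAMPLE_TRACE)` returns one finding per failed request, which an application can log in place of the bare error 12175.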