• Status: Solved

WinInet HTTP SDK has a problem dealing with an untrusted root CA web server

Firstly, sorry to post a non-MFC-related question in this area, but it's the most related area for the WIN32 SDK.

I am having a problem with HttpSendRequest when connecting to a secure web server with an unauthorized CA. I have set the INTERNET_FLAG_IGNORE_CERT_CN_INVALID and INTERNET_FLAG_IGNORE_CERT_DATE_INVALID flags for HttpOpenRequest, but it gives me error code 12045, which is ERROR_WINHTTP_SECURE_INVALID_CA. Is there anything else I need to do before setting up the connection?

The following is my code fragment for HttpOpenRequest:

   mConnectHandle = ::InternetConnect(mDownloadManager->mSessionHandle,
                                      hostName,
                                      INTERNET_DEFAULT_HTTPS_PORT,
                                      NULL,
                                      NULL,
                                      INTERNET_SERVICE_HTTP,
                                      0,
                                      0);

   mHttpRequestHandle = ::HttpOpenRequest(mConnectHandle,
                                          TEXT("POST"),
                                          path,
                                          TEXT("HTTP/1.1"),
                                          NULL,
                                          (LPCTSTR*)acceptType,
                                          INTERNET_FLAG_DONT_CACHE |  INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID,
                                          0) ;

Thanks in advance.
teltel
1 Solution
 
mahesh1402 Commented:
Try setting the SECURITY_FLAG_IGNORE_UNKNOWN_CA flag.

Try this after HttpOpenRequest():

 if ( dwError == 12045)
   {
    DWORD dwOption ;
    DWORD dwSize = sizeof(DWORD) ;
    InternetQueryOption (hReq, INTERNET_OPTION_SECURITY_FLAGS ,&dwOption, &dwSize);
    dwOption |= SECURITY_FLAG_IGNORE_UNKNOWN_CA ;
    InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwOption, sizeof (DWORD)) ;
   }


Also refer to this: 'How To Handle Invalid Certificate Authority Error with WinInet'
http://support.microsoft.com/kb/q182888/

-MAHESH
puranik_p Commented:
You can try this.

DWORD dwFlags;
BOOL m_SecureTranfer = TRUE;

dwFlags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_DONT_CACHE | INTERNET_FLAG_KEEP_CONNECTION;

if (m_SecureTranfer)
    dwFlags |= INTERNET_FLAG_SECURE;   // use HTTPS for this request

// Keep the returned handle; it is needed for HttpSendRequest.
if (method == POST_METHOD)             // Post data
    mHttpRequestHandle = ::HttpOpenRequest(mConnectHandle,
                                           TEXT("POST"),
                                           path,
                                           TEXT("HTTP/1.1"),
                                           NULL,
                                           (LPCTSTR*)acceptType,
                                           dwFlags,
                                           0);
else                                   // NULL verb: WinInet defaults to GET
    mHttpRequestHandle = ::HttpOpenRequest(mConnectHandle,
                                           NULL,
                                           path,
                                           NULL,
                                           NULL,
                                           (LPCTSTR*)acceptType,
                                           dwFlags,
                                           0);

mahesh1402 Commented:
As discussed here: http://support.microsoft.com/kb/q182888/ you may try using InternetQueryOption() and InternetSetOption() with SECURITY_FLAG_IGNORE_UNKNOWN_CA, as you are saying you are getting error 12045. The above link exactly solves this:

again:
   dwError = 0;   // reset, so a successful retry does not loop again
   if (!HttpSendRequest (hReq,...))
      dwError = GetLastError ();
   if (dwError == 12045)
   {
      DWORD dwFlags;
      DWORD dwBuffLen = sizeof(dwFlags);

      // Read the current security flags of the request handle
      InternetQueryOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
            (LPVOID)&dwFlags, &dwBuffLen);

      // Add the flag that accepts an unknown CA, then resend
      dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
      InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                            &dwFlags, sizeof (dwFlags) );
      goto again;
   }

-MAHESH
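
A narrower alternative to setting SECURITY_FLAG_IGNORE_UNKNOWN_CA unconditionally, as an added example that is not part of this thread or of the linked KB article: retry after error 12045 only when the server's leaf certificate hashes to a pinned SHA-256 value. `SendPinned`, `LeafHash`, `pin_matches` and `may_ignore_unknown_ca` are hypothetical names, and the code assumes WinInet still returns the certificate chain for a request that failed with 12045.

```c
#include <stddef.h>

#define ERR_INVALID_CA 12045UL  /* error code from this thread */
#define PIN_LEN 32              /* SHA-256 digest size */

/* Constant-time compare of the observed leaf-certificate hash with the pin. */
int pin_matches(const unsigned char *seen, size_t seen_len, const unsigned char *pin) {
    unsigned char diff = 0;
    size_t i;
    if (!seen || !pin || seen_len != PIN_LEN) return 0;
    for (i = 0; i < PIN_LEN; i++) diff |= (unsigned char)(seen[i] ^ pin[i]);
    return diff == 0;
}

/* Policy gate: relax CA checking only for 12045 and only for the pinned certificate. */
int may_ignore_unknown_ca(unsigned long err, const unsigned char *seen,
                          size_t seen_len, const unsigned char *pin) {
    return err == ERR_INVALID_CA && pin_matches(seen, seen_len, pin);
}

#ifdef _WIN32
#include <windows.h>
#include <wininet.h>
#include <wincrypt.h>  /* link: wininet.lib crypt32.lib */

/* SHA-256 of the server's leaf certificate on hReq; returns the hash length or 0.
   Assumption: the chain is still available after a 12045 failure. */
static DWORD LeafHash(HINTERNET hReq, BYTE out[PIN_LEN]) {
    PCCERT_CHAIN_CONTEXT chain = NULL;
    DWORD cb = sizeof(chain), cbOut = 0;
    if (!InternetQueryOption(hReq, INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT, &chain, &cb) || !chain)
        return 0;
    if (chain->cChain && chain->rgpChain[0]->cElement) {
        PCCERT_CONTEXT leaf = chain->rgpChain[0]->rgpElement[0]->pCertContext;
        cbOut = PIN_LEN;
        if (!CryptHashCertificate2(L"SHA256", 0, NULL, leaf->pbCertEncoded,
                                   leaf->cbCertEncoded, out, &cbOut)) cbOut = 0;
    }
    CertFreeCertificateChain(chain);
    return cbOut;
}

/* Send; on 12045 retry once only if the rejected certificate matches the pin,
   then re-check the pin on the connection that was actually used. */
BOOL SendPinned(HINTERNET hReq, void *body, DWORD cbBody, const BYTE pin[PIN_LEN]) {
    BYTE seen[PIN_LEN];
    DWORD err, flags = 0, cbFlags = sizeof(flags);
    if (HttpSendRequest(hReq, NULL, 0, body, cbBody)) return TRUE;
    err = GetLastError();
    if (!may_ignore_unknown_ca(err, seen, LeafHash(hReq, seen), pin)) { SetLastError(err); return FALSE; }
    InternetQueryOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, &cbFlags);
    flags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
    InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, sizeof(flags));
    return HttpSendRequest(hReq, NULL, 0, body, cbBody) && pin_matches(seen, LeafHash(hReq, seen), pin);
}
#endif
```

The second pin check runs after the retried request has already gone out, so the first request on a connection should carry nothing sensitive. Installing the private root CA in the machine's trusted store removes the need for the flag altogether.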