Discussion:
Disabling Certificate Validation
j***@gmail.com
2007-03-21 17:38:01 UTC
I've asked this here before, and I've asked on the Microsoft forums
and gotten no answer, but I'll try again. WinHttp 5.1 ignores calls to
WinHttpSetOption() with the SECURITY_FLAG_IGNORE_UNKNOWN_CA and
SECURITY_FLAG_IGNORE_CERT_CN_INVALID flags. Because of this one cannot
send requests to an HTTPS server with a self-signed certificate, nor
can one use a self-signed client certificate. This is very, very
annoying during development because it's not always feasible to have a
third party sign your certs. This is a deal-killer for a good number
of legitimate uses, like sending requests to a test or development web
server that isn't going to have a signed server cert and/or whose host
and domain name doesn't match the CN on its certificate.

Disabling these checks worked gloriously under WinHttp 5.0, but 5.0 is
dead. It is inconceivable that I am the only person to face this
problem. Can anyone give me any information about how to get around
this?
Marcin Domaslawski
2007-03-22 08:26:24 UTC
Hi,

Actually I'm working with an old IIS with a self-signed certificate and WinHttp
5.1, but it works fine.

I use

DWORD dwOptions =
    SECURITY_FLAG_IGNORE_CERT_CN_INVALID
    | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
    | SECURITY_FLAG_IGNORE_UNKNOWN_CA
    | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;

(...)
dwRetVal = WinHttpSetOption( m_hRequest, WINHTTP_OPTION_SECURITY_FLAGS,
                             &dwOptions, sizeof (DWORD) );
(...)


Do you get an error code? When do you get the error that your server's
certificate is incorrect?

Marcin Domaslawski
Post by j***@gmail.com
> I've asked this here before, and I've asked on the Microsoft forums
> and gotten no answer, but I'll try again. WinHttp 5.1 ignores calls to
> WinHttpSetOption() with the SECURITY_FLAG_IGNORE_UNKNOWN_CA and
> SECURITY_FLAG_IGNORE_CERT_CN_INVALID flags. Because of this one cannot
> send requests to an HTTPS server with a self-signed certificate, nor
> can one use a self-signed client certificate. This is very, very
> annoying during development because it's not always feasible to have a
> third party sign your certs. This is a deal-killer for a good number
> of legitimate uses, like sending requests to a test or development web
> server that isn't going to have a signed server cert and/or whose host
> and domain name doesn't match the CN on its certificate.
> Disabling these checks worked gloriously under WinHttp 5.0, but 5.0 is
> dead. It is inconceivable that I am the only person to face this
> problem. Can anyone give me any information about how to get around
> this?
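An added example, not code from this thread: the same WinHttp 5.1 sequence as Marcin's, with the ignore flags set on the request handle before WinHttpSendRequest() and compiled in only under an assumed DEV_BUILD macro, plus a status callback registered for WINHTTP_CALLBACK_FLAG_SECURE_FAILURE that decodes which certificate check failed. The WinHttp part is Windows-only (link with winhttp.lib); the decoder builds anywhere so it can be tested. probe(), on_status() and describe_secure_failure() are my names, not WinHttp API.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winhttp.h>
#else /* off Windows only these winhttp.h bit values are needed, so the decoder still builds and tests */
typedef unsigned long DWORD;
#define WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA        0x08
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID   0x10
#define WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID 0x20
#endif
/* Decode the bitmask WINHTTP_CALLBACK_STATUS_SECURE_FAILURE delivers, so a rejected dev cert is diagnosed, not silently bypassed. */
const char *describe_secure_failure(DWORD bits, char *out, size_t n) {
    static const struct { DWORD bit; const char *name; } map[] = {
        { WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA,        "untrusted CA" },
        { WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID,   "CN/host mismatch" },
        { WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID, "date invalid" } };
    out[0] = '\0';
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++) {
        if (!(bits & map[i].bit)) continue;
        if (out[0]) strncat(out, ", ", n - strlen(out) - 1);
        strncat(out, map[i].name, n - strlen(out) - 1);
    }
    return out[0] ? out : "other TLS failure";
}
#ifdef _WIN32
static void CALLBACK on_status(HINTERNET h, DWORD_PTR ctx, DWORD code, LPVOID info, DWORD len) {
    char buf[128];
    if (code == WINHTTP_CALLBACK_STATUS_SECURE_FAILURE)   /* info points to the failure bitmask */
        fprintf(stderr, "TLS validation failed: %s\n", describe_secure_failure(*(DWORD *)info, buf, sizeof buf));
}
DWORD probe(const wchar_t *host) {   /* GET https://host/ ; returns the Win32 error code, 0 on success */
    DWORD err = 0;
    HINTERNET s = WinHttpOpen(L"probe/1.0", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, NULL, NULL, 0);
    HINTERNET c = s ? WinHttpConnect(s, host, INTERNET_DEFAULT_HTTPS_PORT, 0) : NULL;
    HINTERNET r = c ? WinHttpOpenRequest(c, L"GET", L"/", NULL, NULL, NULL, WINHTTP_FLAG_SECURE) : NULL;
    if (!r) err = GetLastError();
    else {
        WinHttpSetStatusCallback(r, on_status, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0);
#ifdef DEV_BUILD /* bypass only in a build that cannot ship; must be set on the request handle before sending */
        DWORD ignore = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
        WinHttpSetOption(r, WINHTTP_OPTION_SECURITY_FLAGS, &ignore, sizeof ignore);
#endif
        if (!WinHttpSendRequest(r, WINHTTP_NO_ADDITIONAL_HEADERS, 0, WINHTTP_NO_REQUEST_DATA, 0, 0, 0) ||
            !WinHttpReceiveResponse(r, NULL)) err = GetLastError(); /* 12175 = ERROR_WINHTTP_SECURE_FAILURE */
    }
    if (r) WinHttpCloseHandle(r); if (c) WinHttpCloseHandle(c); if (s) WinHttpCloseHandle(s);
    return err;
}
#endif
```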
j***@gmail.com
2007-03-22 13:47:19 UTC
I've since realized that there isn't a problem with using self-signed
client certificates, but only with talking to a server with a cert
that doesn't pass muster. Note that I'm writing a web client here,
not a server application.

I don't get any errors until I call WinHttpSendRequest(), which will
give me an ERROR_WINHTTP_SECURE_FAILURE and what's more, will not hit
the callback function that I've registered for security-related
issues. It just fails and annoys me.
v***@gmail.com
2013-01-23 18:36:19 UTC
Post by j***@gmail.com
> I've since realized that there isn't a problem with using self-signed
> client certificates, but only with talking to a server with a cert
> that doesn't pass muster. Note that I'm writing a web client here,
> not a server application.
> I don't get any errors until I call WinHttpSendRequest(), which will
> give me an ERROR_WINHTTP_SECURE_FAILURE and what's more, will not hit
> the callback function that I've registered for security-related
> issues. It just fails and annoys me.
Hi,

I'm having exactly the same problem. Did you find a resolution?
