StdNet Dev
2005-06-28 19:17:10 UTC
Hello. My customers are having a problem upon upgrading to
Windows 2003 SP1. When my web application makes an HTTPS request
using the WinInet API HttpSendRequestEx,
it gets error ERROR_INTERNET_SEC_CERT_REV_FAILED:
Security certificate revocation failed.
It appears that SP1 introduces some changes that, at least under
some circumstances, prevent an application from checking the
revocation status of certificates. It appears that my app is checking
the publisher's revocation status, not the certificate's revocation status,
because this error does not occur with self-signed certificates.
I can get around this by setting the dwFlags parameter to include
SECURITY_FLAG_IGNORE_REVOCATION
but this is unacceptable due to the timeout (about 9 - 16 seconds)
that takes place before HttpSendRequestEx continues.
In other words, this flag causes the revocation failure to be
ignored, rather than preventing the check for revocation in the
first place.
One affected application is an ISAPI app, with W3SVC running as LocalSystem.
We have another application running as a different service and it
has the same problem.
I tried adding code to clear the IE setting
"Check for publisher's certificate revocation" in the registry.
By some sleuthing, I determined that this normally can be done by ORing
the registry value
\\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
with 0x200.
However, in this case my attempts to open the registry key failed, probably
because the service is running as LocalSystem.
I'm running out of ideas.
Can anyone suggest a way to avoid this WinInet error?
Preferably a programmatic approach, since this is not a single server
but rather a commercial application that runs on various customer servers.
Thanks.
Mark Riordan
Standard Networks
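An audit script added here as an example (not the poster's code): it reads the WinTrust "State" value named above for the interactive user and for the LocalSystem profile hive (HKEY_USERS\S-1-5-18, which is what a LocalSystem service sees as HKEY_CURRENT_USER) and reports whether the 0x200 bit the post describes has disabled the publisher revocation check; the second function clears that bit again so the check is performed. Function names are my own.

```powershell
# Added example, not from the original post. Run from an elevated prompt so
# the HKEY_USERS hive of LocalSystem (S-1-5-18) can be read and written.
$subKey = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnoreRevocationBit = 0x200   # bit named in the post; when set, the publisher revocation check is skipped

function Get-PublisherRevocationCheckState {
    # Reports the State value and whether bit 0x200 is set for one profile hive.
    param(
        [Parameter(Mandatory)][string]$Hive,   # 'HKCU:' or 'Registry::HKEY_USERS\S-1-5-18'
        [string]$Label = $Hive
    )
    $path  = "$Hive\$subKey"
    $state = (Get-ItemProperty -Path $path -Name State -ErrorAction SilentlyContinue).State
    if ($null -eq $state) {
        return [pscustomobject]@{ Profile = $Label; State = $null
                                  RevocationCheckDisabled = $null
                                  Note = 'State value not present (defaults apply)' }
    }
    [pscustomobject]@{
        Profile                 = $Label
        State                   = ('0x{0:X}' -f $state)
        RevocationCheckDisabled = [bool]($state -band $IgnoreRevocationBit)
        Note                    = ''
    }
}

function Enable-PublisherRevocationCheck {
    # Remediation: clear bit 0x200 so the revocation check runs again. Returns the new State.
    param([Parameter(Mandatory)][string]$Hive)
    $path  = "$Hive\$subKey"
    $state = (Get-ItemProperty -Path $path -Name State -ErrorAction Stop).State
    $new   = $state -band (-bnot $IgnoreRevocationBit)
    if ($new -ne $state) {
        Set-ItemProperty -Path $path -Name State -Value $new -Type DWord
    }
    return $new
}

# Audit both the logged-on user and the LocalSystem profile a service runs under.
@(
    Get-PublisherRevocationCheckState -Hive 'HKCU:' -Label 'Current user'
    Get-PublisherRevocationCheckState -Hive 'Registry::HKEY_USERS\S-1-5-18' -Label 'LocalSystem (S-1-5-18)'
) | Format-Table -AutoSize
```

A finding of RevocationCheckDisabled = True for the S-1-5-18 profile means a service has been configured to skip the check; call Enable-PublisherRevocationCheck on that hive to restore it.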