HttpSendRequestA doesnt return 12045 every time when the usr is snding rqst to Server

This is a discussion on HttpSendRequestA doesnt return 12045 every time when the usr is snding rqst to Server within the Windows Programming forums, part of the Platform Specific Boards category; In our environment, HTTP server is having the self-signed certificate which is not installed in client machine. We are using ...

  1. #1
    Registered User
    Join Date
    Jun 2013
    Posts
    12

    HttpSendRequestA doesnt return 12045 every time when the usr is snding rqst to Server

    In our environment, HTTP server is having the self-signed certificate which is not installed in client machine. We are using "HttpSendRequestA" function to send HTTPS request from client machine to HTTP server. So we got the below security warning pop up during user authentication in client machine. We proceed with user authentication by pressing “yes” in below pop up window. The same function "HttpSendRequestA" is sending the request to server when the client machine is coming out of sleep/hibernate, or Laptop having WIFI connection reconnected to the server after 1 or 2 hour. In this scenario,, we dint get the below security warning.
    I have few question for the above situations.

    1. Is there any chance for man in middle attack happen here?
    2. Does the untrusted certificate stored in my machine temporally when we accept the below pop-up windows?
    3. How to get the below pop up window when client network is changed?
    4. How to get the below pop up window every time when the user is sending http request to HTTP server?
    5. Do we have any settings in IE to get the below pop up window?

    Appreciate for your help.
    Security warning:
    This page requires a secure connection which includes server authentication.

    The certificate issuer for this site is untrusted or unknown. Do you wish to proceed?

  2. #2
    CSharpener vart's Avatar
    Join Date
    Oct 2006
    Location
    Rishon LeZion, Israel
    Posts
    6,452
    The certificate is used to establish TLS (HTTPS) connection to the server - it is public key distributed by the server and used in the encryption process of messages exchanged between client and server.

    So yes - it is stored on the client. For how long - it depends on client settings. Minimum - for the lifetime of established TCP connection. So when TCP connection is dropped - the CA could be deleted. And retrieved again when new TCP connection is established.
    Maximum - for the validity period of the CA - which could be years.

    If CA is signed by trusted authority - Client could verify the signature of the retrieved CA file using CA file of trusted authority - and be sure that CA is actually matching the Host that distributed it.

    If there is no such signature - it's upto user to decide - if CA file and host user currently communicating are matching and could be trusted. If there is a man in the middle who replaced the host CA file with his own CA file and you accept it - you will be communicating with man in the middle being sure your connection is secured, while it will be the opposite.
    The first 90% of a project takes 90% of the time,
    the last 10% takes the other 90% of the time.

  3. #3
    Registered User
    Join Date
    Jun 2013
    Posts
    12
    Thanks for the information.

    My problem is "Initially i connected to HTTP server by wifi connection using laptop, and then i disconnected to the server. Again connected to the same server using laptop after two hours but i dint get security warning pop up windows. I want to give security warning pop up windows in this situation. How to give the security warning pop up window?

    Where can we find the untrusted certificate stored in client machine? I checked in untrusted certificate store after I accept the security warning but i dint find any info there.

  4. #4
    CSharpener vart's Avatar
    Join Date
    Oct 2006
    Location
    Rishon LeZion, Israel
    Posts
    6,452
    Well, in my IE when I got to "Internet Options/Content" and clicked on "Certificates" I got a tabbed list. What you are looking for is probably on the "Untrusted Publishers" tab.

    In Firefox such list was found at "Tools/Options/Advanced/Encryption" - View Certificates/Servers. With some group called "Unknown".

    If you go to the windows help you will find the instruction for "Manage Revocation Checking Policy". Hopefully you will be able to find a settings that do what you want
    The first 90% of a project takes 90% of the time,
    the last 10% takes the other 90% of the time.

  5. #5
    Registered User
    Join Date
    Jun 2013
    Posts
    12
    Appreciated for your help.. I was looking into "Manage Revocation Checking Policy" but i dint get any info how to set security warning for subsequent https connection.

    One more question:

    I am getting security warning pop up window during intital user authentication. Afterwards successful authentication also, i am sending the https request to server having self signed certificate which is not installed in Client machine. why am i not getting security warning pop up for subsequent https request? Is this expected behaviour? Do we have any document in microsoft windows?

  6. #6
    Registered User Codeplug's Avatar
    Join Date
    Mar 2003
    Posts
    4,630
    Are your re-using the "HINTERNET hInternet"/"HINTERNET hConnect" handles on subsequent requests? If so, I would try re-creating them for every request.

    gg

  7. #7
    Registered User
    Join Date
    Jun 2013
    Posts
    12
    I am recreating handle every time. Still i am not getting the warning message.

    Do you have document (RFC) to prove that we wont get the security warning for subsequent https request?

  8. #8
    Registered User Codeplug's Avatar
    Join Date
    Mar 2003
    Posts
    4,630
    I've never seen WinINet show UI without asking it to. Are these popups from you calling InternetErrorDlg()?

    gg

  9. #9
    Registered User
    Join Date
    Jun 2013
    Posts
    12
    Yes, I am calling the "InternetErrorDlg()" function when "HTTPSendRequestA" function returns 0 (i.e Error). This function "HTTPSendRequestA" returns 0 in first time and subsequent calls it returns 1. Do you have any document(RFC) this scenario is expected one? If not, Do you have any option to fix this issue?

  10. #10
    Registered User
    Join Date
    Jun 2013
    Posts
    12
    I got the security warning pop message for subsequent https connections when i set the flag the "SECURITY_FLAG_IGNORE_REVOCATION" before calling the "HTTPSendRequestA" function. May i know the reason behind this?

  11. #11
    Registered User Codeplug's Avatar
    Join Date
    Mar 2003
    Posts
    4,630
    >> I am calling the "InternetErrorDlg()" function when "HTTPSendRequestA" function returns 0 (i.e Error).
    Typically, GetLastError() is called to see why it failed, which also drives how/if InternetErrorDlg() should be called. For example: How To Handle Invalid Certificate Authority Error with WinInet

    >> Do you have any document(RFC)
    Windows Internet (Windows)
    About WinINet (Windows)
    Using WinINet (Windows)

    >> when i set the flag the "SECURITY_FLAG_IGNORE_REVOCATION"
    Did you set just that bit without messing with any other bits? There is sample code in the first link that shows how to set a security_flag.

    gg

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. r+ in fopen doesnt let me read and write at the same time
    By shiroaisu in forum C Programming
    Replies: 8
    Last Post: 09-04-2011, 08:33 PM
  2. Makes Time() to return the time in microseconds
    By kirill578 in forum C Programming
    Replies: 9
    Last Post: 06-03-2011, 01:04 AM
  3. Server Client return IP Adress
    By bigmen2007 in forum C Programming
    Replies: 12
    Last Post: 04-28-2010, 06:56 AM
  4. doesnt return allocated memory
    By elwad in forum C Programming
    Replies: 3
    Last Post: 09-20-2009, 09:26 AM
  5. pow() doesnt return a double?
    By FloatingPoint in forum C++ Programming
    Replies: 23
    Last Post: 08-04-2003, 11:11 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21