Article ID: 182888 - Last Review: July 1, 2004 - Revision: 2.1

How To Handle Invalid Certificate Authority Error with WinInet

Retired KB ArticleRetired KB Content Disclaimer
View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q182888
Expand all | Collapse all

SUMMARY

If a server SSL certificate is issued by unknown or invalid certificate authority WinInet HttpSendRequest API or MFC CInternetFile::SendRequest will fail with error 12045 (ERROR_INTERNET_INVALID_CA).

When Internet Explorer tries to access the same URL, similar error is reported.
Back to the top

MORE INFORMATION

This error occurs when the client does not know about the certificate authority that issued the server certificate. The problem may be corrected by installing the certificate authority's root certificate. A list of all installed certificates can be viewed from Internet Explorer. From the View menu, click Internet Options, click the Content tab, and click Authorities.

It is possible to bypass this error in WinInet application without installing a certificate. There are two methods of handling this error. You can use code similar to the following.

Method 1. With a UI (a message box similar to Internet Explorer is generated):
   ...
   Again:
   if (!HttpSendRequest (hReq,...))
       dwError = GetLastError ();

   if (dwError == ERROR_INTERNET_INVALID_CA)
   {
       // Make sure to check return code from InternetErrorDlg
       // user may click either OK or Cancel. In case of Cancel
       // request should not be resumbitted.
       InternetErrorDlg (GetDesktopWindow(),
                         hReq,
                         ERROR_INTERNET_INVALID_CA,
                         FLAGS_ERROR_UI_FILTER_FOR_ERRORS |
                         FLAGS_ERROR_UI_FLAGS_GENERATE_DATA |
                         FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS,
                         NULL);
      goto again;
   }
   ...
Method 2. Without a UI: 
   ...
   Again:
   if (!HttpSendRequest (hReq,...))
      dwError = GetLastError ();
   if (dwError == ERROR_INTERNET_INVALID_CA)
   {
      DWORD dwFlags;
      DWORD dwBuffLen = sizeof(dwFlags);

      InternetQueryOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
            (LPVOID)&dwFlags, &dwBuffLen);

      dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
      InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                            &dwFlags, sizeof (dwFlags) );
      goto again;
   }
   ...
Similar logic can be used with MFC WinInet classes. In this case, the following MFC methods correspond to the WinInet APIs used above:

  • CInternetFile::SendRequest
  • CInternetFile::QueryOption
  • CInternetFile::SetOption
  • CInternetFile::ErrorDlg
Please note that Visual C++ 5.0 is missing documentation on CInternetFile::ErrorDlg, CInternetFile::QueryOption, and CInternetFile::SetOption. See the Inet.cpp MFC source file for information how to use this method.

NOTE 1: InternetErrorDlg may return following values: 
   ERROR_SUCCESS
   ERROR_CANCELLED
   ERROR_INTERNET_FORCE_RETRY.
The request should be resubmitted only when ERROR_INTERNET_FORCE_RETRY is returned. In Internet Explorer 4.0 and 4.01, however, the request must be resubmitted even when ERROR_SUCCESS is returned.

Microsoft has confirmed this to be a problem in InternetErrorDlg API. NOTE 2: SECURITY_FLAG_IGNORE_UNKNOWN_CA is not implemented in Internet Explorer 3.0 and 3.02.

InternetErrorDlg still works, however, with the following exception. The dialog box generated by this API does not allow ignore invalid certificate authority error; it is merely a notification to the user that page cannot be viewed.

NOTE 3: The option to ignore this error cannot be set before the error occurs. You must first attempt to send the request, receive the error, then set the option (or call InternetErrorDlg), and resubmit.
Back to the top

REFERENCES

For additional information, please see the following article(s) in the Microsoft Knowledge Base:
168151  (http://support.microsoft.com/kb/168151/EN-US/ ) How to Make SSL Requests Using WinInet
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Internet Explorer 4.01 Service Pack 2
Back to the top
Keywords: 
kberrmsg KB182888
Back to the top
Retired KB ArticleRetired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Back to the top