
How To Handle Invalid Certificate Authority Error with WinInet

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Summary
If a server SSL certificate is issued by an unknown or invalid certificate authority, the WinInet HttpSendRequest API or MFC CInternetFile::SendRequest will fail with error 12045 (ERROR_INTERNET_INVALID_CA).

When Internet Explorer tries to access the same URL, a similar error is reported.
More information
This error occurs when the client does not know about the certificate authority that issued the server certificate. The problem may be corrected by installing the certificate authority's root certificate. A list of all installed certificates can be viewed from Internet Explorer. From the View menu, click Internet Options, click the Content tab, and click Authorities.

It is possible to bypass this error in a WinInet application without installing a certificate. There are two methods of handling this error. You can use code similar to the following.

Method 1. With a UI (a message box similar to the one in Internet Explorer is generated):
   ...
   again:
   dwError = ERROR_SUCCESS;   // clear any error left over from the previous attempt
   if (!HttpSendRequest (hReq,...))
       dwError = GetLastError ();
   if (dwError == ERROR_INTERNET_INVALID_CA)
   {
       // Make sure to check return code from InternetErrorDlg
       // user may click either OK or Cancel. In case of Cancel
       // request should not be resubmitted.
       dwRet = InternetErrorDlg (GetDesktopWindow(),
                                 hReq,
                                 ERROR_INTERNET_INVALID_CA,
                                 FLAGS_ERROR_UI_FILTER_FOR_ERRORS |
                                 FLAGS_ERROR_UI_FLAGS_GENERATE_DATA |
                                 FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS,
                                 NULL);
       // Resubmit only when the dialog asks for it (see NOTE 1).
       if (dwRet == ERROR_INTERNET_FORCE_RETRY)
           goto again;
   }
   ...
Method 2. Without a UI:
   ...
   again:
   dwError = ERROR_SUCCESS;   // clear any error left over from the previous attempt
   if (!HttpSendRequest (hReq,...))
      dwError = GetLastError ();
   if (dwError == ERROR_INTERNET_INVALID_CA)
   {
      DWORD dwFlags;
      DWORD dwBuffLen = sizeof(dwFlags);

      // Read the current security flags and add the "ignore unknown CA" bit.
      InternetQueryOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
            (LPVOID)&dwFlags, &dwBuffLen);
      dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
      InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                            &dwFlags, sizeof (dwFlags) );
      goto again;
   }
   ...
Similar logic can be used with MFC WinInet classes. In this case, the following MFC methods correspond to the WinInet APIs used above:

  • CInternetFile::SendRequest
  • CInternetFile::QueryOption
  • CInternetFile::SetOption
  • CInternetFile::ErrorDlg
Please note that Visual C++ 5.0 is missing documentation on CInternetFile::ErrorDlg, CInternetFile::QueryOption, and CInternetFile::SetOption. See the Inet.cpp MFC source file for information on how to use these methods.

NOTE 1: InternetErrorDlg may return the following values:
   ERROR_SUCCESS
   ERROR_CANCELLED
   ERROR_INTERNET_FORCE_RETRY
The request should be resubmitted only when ERROR_INTERNET_FORCE_RETRY is returned. In Internet Explorer 4.0 and 4.01, however, the request must be resubmitted even when ERROR_SUCCESS is returned.

Microsoft has confirmed this to be a problem in the InternetErrorDlg API.

NOTE 2: SECURITY_FLAG_IGNORE_UNKNOWN_CA is not implemented in Internet Explorer 3.0 and 3.02.

InternetErrorDlg still works, however, with the following exception. The dialog box generated by this API does not allow the invalid certificate authority error to be ignored; it is merely a notification to the user that the page cannot be viewed.

NOTE 3: The option to ignore this error cannot be set before the error occurs. You must first attempt to send the request, receive the error, then set the option (or call InternetErrorDlg), and resubmit.
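Method 2 applied to every host turns off certificate authority validation for whatever server answers. The following added example (not part of the original article) gates the flag on an explicit host list and a single resubmission, following the order in NOTE 3. The function name, the list name and the host names are hypothetical, and the non-Windows definitions stand in for the wininet.h values so the policy can be compiled and tested off Windows.

```c
#include <ctype.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <wininet.h>
#else   /* stand-ins carrying the wininet.h values, for building off Windows */
typedef unsigned long DWORD;
#define ERROR_INTERNET_INVALID_CA        12045
#define SECURITY_FLAG_IGNORE_UNKNOWN_CA  0x00000100
#endif

/* Hypothetical allow list: hosts known to present a certificate from a
   private CA that is not installed on the client. */
static const char *const kPrivateCaHosts[] = {
    "build.corp.example",
    "wiki.corp.example"
};

/* ASCII case-insensitive comparison of two complete host names. */
static int host_equals(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;   /* both strings must end together: no prefix matches */
}

/* Call after HttpSendRequest has failed. Returns 1 and writes the flags to
   pass to InternetSetOption(INTERNET_OPTION_SECURITY_FLAGS) before the
   resubmission; returns 0 when the request must be left failed. */
int unknown_ca_retry_flags(const char *host, DWORD sendError,
                           DWORD currentFlags, unsigned retriesDone,
                           DWORD *newFlags)
{
    size_t i;
    if (sendError != ERROR_INTERNET_INVALID_CA)
        return 0;      /* any other error: no bypass */
    if (retriesDone >= 1)
        return 0;      /* flag already tried once: do not loop */
    for (i = 0; i < sizeof kPrivateCaHosts / sizeof kPrivateCaHosts[0]; ++i) {
        if (host_equals(host, kPrivateCaHosts[i])) {
            /* Add only the unknown-CA bit; other checks stay enabled. */
            *newFlags = currentFlags | SECURITY_FLAG_IGNORE_UNKNOWN_CA;
            return 1;
        }
    }
    return 0;          /* host not on the list: keep the failure */
}
```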
References
For additional information, please see the following article(s) in the Microsoft Knowledge Base:
168151 How to Make SSL Requests Using WinInet
Properties

Article ID: 182888 - Last Review: 06/22/2014 18:52:00 - Revision: 4.0