Openwsman / openwsman

Openwsman server implementation and client api with bindings
BSD 3-Clause "New" or "Revised" License

Is there any API available in openwsman2.6.11 to set flag "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE" to ignore invalid certificate errors, similar like wsman_transport_set_verify_peer(cl, 0); and wsman_transport_set_verify_host(cl, 0); #152

Closed puneetsapra1987 closed 1 year ago

puneetsapra1987 commented 3 years ago

Hello,

I need some help with handling "WinHttpSendRequest" and ignoring invalid certificate errors.

I am using the APIs below to ignore invalid certificate errors; they set the flags INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID and SECURITY_FLAG_IGNORE_UNKNOWN_CA:

    wsman_transport_set_verify_peer(cl, 0);
    wsman_transport_set_verify_host(cl, 0);

But I am still getting the error ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED while using openwsman2.6.11. However, the older openwsman2.2.3.9 works fine and I am not seeing any issue.

Here is the WinHttpSendRequest call from openwsman's wsmc_handler [Ref: https://github.com/Openwsman/openwsman/blob/master/src/lib/wsman-win-client-transport.c]:

    bResult = WinHttpSendRequest(request, WINHTTP_NO_ADDITIONAL_HEADERS, (DWORD) 0,
                                 (LPVOID) buf, (DWORD) errLen, (DWORD) errLen, (DWORD_PTR) NULL);

When I add an additional flag, "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE", along with the above-mentioned flags, I do not observe the above error when making the "WinHttpSendRequest" call.

What should I do?

Is there any API/method available from the OpenWSman side (openwsman2.6.11) to set the flag "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE" to ignore invalid certificate errors, similar to wsman_transport_set_verify_peer(cl, 0); and wsman_transport_set_verify_host(cl, 0);?

Thank you, Puneet

puneetsapra1987 commented 3 years ago

Here is more information on the above query:

For checking purposes, I tried adding an additional flag, "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE", along with the other flags that ignore invalid certificate errors (set through the APIs below) in openwsman's wsmc_handler call in wsman-win-client-transport.c:

    wsman_transport_set_verify_peer(cl, 0);
    wsman_transport_set_verify_host(cl, 0);

Ref: https://github.com/Openwsman/openwsman/blob/master/src/lib/wsman-win-client-transport.c

Here is a code snippet from openwsman's wsmc_handler call with the additional flag (SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE) added for checking purposes:

    if (0 == cl->authentication.verify_host) {
        flags = flags | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;
    }
    if (0 == cl->authentication.verify_peer) {
        flags = flags | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_UNKNOWN_CA;
    }

Please note that I have added the SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE flag for checking purposes only.

With the additional flag (SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE) added, I am not observing any error when making the "WinHttpSendRequest" call with the openwsman2.6.11 DLL.

Without the additional flag (SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE), I am getting the error ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED when making the "WinHttpSendRequest" call with the openwsman2.6.11 DLL. However, the older openwsman2.2.3.9 works fine and I am not seeing any issue (it does not require adding the additional flag mentioned above).

Let me know if there is any other way to resolve this issue (ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED) with the openwsman2.6.11 DLL.

kkaempf commented 1 year ago

Looks like there's no one with sufficient Windows experience. Closing.