HttpSendRequest returns error ERROR_INTERNET_SEC_CERT_REV_FAILED when the system time is set forward by 1 month
Question
Wednesday, February 3, 2010 5:26 AM
In my application, the WinINet API HttpSendRequest returns error code 12057 (ERROR_INTERNET_SEC_CERT_REV_FAILED, meaning revocation of the SSL certificate failed) when the system time on the client is set one month ahead of the current time. I can encounter the same thing in IE6 (but not IE7).
If I add SECURITY_FLAG_IGNORE_REVOCATION to INTERNET_OPTION_SECURITY_FLAGS, this error can be ignored. But why can it not pass the CRL verification? Does it mean the SSL configuration of the server is not correct, or something else? Or does HttpSendRequest check the system time?
If the system time is set back to the current time, HttpSendRequest can be called successfully.
Thanks,
Jun
All replies (7)
Wednesday, February 10, 2010 9:23 AM ✅Answered | 1 vote
Hello Xiajun,
Changing the system time can cause revocation checks to fail. CRLs have a time validity associated with them, and the system time is used when verifying the validity of the CRL. If the CRL expires in less than a month from the current time, then advancing the time by a month will lead to a revocation check failure.
If you can collect the CAPI2 logs, this will help identify the cause.
http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx
Regards,
Rong-Chun Zhang
MSDN Subscriber Support in Forum
If you have any feedback on our support, please contact msdnmg@microsoft.com
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
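To make the reasoning in this answer concrete, here is an added model of the date-related decisions, not WinINet's or CryptoAPI's own code: a certificate is checked against its validity period, then the CRL is considered usable only between its thisUpdate and nextUpdate, all judged by the client clock. The constants are the real wininet.h values; the certificate and CRL dates are constructed, with nextUpdate 10 days out as in the thread.

```c
#include <stdbool.h>
#include <stdint.h>

/* Real WinINet values, defined here so the model builds without the SDK. */
#define ERROR_SUCCESS                        0
#define ERROR_INTERNET_SEC_CERT_DATE_INVALID 12037
#define ERROR_INTERNET_SEC_CERT_REV_FAILED   12057
#define SECURITY_FLAG_IGNORE_REVOCATION      0x00000080

#define DAY ((int64_t)86400)

typedef struct { int64_t not_before, not_after; } cert_validity;   /* seconds since epoch */
typedef struct { int64_t this_update, next_update; } crl_validity; /* seconds since epoch */

/* Simplified model of the date-dependent part of the server-certificate check.
   system_time is whatever the client clock says, not true time. */
unsigned long check_server_cert(cert_validity cert, crl_validity crl,
                                int64_t system_time, unsigned long security_flags)
{
    /* Certificate validity period is checked first. */
    if (system_time < cert.not_before || system_time > cert.not_after)
        return ERROR_INTERNET_SEC_CERT_DATE_INVALID;

    /* With the ignore flag the CRL is never consulted (the workaround in the question). */
    if (security_flags & SECURITY_FLAG_IGNORE_REVOCATION)
        return ERROR_SUCCESS;

    /* A CRL is only trusted while the clock lies inside [thisUpdate, nextUpdate].
       Past nextUpdate the status is unknown, which WinINet reports as "revocation failed",
       not as "revoked". */
    bool crl_fresh = system_time >= crl.this_update && system_time <= crl.next_update;
    if (!crl_fresh)
        return ERROR_INTERNET_SEC_CERT_REV_FAILED;

    return ERROR_SUCCESS;
}

/* Constructed scenario: cert valid for a year, CRL issued yesterday with
   nextUpdate in 10 days, client clock shifted by clock_offset_days. */
unsigned long scenario(int64_t clock_offset_days, unsigned long flags)
{
    const int64_t now = 1265155200; /* 2010-02-03 00:00 UTC, roughly the post's date */
    cert_validity cert = { now - 30 * DAY, now + 365 * DAY };
    crl_validity crl = { now - 1 * DAY, now + 10 * DAY };
    return check_server_cert(cert, crl, now + clock_offset_days * DAY, flags);
}
```

With the clock correct the check passes; advanced by 30 days it fails with 12057 even though the certificate itself is still within its validity period, and only a clock far past the certificate's NotAfter produces 12037 instead.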
Wednesday, February 3, 2010 7:16 AM
My code looks like this:
#include <windows.h>
#include <wininet.h>
...
// Open a WinINet session using the system (IE) proxy configuration.
HINTERNET m_hSession = InternetOpen(wsUserAgent.c_str(),
                                    INTERNET_OPEN_TYPE_PRECONFIG,
                                    NULL,
                                    NULL,
                                    0);
if (NULL == m_hSession)
{
    return false;
}
// Connect to the host and port parsed from the URL.
HINTERNET m_hConnect = InternetConnect(m_hSession,
                                       m_wsHostName.c_str(),
                                       m_URL.nPort,
                                       NULL,
                                       NULL,
                                       INTERNET_SERVICE_HTTP,
                                       0,
                                       0);
if (NULL == m_hConnect)
{
    return false;
}
// INTERNET_FLAG_SECURE selects SSL/TLS for https URLs.
HINTERNET m_hRequest = HttpOpenRequest(m_hConnect, L"POST",
                                       m_wsPath.c_str(),
                                       NULL,
                                       NULL,
                                       NULL,
                                       ((m_URL.nScheme == INTERNET_SCHEME_HTTPS) ? INTERNET_FLAG_SECURE : 0),
                                       NULL);
if (NULL == m_hRequest)
{
    return false;
}
...
// The TLS handshake and server certificate checks happen here;
// this is the call that fails with error 12057.
BOOL bResults = HttpSendRequest(m_hRequest,
                                headers.c_str(),
                                (DWORD)(headers.length()),
                                data,
                                (DWORD)bodySize);
Wednesday, February 3, 2010 10:02 AM
Hello Xiajun,
Thanks for your post.
From my point of view, this behavior is by design.
http://support.microsoft.com/kb/2007873
"When the time is modified and the exception is encountered at the winsock layer, this error now needs to travel upwards from winsock to the application layer. For non-SSL connections, this exception is caught directly by the internal connection class, but for SSL requests, this error is handled by the internal SSL/TLS class. "
http://blogs.msdn.com/drnick/archive/2007/03/29/ssl-and-system-time.aspx
Regards,
Rong-Chun Zhang
MSDN Subscriber Support in Forum
Wednesday, February 3, 2010 1:34 PM
Hi Rong-Chun Zhang,
Thanks for your information. But I did not use the .NET library to get this; instead, I just use the Win32 API of winInet.dll. I'm not sure if they have the same design. I'm trying to google the official doc/specification about SSL behavior in this case, but it looks like there are few things I could find.
Besides, I found that if I set the system time beyond the "next update date" of the Certificate Revocation List (CRL), it will fail.
--
Regards,
Jun
Thursday, February 4, 2010 3:48 AM
What's the expected behavior of HttpSendRequest if the system time is set beyond the next update date of the CRL? I cannot find anything that describes this in the API specification or MSDN... The strange thing is, in this case, IE7 can pass the check. If this is by design, IE7 should encounter the same thing, but it didn't....
Thursday, February 4, 2010 11:41 AM
Hello Jun,
I am now discussing this with the product team. I will get back to you as soon as possible.
Regards,
Rong-Chun Zhang
MSDN Subscriber Support in Forum
Thursday, February 11, 2010 2:36 PM
Hi Rong Chun Zhang,
Really, thanks for your information. It's exactly what I want and very helpful for me to understand the mechanism of the CRL check.
Best Regards,
Jun