我似乎遇到了这方面的问题,并且本着一个可以被其他人引用的通用问题的精神,我正在寻找一个使用SSL的好例子。
更具体地说,我从WinHttpSendRequest获取错误0x00002F8F,这是ERROR_INTERNET_DECODING_FAILED(这表明它是一个证书错误)。我已经在这台机器上导入了证书,并且能够在没有证书错误的情况下在IE中提取页面。
TLDR:如何将WinHTTP与自签名证书一起使用?
答案 0 :(得分:8)
对于WinHTTP,为了接受/允许SSL验证失败,您必须首先发出请求并允许它失败,然后禁用安全检查并重试请求句柄上的操作。有点像:
// Certain circumstances dictate that we may need to loop on WinHttpSendRequest
// hence the do/while
do
{
retry = false;
result = NO_ERROR;
// no retry on success, possible retry on failure
if(WinHttpSendRequest(
mHRequest,
WINHTTP_NO_ADDITIONAL_HEADERS,
0,
optionalData,
optionalLength,
totalLength,
NULL
) == FALSE)
{
result = GetLastError();
// (1) If you want to allow SSL certificate errors and continue
// with the connection, you must allow and initial failure and then
// reset the security flags. From: "HOWTO: Handle Invalid Certificate
// Authority Error with WinInet"
// http://support.microsoft.com/default.aspx?scid=kb;EN-US;182888
if(result == ERROR_WINHTTP_SECURE_FAILURE)
{
DWORD dwFlags =
SECURITY_FLAG_IGNORE_UNKNOWN_CA |
SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
if(WinHttpSetOption(
mHRequest,
WINHTTP_OPTION_SECURITY_FLAGS,
&dwFlags,
sizeof(dwFlags)))
{
retry = true;
}
}
// (2) Negotiate authorization handshakes may return this error
// and require multiple attempts
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa383144%28v=vs.85%29.aspx
else if(result == ERROR_WINHTTP_RESEND_REQUEST)
{
retry = true;
}
}
} while(retry);