我似乎对此有疑问,并且本着可以被其他人引用的通用问题的精神,我正在寻找一个使用 SSL 的好例子。
更具体地说,我从 WinHttpSendRequest 收到错误 0x00002F8F,即 ERROR_INTERNET_DECODING_FAILED(这表明它是一个证书错误)。我已经在这台机器上导入了证书,并且能够在 IE 中拉出页面而不会出现证书错误。
TLDR:您如何将 WinHTTP 与自签名证书一起使用?
问问题
14268 次
1 回答
14
对于 WinHTTP,为了接受/允许 SSL 验证失败,您必须首先发出请求并允许它失败,然后禁用安全检查并重试请求句柄上的操作。类似于以下内容:
// Certain circumstances dictate that we may need to loop on WinHttpSendRequest
// hence the do/while
do
{
retry = false;
result = NO_ERROR;
// no retry on success, possible retry on failure
if(WinHttpSendRequest(
mHRequest,
WINHTTP_NO_ADDITIONAL_HEADERS,
0,
optionalData,
optionalLength,
totalLength,
NULL
) == FALSE)
{
result = GetLastError();
// (1) If you want to allow SSL certificate errors and continue
// with the connection, you must allow and initial failure and then
// reset the security flags. From: "HOWTO: Handle Invalid Certificate
// Authority Error with WinInet"
// http://support.microsoft.com/default.aspx?scid=kb;EN-US;182888
if(result == ERROR_WINHTTP_SECURE_FAILURE)
{
DWORD dwFlags =
SECURITY_FLAG_IGNORE_UNKNOWN_CA |
SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
if(WinHttpSetOption(
mHRequest,
WINHTTP_OPTION_SECURITY_FLAGS,
&dwFlags,
sizeof(dwFlags)))
{
retry = true;
}
}
// (2) Negotiate authorization handshakes may return this error
// and require multiple attempts
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa383144%28v=vs.85%29.aspx
else if(result == ERROR_WINHTTP_RESEND_REQUEST)
{
retry = true;
}
}
} while(retry);
于 2013-10-30T20:45:03.490 回答