ARR: Support Added for WINHTTP_OPTION_SECURITY_FLAGS
By Harsh Mittal
April 13, 2012
The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS, the WinHTTP option that controls which certificate validation errors are ignored on the SSL connection from ARR to the backend server.
Default Behavior:
The default behavior is unchanged from before the update: ARR ignores common name mismatches in the SSL communication with the backend server. With this change ARR implements that behavior by setting SECURITY_FLAG_IGNORE_CERT_CN_INVALID as the default flag, which means the host name ARR connects to does not have to match the common name in the backend certificate.
To change the setting, add the following registry value:
- Click Start, type regedit.exe in the Start Search box, and then press ENTER.
- Expand the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters
- Right-click Parameters, click New, and then click DWORD (32-bit) Value.
- In the Value name box, type SecureConnectionIgnoreFlags, and then press ENTER.
- Double-click the SecureConnectionIgnoreFlags registry value and enter 0.
- Close Registry Editor.
The value can also be added from an elevated command prompt (writing under HKLM requires administrator rights) with the following command:
reg.exe add "HKLM\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters" /v SecureConnectionIgnoreFlags /t REG_DWORD /d 0
Setting Additional Options
The default value of 0 is the same as setting the SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag, so writing 0 merely makes the default explicit; this value only loosens backend certificate validation and cannot be used to tighten it.
To set additional options, combine the following settings by adding their values together (they are bit flags, so adding and OR-ing give the same result).
For example, to set both SECURITY_FLAG_IGNORE_CERT_CN_INVALID and SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, set the value to 0x00003000 (0x00001000 + 0x00002000).
| Value | Flag | Description |
|---|---|---|
| 0x00001000 | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (DEFAULT) | Allows a certificate whose common name does not match the server name ARR connects to. |
| 0x00002000 | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | Allows an expired or not-yet-valid certificate. |
| 0x00000100 | SECURITY_FLAG_IGNORE_UNKNOWN_CA | Allows a certificate issued by an unknown or untrusted certification authority. |
| 0x00000200 | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE | Allows the identity of a server to be established with a non-server certificate (for example, a client certificate). |

Each additional flag removes one check from WinHTTP's validation of the backend certificate. With SECURITY_FLAG_IGNORE_UNKNOWN_CA set, ARR accepts a certificate from any issuer, so combine flags only where the backend is trusted for other reasons, such as a lab environment.
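As an added example that is not part of the original post, the following PowerShell script performs the same registry change from an elevated prompt and also composes and decodes the DWORD from the flag names in the table above, so the number written is derived from the flag list rather than typed by hand. The function names, the $SecurityFlags table and the -WhatIf usage are this example's own; the key path, value name and flag constants are the ones given in the post.

```powershell
# Added example (not from the original post): compose, decode and write the
# SecureConnectionIgnoreFlags DWORD that ARR passes to WinHTTP as
# WINHTTP_OPTION_SECURITY_FLAGS. Run from an elevated PowerShell prompt.

$ArrParamsPath = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters'
$ValueName     = 'SecureConnectionIgnoreFlags'

# WinHTTP security flag constants from the table in the post.
$SecurityFlags = [ordered]@{
    SECURITY_FLAG_IGNORE_UNKNOWN_CA        = 0x00000100
    SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  = 0x00000200
    SECURITY_FLAG_IGNORE_CERT_CN_INVALID   = 0x00001000
    SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = 0x00002000
}
$KnownMask = 0
foreach ($v in $SecurityFlags.Values) { $KnownMask = $KnownMask -bor $v }

function ConvertTo-ArrIgnoreFlags {
    # OR the named flags together; a misspelled name is an error, not a silent drop.
    param([Parameter(Mandatory)][string[]]$Name)
    $value = 0
    foreach ($n in $Name) {
        if (-not $SecurityFlags.Contains($n)) { throw "Unknown WinHTTP security flag: $n" }
        $value = $value -bor $SecurityFlags[$n]
    }
    return $value
}

function ConvertFrom-ArrIgnoreFlags {
    # Decode a DWORD back into flag names. 0 is the built-in default, which the
    # post says ARR treats as SECURITY_FLAG_IGNORE_CERT_CN_INVALID.
    param([Parameter(Mandatory)][uint32]$Value)
    if ($Value -eq 0) { return @('SECURITY_FLAG_IGNORE_CERT_CN_INVALID (default)') }
    $names = @(foreach ($k in $SecurityFlags.Keys) {
        if ($Value -band $SecurityFlags[$k]) { $k }
    })
    # Any bit outside the four documented flags is reported rather than ignored.
    $unknown = $Value -bxor ($Value -band $KnownMask)
    if ($unknown -ne 0) { $names += ('Unrecognized bits: 0x{0:X8}' -f $unknown) }
    return $names
}

function Set-ArrIgnoreFlags {
    # Create the Parameters key if it is missing and write the DWORD.
    # Supports -WhatIf so the computed value can be reviewed before writing.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Name)
    $value = ConvertTo-ArrIgnoreFlags -Name $Name
    if ($PSCmdlet.ShouldProcess("$ArrParamsPath\$ValueName", ('Set to 0x{0:X8}' -f $value))) {
        if (-not (Test-Path $ArrParamsPath)) { New-Item -Path $ArrParamsPath -Force | Out-Null }
        New-ItemProperty -Path $ArrParamsPath -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    }
    return $value
}

function Get-ArrIgnoreFlags {
    # Read the current value; a missing value means the built-in default (0).
    $item = Get-ItemProperty -Path $ArrParamsPath -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { 0 } else { [uint32]$item.$ValueName }
    [pscustomobject]@{
        Value = ('0x{0:X8}' -f $raw)
        Flags = ConvertFrom-ArrIgnoreFlags -Value $raw
    }
}

# The post's example: ignore CN mismatch and invalid dates, which composes to 0x00003000.
# -WhatIf only shows what would be written; drop it to apply the change.
Set-ArrIgnoreFlags -Name SECURITY_FLAG_IGNORE_CERT_CN_INVALID, SECURITY_FLAG_IGNORE_CERT_DATE_INVALID -WhatIf
Get-ArrIgnoreFlags
```

Running the script with -WhatIf prints the value it would write and then shows the flags currently in effect, so a reviewer can see exactly which certificate checks are being disabled for the backend connection before the change is applied.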
Reference
WINHTTP_OPTION_SECURITY_FLAGS
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384066(v=vs.85).aspx