Failure posting files to iis6.0 using ssl client authentication

From: hugo (yaronh_at_xor-t.com)
Date: 04/13/05


Date: 13 Apr 2005 03:00:39 -0700

There seems to be a bug when posting a "large" file (30k) to IIS 6.0
when using SSL client authentication.
All other scenarios, server authentication or no SSL at all, work fine.
The bug does not occur with IIS 5.0.

Can someone provide a solution?

This is the full description of the bug (the solution is not clear):

//snip from the rc2 iis6.0 help
//=============================
If client certificates are enabled on individual directories or files instead of the whole Web site, the following issue may arise:

The client sends a long HTTP request (such as POST) to a computer running a member of the Windows .NET Server 2003 family with IIS 6.0.
The IIS worker process receives enough data to parse request headers, but not the entire request entity body.
The IIS worker process detects that client certificates are required for a return of data to the client.
IIS tries to renegotiate the connection with the client.
The client cannot renegotiate because it is waiting to send the remaining data in the request to IIS.

The solution is to assure that client is not blocked from sending the entire entity body. If client renegotiation is requested, it is necessary to preload the request entity body using SSL preload. SSL preload will use the value of UploadReadAheadSize used for ISAPI extensions. However, if UploadReadAheadSize is smaller than Content length, then an HTTP Error 413 is returned and the connection is closed to prevent deadlock. (Deadlock occurs because a client is waiting to complete sending a request entity, while the server is waiting for renegotiation to complete, but renegotiation requires that the client be able to send data, which it cannot).
//snip
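A diagnostic sketch for the 413 behaviour the help text describes, added here and not part of the original post or of IIS: it binary-searches the largest POST body that a client-certificate-protected URL accepts, which approximates the effective UploadReadAheadSize. The function names, the placeholder host, path and certificate file are assumptions, as is counting an aborted or timed-out transfer as a rejection; the caller builds the SSLContext for the protocol versions the server supports.

```python
import http.client
import ssl


def post_status(host, path, size, ctx, timeout=15):
    """POST `size` filler bytes over TLS; return the HTTP status, or None
    if the transfer was aborted or timed out (the stall described above)."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("POST", path, body=b"\0" * size,
                     headers={"Content-Type": "application/octet-stream"})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        # Socket timeouts, resets and TLS errors (ssl.SSLError is an OSError).
        return None
    finally:
        conn.close()


def largest_accepted_body(send, low=0, high=1 << 20):
    """Return the largest size in [low, high] that send(size) accepts.

    send(size) returns an HTTP status or None. 413 and None count as rejected
    (assumption). Returns None if `low` is already rejected and `high` if
    nothing in range is rejected. Assumes rejection is monotonic in size,
    matching the help text: 413 once Content-Length exceeds the read-ahead.
    """
    def rejected(size):
        return send(size) in (413, None)

    if rejected(low):
        return None
    if not rejected(high):
        return high
    while high - low > 1:          # invariant: low accepted, high rejected
        mid = (low + high) // 2
        if rejected(mid):
            high = mid
        else:
            low = mid
    return low


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    ctx.load_cert_chain("client.pem")            # placeholder client cert + key
    host, path = "iis.example.test", "/upload"   # placeholder target
    print(largest_accepted_body(lambda n: post_status(host, path, n, ctx)))
```

Run it against a test URL that requires a client certificate at the directory or file level, so the server has to renegotiate after reading the headers.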


