0x80090325 error when using cert with no AIA extension
From: Patrick Tronnier (PatrickTronnier_at_discussions.microsoft.com)
Date: 04/13/05
Date: Wed, 13 Apr 2005 09:43:08 -0700
Greetings,
Problem:
I receive a 0x80090325 error "The certificate chain was issued by an
authority that is not trusted." when I attempt to connect to a site using a
client certificate which does not have an Authority Information Access (AIA)
extension. I assume the chain cannot be built because my code does not know
where to download the missing CA cert from.
Scenario:
The site is https://sandboxsmd.iso-ne.com/
Server: Server: Stronghold/3.0 Apache/1.3.22 RedHat/3021c (Unix)
mod_ssl/2.8.7 OpenSSL/0.9.6b mod_perl/1.25\r\n
Client: Windows 2000 SP4
Note: Both client and server root certs are installed!! Also, the problem
goes away if the client Intermediate CA cert is installed in the
LocalMachine\CA cert store.
Here are the cert chains:
Server: sandboxsmd.iso-ne.com > issued by> Equifax Secure Certificate
Authority
Client: Leonard Jaques (50702) > issued by> ISO New England CA 1> > issued
by> Equifax Secure eBusiness CA-1
Question:
Is there sample code (preferably C++) which shows how to build a cert chain
using files on a network share when the AIA extension is missing in a cert?
If no sample code, can someone review my code and possibly let me know a
better way to do this?
Additional Info:
Here is a winhttptracecfg log. (As I mentioned, when both client and server
root certs are installed I still have the problem. If the client Intermediate CA cert
is installed into the LocalMachine\CA store the problem goes away.)
Thank you very much in advance for any assistance.
PS: Issue also cross posted in winhttp newsgroup.
14:29:00.175 ::*Session* :: >>>> WinHttp Version 5.1 Build 5.1.2600 Dec 9
2003 01:37:31>>>>Process SHttpRequest.exe [3836 (0xefc)] started at
14:29:00.175 03/24/2005
14:30:01.878 ::*Session* ::
WinHttpCrackUrl("https://sandboxsmd.iso-ne.com/mkt/private/XmlRequest", 0x34,
0x0, 0x12f5b0)
14:30:01.878 ::*Session* ::
WinHttpCrackUrlA("https://sandboxsmd.iso-ne.com/mkt/private/XmlRequest",
0x34, 0x0, 0x12f3dc)
14:30:01.878 ::*Session* :: WinHttpCrackUrlA() returning TRUE
14:30:01.878 ::*Session* :: WinHttpCrackUrl() returning TRUE
14:30:01.878 ::*Session* :: WinHttpOpen("OATI WinHTTP Interface", (0), "",
"", 0x0)
14:30:01.894 ::*Session* :: WinHttpOpen() returning handle 0xec4000
14:30:01.894 ::*Session* :: WinHttpConnect(0xec4000,
"sandboxsmd.iso-ne.com", 443, 0x0)
14:30:01.894 ::*Session* :: WinHttpConnect() returning handle 0xec8000
14:30:01.894 ::*Session* :: WinHttpOpenRequest(0xec8000, "POST",
"/mkt/private/XmlRequest", "", "", 0x0, 0x00800000)
14:30:02.003 ::*Session* :: WinHttpCreateUrlA(0x12f204, 0x0, 0x18d0000,
0x12f240)
14:30:02.003 ::*Session* :: WinHttpCreateUrlA() returning TRUE
14:30:02.003 ::*0000001* :: WinHttpOpenRequest() returning handle 0xec9000
14:30:02.003 ::*0000001* :: WinHttpSetOption(0xec9000, (6), 0x12f578
[0x36ee80], 4)
14:30:02.003 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:02.019 ::*0000001* :: WinHttpSetOption(0xec9000, (3), 0x12f620
[0xea60], 4)
14:30:02.019 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:02.269 ::*0000001* :: WinHttpSetOption(0xec9000, (47), 0x15fd60
[0x1], 20)
14:30:02.269 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:02.269 ::*0000001* :: WinHttpSetOption(0xec9000, (79), 0x12f5cc
[0x3100], 4)
14:30:02.269 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:21.003 ::*Session* :: WinHttpAddRequestHeaders(0xec9000,
"Context-Type: text/*\r\nUser-Agent: Mozilla/4.0 (compatible; OATI)\r\n", -1,
0x20000000)
14:30:21.003 ::*Session* :: WinHttpAddRequestHeaders() returning TRUE
14:30:23.738 ::*0000001* :: WinHttpSendRequest(0xec9000, "", 0, 0xee5058,
125, 125, 0)
14:30:24.097 ::*0000001* :: "sandboxsmd.iso-ne.com" resolved
14:30:24.628 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312
[SEC_I_CONTINUE_NEEDED]
14:30:24.628 ::*0000001* :: sending data:
14:30:24.628 ::*0000001* :: 62 (0x3e) bytes
14:30:24.628 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.628 ::*0000001* :: ....9...5..BC#`5V;<.Ha. .....F
.*.E.M$.X.b.......d.b.......c..
14:30:24.628 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: received data:
14:30:24.675 ::*0000001* :: 1024 (0x400) bytes
14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: ....J...F..BC#_....V...........y.%:.IG9TU-b
a.....G}...Uz.8..s[.^.#.....3+.........!..........0...0..|..........0
..*.H..
.....0N1.0...U....US1.0...U.
14:30:24.675 ::*0000001* :: ..Equifax1-0+..U...$Equifax Secure Certificate
Authority0..
040621160740Z.
050821160740Z0..1.0...U....US1.0...U...
Massachusetts1.0...U....Holyoke1.0...U.
14:30:24.675 ::*0000001* :: ..ISO New England1.0...U....Market
Systems1.0...U....sandboxsmd.iso-ne.com0..0
..*.H..
.........0.........V%....<..F..r.
U...3...qeL...]..o....eB..tc.I.C2u...v...Z..'..[..=......d.V...v(S...2U.B....6
..Lk4Yp.=I\$.F.n..I.k-.Pe.;............0..0...`.H...B.......@0...U...........0...U........._'.....#..ad.F...0:..U...3010/.-.+.)http://crl.geotrust.com/crls/secureca.crl0...U.#..0...H.h.+....G.# .O3....0...U.%..0...+.........+.......0
..*.H..
..................Z..ny...4...j]-D....g[\.J..\6.^.Ekl.e..%......p...52..x...I.{\.|...|Zf..@...).]'32..`|-8..e}...Dw.k:._.*...^.+3...g...)z.....
.........a0_1.0...U....US1.0...U.
14:30:24.675 ::*0000001* :: ..VeriSign, Inc.1705..U....Class 2 Public
Primary Certification Authority..0..1.0...U....US1.0...U.
14:30:24.675 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: received data:
14:30:24.675 ::*0000001* :: 263 (0x107) bytes
14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.675 ::*0000001* ::
14:30:24.675 ::*0000001* :: ..VeriSign, Inc.1<0:..U...3Class 2 Public
Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For
authorized use only1.0...U....VeriSign Trust Network.U0S1.0...U....US1.0...U.
14:30:24.675 ::*0000001* :: ..Equifax Secure Inc.1&0$..U....Equifax Secure
eBusiness CA-1....
14:30:24.675 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: sending data:
14:30:24.675 ::*0000001* :: 1069 (0x42d) bytes
14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: ...............0...0..D........(0
..*.H..
.....0K1.0...U....US1.0...U.
14:30:24.675 ::*0000001* :: ..ISO New England Inc.1.0...U....ISO New England
CA 10..
050131220052Z.
060214220052Z0..1.0...U....US1.0...U.
14:30:24.675 ::*0000001* :: ..Split Rock Energy LLC1.0...U....USER ID -
6000242031.0...U....Leonard Jaques (50702)1&0$..*.H..
.....leonard.jaques@oati.net0..0
..*.H..
.........0.......4..5#..K....9.v1
z..h...T......~...;.a......+..1.g.......'...>.#...
..9.Na:.+....-.?$'.Ny..w......]:...|AAd..dz.R
....xR..R.C........0..0...`.H...B........0...U...........0:..U...3010/.-.+.)http://crl.geotrust.com/crls/isoneca1.crl0...U.#..0...I..tE.......x...My..0
..*.H..
..........
14:30:24.675 ::*0000001* :: e.G.!a..{F..
14:30:24.675 ::*0000001* ::
.hu-XEn..F.!...,6.....*.x4...c.ga....%S.Y...Y.W.D4.....A..Xvx...Q.H.gL.].}.]...T.....Q2z....'........6W.$5.%'..=...........;!h.!..n..<]N0.^
...#?O.s...c.........^....MU......i~..`^......%...!.$s..L&..3.,3.\.W&.Q..[[.D+.?ez.wV..fx....
.../.nE".9%...........x..w....b.....-...y{5b[....O...x...AH...4./Q..\>.....[...*...n:,&...4..9.&.6,....8.5.Z1nJ.....g...H..
14:30:24.675 ::*0000001* ::
.{4....._...^..Q*$?...............(~.:....w....V...)......[..X.?..#....F...
14:30:24.675 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.722 ::*0000001* :: received data:
14:30:24.722 ::*0000001* :: 7 (0x7) bytes
14:30:24.722 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.722 ::*0000001* :: ......0
14:30:24.722 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.722 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x80090325 [?]
14:30:24.722 ::*0000001* :: WinHttpSendRequest: error -2146893019 [0x80090325]
14:30:24.722 ::*0000001* :: WinHttpSendRequest() returning FALSE
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders(0xec9000, (0x16), "<null>",
0x0, 0x12f614 [0], 0x0 [0])
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders() returning FALSE
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders(0xec9000, (0x16), "<null>",
0xee4d18, 0x12f614 [6], 0x0 [0])
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders() returning TRUE
14:30:51.238 ::*0000001* :: WinHttpCloseHandle(0xec9000)
14:30:51.238 ::*0000001* :: WinHttpCloseHandle() returning TRUE
14:30:51.238 ::*Session* :: WinHttpCloseHandle(0xec8000)
14:30:51.238 ::*Session* :: WinHttpCloseHandle() returning TRUE
14:30:51.238 ::*Session* :: WinHttpCloseHandle(0xec4000)
14:30:51.238 ::*Session* :: WinHttpCloseHandle() returning TRUE
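
Added example, not part of the original post: a PowerShell check of the condition described above, using .NET's X509Chain to build the client chain first from the system stores alone and then with CA certificates loaded from a share into ChainPolicy.ExtraStore. The two paths and the Test-Chain function name are placeholders chosen for illustration.

```powershell
# Added example. Paths are placeholders (assumptions), not values from the post.
$LeafPath        = '\\fileserver\pki\client.cer'      # hypothetical: client cert, public part only
$IntermediateDir = '\\fileserver\pki\intermediates'   # hypothetical: share holding CA .cer files
$AiaOid          = '1.3.6.1.5.5.7.1.1'                # Authority Information Access extension OID

function Test-Chain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Extra = @()
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # ExtraStore certificates are candidates for path building only.
        # Revocation checking stays at its default (online), so an unreachable
        # CRL shows up in Status alongside any chain-building problem.
        foreach ($ca in $Extra) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
        $ok = $chain.Build($Leaf)
        [pscustomobject]@{
            Trusted = $ok
            Path    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
            Status  = @($chain.ChainStatus   | ForEach-Object { $_.Status })
        }
    } finally {
        $chain.Reset()
    }
}

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath

# Without AIA the chain engine has no URL from which to fetch the issuer.
$hasAia = [bool]($leaf.Extensions | Where-Object { $_.Oid.Value -eq $AiaOid })
"AIA extension present: $hasAia"

# Load every CA certificate found on the share.
$extra = @(Get-ChildItem -Path $IntermediateDir -Filter *.cer | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
})

'--- system stores only ---'
Test-Chain -Leaf $leaf | Format-List

'--- with intermediates from the share ---'
Test-Chain -Leaf $leaf -Extra $extra | Format-List
```

Certificates placed in ExtraStore never become trust anchors, so the root still has to be in a trusted root store for the second run to report Trusted = True. If the first run reports PartialChain and the second does not, the missing intermediate is the cause.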