0x80090325 error when using cert with no AIA extension

From: Patrick Tronnier (PatrickTronnier_at_discussions.microsoft.com)
Date: 04/13/05


Date: Wed, 13 Apr 2005 09:43:08 -0700

Greetings,

Problem:
I receive a 0x80090325 error "The certificate chain was issued by an
authority that is not trusted." when I attempt to connect to a site using a
client certificate which does not have an Authority Information Access (AIA)
extension. I assume the chain cannot be built because my code does not know
where to download the missing CA cert from.

Scenario:
The site is https://sandboxsmd.iso-ne.com/

Server: Stronghold/3.0 Apache/1.3.22 RedHat/3021c (Unix) mod_ssl/2.8.7
OpenSSL/0.9.6b mod_perl/1.25

Client: Windows 2000 SP4

Note: Both client and server root certs are installed!! Also, the problem
goes away if the client Intermediate CA cert is installed in the
LocalMachine\CA cert store.

Here are the cert chains:

Server: sandboxsmd.iso-ne.com, issued by Equifax Secure Certificate Authority

Client: Leonard Jaques (50702), issued by ISO New England CA 1, issued by
Equifax Secure eBusiness CA-1

Question:
Is there sample code (preferably C++) which shows how to build a cert chain
using files on a network share when the AIA extension is missing in a cert?
If no sample code, can someone review my code and possibly let me know a
better way to do this?

Additional Info:
Here is a winhttptracecfg log. (As I mentioned, when both client and server
root certs are installed I still have the problem. If the client Intermediate
CA cert is installed into the LocalMachine\CA store the problem goes away.)

Thank you very much in advance for any assistance.

PS: Issue also cross posted in winhttp newsgroup.

14:29:00.175 ::*Session* :: >>>> WinHttp Version 5.1 Build 5.1.2600 Dec 9
2003 01:37:31>>>>Process SHttpRequest.exe [3836 (0xefc)] started at
14:29:00.175 03/24/2005
14:30:01.878 ::*Session* ::
WinHttpCrackUrl("https://sandboxsmd.iso-ne.com/mkt/private/XmlRequest", 0x34,
0x0, 0x12f5b0)
14:30:01.878 ::*Session* ::
WinHttpCrackUrlA("https://sandboxsmd.iso-ne.com/mkt/private/XmlRequest",
0x34, 0x0, 0x12f3dc)
14:30:01.878 ::*Session* :: WinHttpCrackUrlA() returning TRUE
14:30:01.878 ::*Session* :: WinHttpCrackUrl() returning TRUE
14:30:01.878 ::*Session* :: WinHttpOpen("OATI WinHTTP Interface", (0), "",
"", 0x0)
14:30:01.894 ::*Session* :: WinHttpOpen() returning handle 0xec4000
14:30:01.894 ::*Session* :: WinHttpConnect(0xec4000,
"sandboxsmd.iso-ne.com", 443, 0x0)
14:30:01.894 ::*Session* :: WinHttpConnect() returning handle 0xec8000
14:30:01.894 ::*Session* :: WinHttpOpenRequest(0xec8000, "POST",
"/mkt/private/XmlRequest", "", "", 0x0, 0x00800000)
14:30:02.003 ::*Session* :: WinHttpCreateUrlA(0x12f204, 0x0, 0x18d0000,
0x12f240)
14:30:02.003 ::*Session* :: WinHttpCreateUrlA() returning TRUE
14:30:02.003 ::*0000001* :: WinHttpOpenRequest() returning handle 0xec9000
14:30:02.003 ::*0000001* :: WinHttpSetOption(0xec9000, (6), 0x12f578
[0x36ee80], 4)
14:30:02.003 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:02.019 ::*0000001* :: WinHttpSetOption(0xec9000, (3), 0x12f620
[0xea60], 4)
14:30:02.019 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:02.269 ::*0000001* :: WinHttpSetOption(0xec9000, (47), 0x15fd60
[0x1], 20)
14:30:02.269 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:02.269 ::*0000001* :: WinHttpSetOption(0xec9000, (79), 0x12f5cc
[0x3100], 4)
14:30:02.269 ::*0000001* :: WinHttpSetOption() returning TRUE
14:30:21.003 ::*Session* :: WinHttpAddRequestHeaders(0xec9000,
"Context-Type: text/*\r\nUser-Agent: Mozilla/4.0 (compatible; OATI)\r\n", -1,
0x20000000)
14:30:21.003 ::*Session* :: WinHttpAddRequestHeaders() returning TRUE
14:30:23.738 ::*0000001* :: WinHttpSendRequest(0xec9000, "", 0, 0xee5058,
125, 125, 0)
14:30:24.097 ::*0000001* :: "sandboxsmd.iso-ne.com" resolved
14:30:24.628 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312
[SEC_I_CONTINUE_NEEDED]
14:30:24.628 ::*0000001* :: sending data:
14:30:24.628 ::*0000001* :: 62 (0x3e) bytes
14:30:24.628 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.628 ::*0000001* :: [62 bytes of binary TLS handshake data, not
reproducible as text: ClientHello]
14:30:24.628 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: received data:
14:30:24.675 ::*0000001* :: 1024 (0x400) bytes
14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: [1024 bytes of binary TLS handshake data, shown
here decoded instead of as raw bytes: ServerHello; then Certificate carrying
the server's certificate, with
    Issuer:     C=US, O=Equifax, OU=Equifax Secure Certificate Authority
    Validity:   040621160740Z to 050821160740Z
    Subject:    C=US, ST=Massachusetts, L=Holyoke, O=ISO New England,
                OU=Market Systems, CN=sandboxsmd.iso-ne.com
    Extensions: Netscape cert type, key usage, subject key identifier, CRL
                distribution point http://crl.geotrust.com/crls/secureca.crl,
                authority key identifier, extended key usage (no AIA visible);
then the start of a CertificateRequest whose list of acceptable CAs opens with
    C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification Authority
and continues in the next receive]
14:30:24.675 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: received data:
14:30:24.675 ::*0000001* :: 263 (0x107) bytes
14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: [263 bytes, decoded: the remainder of the
CertificateRequest's acceptable-CA list,
    C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification
        Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only,
        OU=VeriSign Trust Network
    C=US, O=Equifax Secure Inc., OU=Equifax Secure eBusiness CA-1
followed by ServerHelloDone. ISO New England CA 1 does not appear in the list.]
14:30:24.675 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: sending data:
14:30:24.675 ::*0000001* :: 1069 (0x42d) bytes
14:30:24.675 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.675 ::*0000001* :: [1069 bytes of binary TLS handshake data, decoded:
Certificate carrying a single certificate (the end-entity cert only, no
intermediate), with
    Issuer:     C=US, O=ISO New England Inc., ISO New England CA 1
    Validity:   050131220052Z to 060214220052Z
    Subject:    C=US, O=Split Rock Energy LLC, OU=USER ID - 600024203,
                CN=Leonard Jaques (50702), emailAddress=leonard.jaques@oati.net
    Extensions: Netscape cert type, key usage, CRL distribution point
                http://crl.geotrust.com/crls/isoneca1.crl, authority key
                identifier (no AIA visible);
followed by ClientKeyExchange, CertificateVerify, ChangeCipherSpec and the
encrypted Finished]
14:30:24.675 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.722 ::*0000001* :: received data:
14:30:24.722 ::*0000001* :: 7 (0x7) bytes
14:30:24.722 ::*0000001* :: <<<<-------- HTTP stream follows below
----------------------------------------------->>>>
14:30:24.722 ::*0000001* :: [7 bytes: a TLS Alert record, level 2 (fatal),
description 48 (unknown_ca); the trailing '0' in the raw dump is that 0x30 byte]
14:30:24.722 ::*0000001* :: <<<<-------- End
----------------------------------------------->>>>
14:30:24.722 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x80090325 [?]
14:30:24.722 ::*0000001* :: WinHttpSendRequest: error -2146893019 [0x80090325]
14:30:24.722 ::*0000001* :: WinHttpSendRequest() returning FALSE
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders(0xec9000, (0x16), "<null>",
0x0, 0x12f614 [0], 0x0 [0])
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders() returning FALSE
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders(0xec9000, (0x16), "<null>",
0xee4d18, 0x12f614 [6], 0x0 [0])
14:30:49.300 ::*0000001* :: WinHttpQueryHeaders() returning TRUE
14:30:51.238 ::*0000001* :: WinHttpCloseHandle(0xec9000)
14:30:51.238 ::*0000001* :: WinHttpCloseHandle() returning TRUE
14:30:51.238 ::*Session* :: WinHttpCloseHandle(0xec8000)
14:30:51.238 ::*Session* :: WinHttpCloseHandle() returning TRUE
14:30:51.238 ::*Session* :: WinHttpCloseHandle(0xec4000)
14:30:51.238 ::*Session* :: WinHttpCloseHandle() returning TRUE
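Added example, not part of the original post and not Microsoft's code. Read as decoded above, the trace shows the client presenting only its end-entity certificate and the server answering with a fatal unknown_ca alert, after which WinHttpSendRequest fails with 0x80090325 (SEC_E_UNTRUSTED_ROOT). The PowerShell below does the two things a practitioner would check on the client: it builds the client cert's chain with no network fetch at all, taking the missing intermediate from .cer files on a share (X509Chain.ChainPolicy.ExtraStore in .NET plays the role of the hAdditionalStore parameter of CryptoAPI's CertGetCertificateChain, which is what a C++ version would use), and it optionally imports the intermediate into LocalMachine\CA (CertAddCertificateContextToStore in C++) so that Schannel can include it in the TLS Certificate message. The thumbprint, share path and the names under it are assumptions.

```powershell
# Added example (not from the original post). Builds the client certificate's
# chain offline, taking CA certs from .cer files on a share instead of from an
# AIA URL, then optionally installs the intermediate so Schannel will send it.
# $ClientCertThumbprint and $IntermediateShare are assumed values.
param(
    [string]$ClientCertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # assumed
    [string]$IntermediateShare    = '\\fileserver\pki\intermediates',            # assumed
    [switch]$InstallIntermediate
)

# 1. Locate the end-entity (client) certificate in the user's personal store.
$leaf = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
if (-not $leaf) { throw "Client certificate $ClientCertThumbprint not found in CurrentUser\My" }

# 2. Load every CA certificate found on the share. They are handed to the chain
#    engine directly, so a missing AIA extension is irrelevant: nothing needs
#    to be downloaded to find the issuer.
$extra = Get-ChildItem -Path $IntermediateShare -Filter *.cer | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
}

# 3. Build the chain from the local stores plus the share. Revocation checking
#    is switched off here only because this is a chain-building diagnostic and
#    must stay offline; leave it on in production code.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
foreach ($ca in $extra) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
$built = $chain.Build($leaf)

# Print the chain the engine produced, leaf first, with per-element status.
$i = 0
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    '[{0}] {1}' -f $i, $element.Certificate.Subject
    '     issued by {0}  [{1}]' -f $element.Certificate.Issuer, $status
    $i++
}
if (-not $built) {
    foreach ($s in $chain.ChainStatus) {
        'Chain status: {0} ({1})' -f $s.Status, $s.StatusInformation.Trim()
    }
}

# 4. ExtraStore only affects this local check. When Schannel builds the
#    Certificate message for a client credential it takes intermediates from
#    the CA stores, so a chain that verifies here still goes over the wire as
#    the leaf alone until the intermediate is in LocalMachine\CA (which is
#    exactly the behaviour the post reports). Writing there needs an elevated
#    session. The self-signed root is skipped: roots belong in Root, not CA.
if ($InstallIntermediate -and $built) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
        -ArgumentList 'CA', [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            $isLeaf = ($c.Thumbprint -eq $leaf.Thumbprint)
            $isRoot = ($c.Subject -eq $c.Issuer)
            if (-not $isLeaf -and -not $isRoot) {
                $store.Add($c)
                "Installed intermediate: $($c.Subject)"
            }
        }
    } finally { $store.Close() }
}
```

Run it once without -InstallIntermediate to see whether the chain builds at all from the share (an UntrustedRoot status at that point means the root itself is missing from the Root store, not the intermediate), then elevated with -InstallIntermediate to make Schannel send the full chain. From a plain command prompt, certutil -addstore CA <file.cer> puts the same intermediate in the same store.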


