Re: Secure POP3 session using Schannel.
- From: "Tim Ward" <tw2@xxxxxxxxxxxx>
- Date: Thu, 29 Jun 2006 14:23:22 +0100
"Piotr Trojanowski" <PiotrTrojanowski@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
However this call returns an error: SEC_E_UNTRUSTED_ROOT (0x80090325L).
"The server you are connected to is using a security certificate that
not be verified. A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider. Do you want to
continue using this server?". If I select Yes, then the connection is
established and e-mail received.
Yes, those are the same thing. A way round it which works for me is:
(1) Give ISC_REQ_MANUAL_CRED_VALIDATION to the first
(2) Do my own validation of the server certificate, following the
(3) Whilst doing so specify SECURITY_FLAG_IGNORE_CERT_CN_INVALID
in the call to CertVerifyCertificateChainPolicy.
(4) Do my own check that the root certificate sent by the server matches the
copy of the private root certificate that I have embedded in my application
(of course if you don't care you don't need to do this).
Er, all of which is hundreds of lines of code, and I still haven't got my
head round the error checking or exactly which resources to free how and
when. Fun, this stuff, isn't it.
Brett Ward Limited - www.brettward.co.uk
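
Steps (1) to (4) from the reply above, as an added example that is not part of the original post and not Tim Ward's code. The function names `validate_server_cert` and `root_matches_pinned` are hypothetical, and because the post's steps (1) and (2) are cut short, the use of QueryContextAttributes and CertGetCertificateChain is this example's choice. Tolerating only the untrusted-root error before the pin check is also an assumption.

```c
#include <stddef.h>
#include <string.h>
/* Step (4): the server's root must equal the embedded DER copy byte for byte. */
int root_matches_pinned(const unsigned char *root, size_t root_len,
                        const unsigned char *pinned, size_t pinned_len)
{
    if (!root || !pinned || root_len == 0 || root_len != pinned_len)
        return 0;
    return memcmp(root, pinned, root_len) == 0;
}

#ifdef _WIN32   /* the Schannel/CryptoAPI part only builds on Windows */
#define SECURITY_WIN32
#include <windows.h>
#include <wincrypt.h>
#include <wininet.h>    /* SECURITY_FLAG_IGNORE_CERT_CN_INVALID */
#include <security.h>
#include <schannel.h>
/* Steps (2)-(4); ctx was built with ISC_REQ_MANUAL_CRED_VALIDATION (step 1). 1 = accept. */
int validate_server_cert(CtxtHandle *ctx, const BYTE *pinned, DWORD pinned_len)
{
    PCCERT_CONTEXT cert = NULL, root;
    PCCERT_CHAIN_CONTEXT chain = NULL;
    PCERT_SIMPLE_CHAIN sc;
    CERT_CHAIN_PARA cp = { sizeof(cp) };
    SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl = { { sizeof(ssl) }, AUTHTYPE_SERVER, SECURITY_FLAG_IGNORE_CERT_CN_INVALID, NULL };
    CERT_CHAIN_POLICY_PARA pp = { sizeof(pp), 0, &ssl };
    CERT_CHAIN_POLICY_STATUS ps = { sizeof(ps) };
    int ok = 0;
    if (QueryContextAttributes(ctx, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert) != SEC_E_OK)
        return 0;
    if (!CertGetCertificateChain(NULL, cert, NULL, cert->hCertStore, &cp, 0, NULL, &chain))
        goto done;
    /* Assumption: an untrusted (private) root is the only failure tolerated here. */
    if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain, &pp, &ps) ||
        (ps.dwError && ps.dwError != (DWORD)CERT_E_UNTRUSTEDROOT) ||
        (chain->TrustStatus.dwErrorStatus & ~CERT_TRUST_IS_UNTRUSTED_ROOT))
        goto done;
    sc = chain->cChain ? chain->rgpChain[0] : NULL;
    if (sc && sc->cElement) {   /* last element is the root, if the server sent it */
        root = sc->rgpElement[sc->cElement - 1]->pCertContext;
        ok = root_matches_pinned(root->pbCertEncoded, root->cbCertEncoded, pinned, pinned_len);
    }
done:
    if (chain) CertFreeCertificateChain(chain);
    if (cert) CertFreeCertificateContext(cert);
    return ok;
}
#endif
```

With the CN check ignored, any certificate that chains to the embedded root is accepted for any host name, so the pin in step (4) is the control that matters and the private root should issue certificates only for this service.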