Discussion:
SSL client authentication certificate caching
Matt Fletcher
2004-09-30 14:13:06 UTC
Is it possible to cache SSL client authentication certificates with IE 6 SP1
onwards? I understand that a change was introduced in SP1 which meant that a
client certificate must be supplied for every WinInet request. Is there a
workaround for this behaviour, as it is causing an unnecessary load on our
server - we want to authenticate once per conversation rather than once per
request.

Thanks
Matt Fletcher
Yan-Hong Huang[MSFT]
2004-10-06 02:54:12 UTC
Hello Matt,

Sorry for the late response. It seems that your MSDN no spam email address
is not registered correctly yet. So your posts are not shown as managed
ones.

Based on my understanding, your question is: Is it possible to re-enable
SSL client certificate caching after applying IE 6 SP1, right?

If so, you can try to contact Microsoft PSS for hotfix 330338
"Additional Prompts for a Client Certificate with Internet Explorer 6
Service Pack 1"
http://support.microsoft.com/?id=330338

You may need to submit a hotfix request for it. The request is free for
you since you are just asking for a hotfix.

My suggestion for you is to test the way in that KB article first.
---------------------------------
This problem is a side-effect of a security fix in Internet Explorer 6 SP1.
The hotfix that is described in this article installs a new registry key to
disable the code that is added by the security fix:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
CertCacheNoValidate: REG_DWORD: 1
----------------------------------

If the problem can't be resolved, please feel free to post here and we will
follow up. Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
Register to Access MSDN Managed Newsgroups!
- http://support.microsoft.com/default.aspx?scid=/servicedesks/msdn/nospam.asp&SD=msdn

This posting is provided "AS IS" with no warranties, and confers no rights.
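
For anyone auditing machines where this workaround was applied, a check for the value named in the KB excerpt above (an added example, not part of the original thread or the KB article). It assumes CertCacheNoValidate is a REG_DWORD value under the Internet Settings key, as the excerpt lays it out; the function name Get-CertCacheNoValidateState is hypothetical.

```powershell
# Added example: report, per loaded user hive, whether CertCacheNoValidate is set.
# Per the KB excerpt, a value of 1 disables the code added by the IE 6 SP1
# security fix, so a value of 1 is the state worth flagging.
$SubKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'CertCacheNoValidate'

function Get-CertCacheNoValidateState {
    param([Parameter(Mandatory = $true)][string]$Sid)

    # The setting lives under HKCU, i.e. HKEY_USERS\<SID> for each user.
    $path = "Registry::HKEY_USERS\$Sid\$SubKey"

    # A missing key or missing value yields $null instead of an error.
    $prop  = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.$ValueName } else { $null }

    [pscustomobject]@{
        Sid            = $Sid
        ValuePresent   = ($null -ne $prop)
        Value          = $value
        SecurityFixOff = ($value -eq 1)
    }
}

# Enumerate the user hives currently loaded on this machine (account SIDs only,
# skipping the *_Classes hives and the built-in service accounts).
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-CertCacheNoValidateState -Sid $_.PSChildName } |
    Format-Table -AutoSize
```

Only hives that are loaded (logged-on users) appear under HKEY_USERS, and reading another user's hive requires an elevated session.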
Yan-Hong Huang[MSFT]
2004-10-08 01:17:29 UTC
Hello Matt,

How is everything going? Have you successfully done it?

If anything is unclear, please feel free to post here. Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support

Matt Fletcher
2004-10-08 15:54:02 UTC
Sorry I haven't replied earlier.

We have not yet got or applied the hot fix, but have tested with XP SP2
which includes IE6 SP2. Our problem still occurs in IE6 SP2 - does this mean
that the hot fix has not made it into IE6 SP2, or that we are dealing with a
separate problem?

Just to make it clear - our problem is that client authentication
certificates are requested multiple times during the same SSL session,
even though our client code passes INTERNET_FLAG_KEEP_CONNECTION to
HttpOpenRequest and caches the InternetOpen and InternetConnect handles. We
see the problem occurring with IE6 SP1 and SP2, and believe that it also
affects some versions of IE5.5 - we are trying to assemble a list of
versions of wininet.dll which are affected.

Regards
Matt Fletcher
Yan-Hong Huang[MSFT]
2004-10-11 01:38:52 UTC
Hi Matt,

It is OK. We are closely monitoring the post, so if you reply to it, we will be
notified and come back to follow up on it.

For that hotfix, please refer to the "more information" part in that KB
article. We can see that:
MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

This problem is a side-effect of a security fix in Internet Explorer 6 SP1.
The hotfix that is described in this article installs a new registry key to
disable the code that is added by the security fix:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
CertCacheNoValidate: REG_DWORD: 1

So I suggest you add this registry key to test first. If it works, then it
should be OK for you. If not, please feel free to post back here to let me
know.

Thanks again for working with us so closely.

Best regards,
Yanhong Huang
Microsoft Community Support

Yan-Hong Huang[MSFT]
2004-10-13 01:16:27 UTC
Hi Matt,

How is everything going? Have you tried the solution in that KB article? If
the problem is still not resolved, please feel free to post here and we
will follow up.

Thanks very much.

Best regards,
Yanhong Huang
Microsoft Community Support
