title | author | description | ms.date | ms.assetid | msc.legacyurl | msc.type |
---|---|---|---|---|---|---|
ARR: Support Added for WINHTTP_OPTION_SECURITY_FLAGS | rick-anderson | The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS. Default Behavior: This is the same prior to the updated where ARR will ignore Comm... | 04/13/2012 | 1262324d-f150-4a2f-9b5a-a439de7b718b | /learn/extensions/configuring-application-request-routing-arr/arr-support-added-for-winhttpoptionsecurityflags | authoredcontent |
by Harsh Mittal
The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS.
Default Behavior:
The default behavior is the same as before the update: ARR ignores common name (CN) mismatches in SSL communication. With this change, ARR implements SECURITY_FLAG_IGNORE_CERT_CN_INVALID as the default flag.
To change the setting, add the following registry value.
- Click Start, type regedit.exe in the Start Search box, and then press ENTER.
- Expand the following registry key:
  [!code-consoleMain]
- Right-click Parameters, click New, and then click DWORD (32-bit) Value.
- In the Value name box, type SecureConnectionIgnoreFlags, and then press ENTER.
- Double-click the SecureConnectionIgnoreFlags registry value and enter 0.
- Close Registry Editor.
The key can also be added from the command line with the following command:
[!code-consoleMain]
Setting Additional Options
The default value of 0 is the same as setting the SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag.
To set additional options, add the values of the flags in the following table together.
For example, to set both SECURITY_FLAG_IGNORE_CERT_CN_INVALID and SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, set the value to 0x00003000.
Value | Description |
---|---|
0x00001000 | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (DEFAULT) |
0x00002000 | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
0x00000100 | SECURITY_FLAG_IGNORE_UNKNOWN_CA |
0x00000200 | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x00000200): Allows the identity of a server to be established with a non-server certificate (for example, a client certificate).
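An added example (not part of the original article) for auditing this setting: it reads the value from `reg query` output and lists which certificate checks ARR will skip, including bits outside the table above. The sample output and its key-path placeholder are constructed, `parse_reg_query` and `audit` are hypothetical helper names, and treating an absent value like 0 is an assumption based on the default behavior the article describes.

```python
import re

# Flag values exactly as listed in the article's table.
FLAGS = {
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE",
}
DEFAULT = 0x00001000
VALUE_NAME = "SecureConnectionIgnoreFlags"

# Constructed sample of `reg query` output; the key path is a placeholder.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\<key-path-from-article>\Parameters
    SecureConnectionIgnoreFlags    REG_DWORD    0x3100
"""

def parse_reg_query(text):
    """Return the DWORD from `reg query` output, or None if the value is absent."""
    pattern = rf"^\s*{VALUE_NAME}\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$"
    m = re.search(pattern, text, re.M)
    return int(m.group(1), 16) if m else None

def audit(raw):
    """Decode the value into the certificate checks ARR skips."""
    # Per the article, 0 behaves like the CN_INVALID flag (absent: assumed same).
    effective = DEFAULT if not raw else raw
    return {
        "raw": raw,
        "ignored_checks": sorted(n for bit, n in FLAGS.items() if effective & bit),
        "unknown_bits": effective & ~sum(FLAGS),       # bits not in the table
        "beyond_default": bool(effective & ~DEFAULT),  # weaker than default
    }

if __name__ == "__main__":
    print(audit(parse_reg_query(SAMPLE)))
```

A result with `beyond_default` set means the server accepts back-end certificates that fail more than the name check, for example expired certificates or ones issued by an untrusted CA.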
Reference
WINHTTP_OPTION_SECURITY_FLAGS
https://msdn.microsoft.com/library/windows/desktop/aa384066(v=vs.85).aspx