ARR: Support Added for WINHTTP_OPTION_SECURITY_FLAGS

by Harsh Mittal

The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS.

Default Behavior:

The default behavior is unchanged from before the update: ARR ignores common name (CN) mismatches in the SSL communication. With this change, ARR implements SECURITY_FLAG_IGNORE_CERT_CN_INVALID as the default flag.

To change the settings, add the following registry value.

  1. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

  2. Expand the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters
    
  3. Right-click Parameters, click New, and then click DWORD (32-bit) Value.

  4. In the Value name box, type SecureConnectionIgnoreFlags, and then press ENTER.

  5. Double-click the SecureConnectionIgnoreFlags registry value and enter 0.

  6. Close Registry Editor.

The key can also be added from the command line with the following command:

reg.exe add "HKLM\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters" /v SecureConnectionIgnoreFlags /t REG_DWORD /d 0

Setting Additional Options

The default value of 0 is the same as setting the SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag.

To set additional options, combine the following settings by adding their values together.

For example, to set both SECURITY_FLAG_IGNORE_CERT_CN_INVALID and SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, set the value to 0x00003000.

Value        Description
0x00001000   SECURITY_FLAG_IGNORE_CERT_CN_INVALID (DEFAULT)
0x00002000   SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
0x00000100   SECURITY_FLAG_IGNORE_UNKNOWN_CA
0x00000200   SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE

SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x00000200)

Allows the identity of a server to be established with a non-server certificate (for example, a client certificate).
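As an added example (not part of the original post or of ARR itself), the following PowerShell reads SecureConnectionIgnoreFlags from the Parameters key above and decodes the bitmask into the list of backend certificate checks it disables, so an administrator can audit what a given value actually turns off. The function names are assumptions; the flag values are the ones from the table.

```powershell
# Added example: audit the ARR SecureConnectionIgnoreFlags value.
# Flag values are taken from the table in the article above.
$Flags = [ordered]@{
    0x00001000 = 'SECURITY_FLAG_IGNORE_CERT_CN_INVALID'
    0x00002000 = 'SECURITY_FLAG_IGNORE_CERT_DATE_INVALID'
    0x00000100 = 'SECURITY_FLAG_IGNORE_UNKNOWN_CA'
    0x00000200 = 'SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE'
}
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters'

# Hypothetical helper: turn a DWORD into the names of the checks it disables.
function ConvertFrom-ArrIgnoreFlags {
    param([uint32]$Value)
    # 0 (or a missing value) is documented as ignoring CN mismatches only.
    if ($Value -eq 0) { return @('SECURITY_FLAG_IGNORE_CERT_CN_INVALID (default)') }
    $names = @()
    $remaining = $Value
    foreach ($bit in $Flags.Keys) {
        if (($Value -band $bit) -ne 0) {
            $names += $Flags[$bit]
            $remaining = $remaining -bxor $bit
        }
    }
    # Report bits that do not match any documented flag so a typo in the value is visible.
    if ($remaining -ne 0) { $names += ('Unrecognised bits: 0x{0:X8}' -f $remaining) }
    return $names
}

# Hypothetical helper: read the live registry value and report it.
function Get-ArrIgnoreFlags {
    $item = Get-ItemProperty -Path $KeyPath -Name SecureConnectionIgnoreFlags -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [uint32]$item.SecureConnectionIgnoreFlags }
    [pscustomobject]@{
        Value         = '0x{0:X8}' -f $value
        IgnoredChecks = ConvertFrom-ArrIgnoreFlags -Value $value
    }
}

Get-ArrIgnoreFlags
```

Each flag listed under IgnoredChecks is a certificate validation step ARR will skip on its connection to the backend server, so the output shows directly how much of the server's identity is still being verified.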

Reference

WINHTTP_OPTION_SECURITY_FLAGS

https://msdn.microsoft.com/library/windows/desktop/aa384066(v=vs.85).aspx