ARR: Support Added for WINHTTP_OPTION_SECURITY_FLAGS

By Harsh Mittal

April 13, 2012

The ARR update KB 2693489 adds support for WINHTTP_OPTION_SECURITY_FLAGS.

Default Behavior:

The default behavior is the same as before the update: ARR ignores common name mismatches in SSL communication. With this change, ARR implements SECURITY_FLAG_IGNORE_CERT_CN_INVALID as the default flag.

To change the settings, add the following registry key.

  1. Click Start, type regedit.exe in the Start Search box, and then press ENTER.
  2. Expand the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters
  3. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
  4. In the Value name box, type SecureConnectionIgnoreFlags, and then press ENTER.
  5. Double-click the SecureConnectionIgnoreFlags registry value and enter 0.
  6. Close Registry Editor.

The key can also be added from the command line with the following command:

reg.exe add "HKLM\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters" /v SecureConnectionIgnoreFlags /t REG_DWORD /d 0

Setting Additional Options

The default value of 0 is the same as setting the SECURITY_FLAG_IGNORE_CERT_CN_INVALID flag.

To set additional options, combine flags by adding their values from the table below together.

For example, to set both SECURITY_FLAG_IGNORE_CERT_CN_INVALID and SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, set the value to 0x00003000.

| Value      | Description                                    |
|------------|------------------------------------------------|
| 0x00001000 | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (DEFAULT) |
| 0x00002000 | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID         |
| 0x00000100 | SECURITY_FLAG_IGNORE_UNKNOWN_CA                |
| 0x00000200 | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE          |

· SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x00000200): Allows the identity of a server to be established with a non-server certificate (for example, a client certificate).
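To check which certificate validations an ARR server currently skips, the registry value can be read and decoded against the table above. The following PowerShell script is an added example, not part of the original post or of ARR; the function name ConvertFrom-ArrIgnoreFlags and the sample values are hypothetical, while the key path, value name and flag values are the ones given in this article.

```powershell
# Added example: key path, value name and flag values come from the article;
# the function name and the sample values are hypothetical/constructed.
$ArrKey    = 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters'
$ValueName = 'SecureConnectionIgnoreFlags'

$Flags = [ordered]@{
    SECURITY_FLAG_IGNORE_UNKNOWN_CA        = 0x00000100
    SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  = 0x00000200
    SECURITY_FLAG_IGNORE_CERT_CN_INVALID   = 0x00001000
    SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = 0x00002000
}

function ConvertFrom-ArrIgnoreFlags {
    param([Parameter(Mandatory)][long]$Value)

    # REG_DWORD is read as a signed Int32; keep only the low 32 bits (4294967295 = 0xFFFFFFFF).
    $Value = $Value -band 4294967295
    # The article states that 0 behaves like SECURITY_FLAG_IGNORE_CERT_CN_INVALID.
    if ($Value -eq 0) { return 'SECURITY_FLAG_IGNORE_CERT_CN_INVALID' }

    $rest  = $Value
    $names = @()
    foreach ($f in $Flags.GetEnumerator()) {
        if ($Value -band $f.Value) {
            $names += $f.Key
            $rest   = $rest -bxor $f.Value
        }
    }
    # Surface bits that are not in the article's table instead of dropping them.
    if ($rest -ne 0) { $names += ('UNKNOWN_BITS_0x{0:X8}' -f $rest) }
    return $names
}

# Decode constructed sample values (0x00003000 is the article's own example).
foreach ($sample in 0x0, 0x00003000, 0x00003300) {
    '0x{0:X8} -> {1}' -f $sample, ((ConvertFrom-ArrIgnoreFlags $sample) -join ', ')
}

# Audit the local server: report the configured value and warn on anything beyond the default.
$prop = if (Test-Path $ArrKey) { Get-ItemProperty -Path $ArrKey -Name $ValueName -ErrorAction SilentlyContinue }
if ($null -eq $prop) {
    "$ValueName is not set: ARR default applies (common name mismatches are ignored)."
} else {
    $ignored = @(ConvertFrom-ArrIgnoreFlags $prop.$ValueName)
    "$ValueName = 0x{0:X8}; checks ignored: {1}" -f $prop.$ValueName, ($ignored -join ', ')
    $extra = $ignored | Where-Object { $_ -ne 'SECURITY_FLAG_IGNORE_CERT_CN_INVALID' }
    if ($extra) { Write-Warning "Certificate checks disabled beyond the ARR default: $($extra -join ', ')" }
}
```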

Reference

WINHTTP_OPTION_SECURITY_FLAGS

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384066(v=vs.85).aspx