MORE INFORMATION
This error occurs when the client does not know about the certificate
authority that issued the server certificate. The problem may be corrected
by installing the certificate authority's root certificate. A list of all
installed certificates can be viewed from Internet Explorer. From the View
menu, click Internet Options, click the Content tab, and click Authorities.

It is possible to bypass this error in a WinInet application without
installing a certificate. There are two methods of handling this error. You
can use code similar to the following.

Method 1. With a UI (a message box similar to the one in Internet Explorer
is generated):
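   ...
again:
   dwError = ERROR_SUCCESS;   // clear any error left from a previous attempt
   if (!HttpSendRequest (hReq,...))
      dwError = GetLastError ();
   if (dwError == ERROR_INTERNET_INVALID_CA)
   {
      // Make sure to check the return code from InternetErrorDlg:
      // the user may click either OK or Cancel. In case of Cancel
      // the request should not be resubmitted.
      DWORD dwRet = InternetErrorDlg (GetDesktopWindow(),
                                      hReq,
                                      ERROR_INTERNET_INVALID_CA,
                                      FLAGS_ERROR_UI_FILTER_FOR_ERRORS |
                                      FLAGS_ERROR_UI_FLAGS_GENERATE_DATA |
                                      FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS,
                                      NULL);
      // Resubmit only on ERROR_INTERNET_FORCE_RETRY (see NOTE 1 for
      // the Internet Explorer 4.0 and 4.01 exception).
      if (dwRet == ERROR_INTERNET_FORCE_RETRY)
         goto again;
   }
   ...
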
Method 2. Without a UI:
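   ...
again:
   dwError = ERROR_SUCCESS;   // clear any error left from a previous attempt
   if (!HttpSendRequest (hReq,...))
      dwError = GetLastError ();
   if (dwError == ERROR_INTERNET_INVALID_CA)
   {
      DWORD dwFlags = 0;
      DWORD dwBuffLen = sizeof(dwFlags);

      // Read the current security flags of this request handle and add
      // the flag that accepts a certificate issued by an unknown CA.
      InternetQueryOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                           (LPVOID)&dwFlags, &dwBuffLen);
      dwFlags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA;
      InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS,
                         &dwFlags, sizeof (dwFlags) );
      goto again;
   }
   ...
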
Similar logic can be used with MFC WinInet classes. In this case, the
following MFC methods correspond to the WinInet APIs used above:
- CInternetFile::SendRequest
- CInternetFile::QueryOption
- CInternetFile::SetOption
- CInternetFile::ErrorDlg

Please note that Visual C++ 5.0 is missing documentation on
CInternetFile::ErrorDlg, CInternetFile::QueryOption, and
CInternetFile::SetOption. See the Inet.cpp MFC source file for information
on how to use these methods.

NOTE 1: InternetErrorDlg may return the following values:

   - ERROR_SUCCESS
   - ERROR_CANCELLED
   - ERROR_INTERNET_FORCE_RETRY

The request should be resubmitted only when ERROR_INTERNET_FORCE_RETRY is
returned. In Internet Explorer 4.0 and 4.01, however, the request must be
resubmitted even when ERROR_SUCCESS is returned.
Microsoft has confirmed this to be a problem in the InternetErrorDlg API.

NOTE 2: SECURITY_FLAG_IGNORE_UNKNOWN_CA is not implemented in Internet
Explorer 3.0 and 3.02.
InternetErrorDlg still works, however, with the following exception. The
dialog box generated by this API does not allow the user to ignore the
invalid certificate authority error; it is merely a notification to the
user that the page cannot be viewed.

NOTE 3: The option to ignore this error cannot be set before the error
occurs. You must first attempt to send the request, receive the error, then
set the option (or call InternetErrorDlg), and resubmit.
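
The resubmission rules from NOTE 1 and NOTE 3, written as a bounded retry loop. This is an added example, not code from the original article: send_fn and dlg_fn are hypothetical wrappers (send_fn returns 0 or the GetLastError value of a failed HttpSendRequest, dlg_fn returns what InternetErrorDlg returned), ie4_quirk and max_prompts are assumed parameters, and the sim_* functions are a constructed simulation so the logic can be exercised without WinInet.

```c
/* Values from the Windows SDK headers, repeated so this builds anywhere. */
#ifndef ERROR_INTERNET_INVALID_CA
#define ERROR_SUCCESS              0L
#define ERROR_CANCELLED            1223L
#define ERROR_INTERNET_FORCE_RETRY 12032L
#define ERROR_INTERNET_INVALID_CA  12045L
#endif

/* Hypothetical wrappers: HttpSendRequest + GetLastError, InternetErrorDlg. */
typedef long (*send_fn)(void *ctx);
typedef long (*dlg_fn)(void *ctx, long error);

/* NOTE 1: resubmit only on ERROR_INTERNET_FORCE_RETRY; Internet Explorer
   4.0 and 4.01 (ie4_quirk) also need a resubmit on ERROR_SUCCESS. */
static int should_resubmit(long dlg_result, int ie4_quirk)
{
    return dlg_result == ERROR_INTERNET_FORCE_RETRY ||
           (ie4_quirk && dlg_result == ERROR_SUCCESS);
}

/* NOTE 3: send first, prompt only after ERROR_INTERNET_INVALID_CA, then
   resend. Returns the last send result; the number of prompts is bounded. */
long send_with_ca_prompt(send_fn send, dlg_fn dlg, void *ctx,
                         int ie4_quirk, int max_prompts)
{
    long err = send(ctx);
    while (err == ERROR_INTERNET_INVALID_CA && max_prompts-- > 0) {
        if (!should_resubmit(dlg(ctx, err), ie4_quirk))
            break;           /* Cancel or unexpected value: do not resend */
        err = send(ctx);     /* fresh result replaces the stale error */
    }
    return err;
}

/* Constructed simulation: the server's CA is unknown until accepted. */
struct sim { long dlg_answer; int accepted; int sends; };
static long sim_send(void *p)
{
    struct sim *s = p;
    s->sends++;
    return s->accepted ? ERROR_SUCCESS : ERROR_INTERNET_INVALID_CA;
}
static long sim_dlg(void *p, long error)
{
    struct sim *s = p;
    (void)error;
    s->accepted = (s->dlg_answer != ERROR_CANCELLED);
    return s->dlg_answer;
}
```

Because err is reassigned on every pass, a successful resend ends the loop instead of retrying on a stale ERROR_INTERNET_INVALID_CA.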