PRB: HSE_REQ_GET_SSPI_INFO Function Cannot Be Used to Retrieve the SSL Cipher Specification (831131)
The information in this article applies to:
- Microsoft Internet Server Application Programming Interface (API)
- Microsoft Internet Information Services version 6.0
- Microsoft Internet Information Server 5.0
SYMPTOMS
The HSE_REQ_GET_SSPI_INFO function enables ISAPI extensions to retrieve context and credential handles. However, these handles cannot be used to determine what cipher suite is used in the underlying Secure Sockets Layer (SSL) connection.
CAUSE
HSE_REQ_GET_SSPI_INFO returns information about authentication, not information about SSL.
RESOLUTION
To work around this problem, use one of the following methods:
- Require client certificates. When a client certificate is used, the CtxtHandle handle from HSE_REQ_GET_SSPI_INFO will contain a valid context. This valid context can be used to access additional information about the underlying connection.
- Restrict the cryptographic algorithms and protocols that can be used by Internet Information Services (IIS). This restriction allows the extension to make assumptions about the cipher suite that is in use. This restriction may have unwanted side effects, such as preventing clients that do not support the selected cipher properties from connecting.
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
245030
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
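The first method above, as an added example that is not from the original article or from Microsoft sample code: on Windows it requests the handles with HSE_REQ_GET_SSPI_INFO and queries SECPKG_ATTR_CONNECTION_INFO on the context handle, then checks the negotiated protocol and cipher strength. The function names `get_ssl_info`, `protocol_name` and `connection_acceptable` are hypothetical, and the non-Windows stand-in definitions are assumptions that mirror the SDK headers.

```c
/* Added example, not code from the KB article. */
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <httpext.h>
#include <security.h>
#include <schannel.h>

/* Returns 1 and fills *info when the context handle is usable (per the
   article, this requires a client certificate); returns 0 otherwise. */
int get_ssl_info(EXTENSION_CONTROL_BLOCK *ecb, SecPkgContext_ConnectionInfo *info)
{
    CtxtHandle ctxt;
    CredHandle cred;
    SecInvalidateHandle(&ctxt);
    SecInvalidateHandle(&cred);
    /* lpvBuffer receives the CtxtHandle, lpdwSize receives the CredHandle. */
    if (!ecb->ServerSupportFunction(ecb->ConnID, HSE_REQ_GET_SSPI_INFO,
                                    &ctxt, (LPDWORD)&cred, NULL))
        return 0;
    return QueryContextAttributes(&ctxt, SECPKG_ATTR_CONNECTION_INFO, info) == SEC_E_OK;
}
#else
/* Assumption: minimal stand-ins mirroring schannel.h so the decoding
   logic below can be compiled and exercised off Windows. */
typedef unsigned int DWORD;
typedef unsigned int ALG_ID;
typedef struct { DWORD dwProtocol; ALG_ID aiCipher; DWORD dwCipherStrength;
                 ALG_ID aiHash;   DWORD dwHashStrength;
                 ALG_ID aiExch;   DWORD dwExchStrength; } SecPkgContext_ConnectionInfo;
#define SP_PROT_SSL2_SERVER 0x00000004
#define SP_PROT_SSL3_SERVER 0x00000010
#define SP_PROT_TLS1_SERVER 0x00000040
#endif

/* Human-readable name of the negotiated server-side protocol. */
const char *protocol_name(const SecPkgContext_ConnectionInfo *ci)
{
    if (ci->dwProtocol & SP_PROT_TLS1_SERVER) return "TLS 1.0";
    if (ci->dwProtocol & SP_PROT_SSL3_SERVER) return "SSL 3.0";
    if (ci->dwProtocol & SP_PROT_SSL2_SERVER) return "SSL 2.0";
    return "unknown";
}

/* Hypothetical policy check: the protocol must be in allowed_protocols
   and the bulk cipher must be at least min_bits strong. */
int connection_acceptable(const SecPkgContext_ConnectionInfo *ci,
                          DWORD allowed_protocols, DWORD min_bits)
{
    if (!(ci->dwProtocol & allowed_protocols)) return 0;
    return ci->dwCipherStrength >= min_bits;
}
```

When `get_ssl_info` returns 0, the extension has no connection details to inspect and should not assume a cipher strength.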
STATUS
This behavior is by design.
REFERENCES
For more information about the HSE_REQ_GET_SSPI_INFO function and about getting protocol and cipher information from a certificate context handle through the SECPKG_ATTR_CONNECTION_INFO attribute, visit the following Microsoft Developer Network Web sites:
| Modification Type: | Major | Last Reviewed: | 11/3/2003 |
|---|---|---|---|
| Keywords: | kbprb KB831131 kbAudDeveloper | | |