locked
The Windows Web Services API lacks the capability to ignore SSL Certificate Errors in Windows 8.1 Apps

    Question

  • I have a C++ Windows 8.1 App that consumes a web service using the Windows Web Services API http://msdn.microsoft.com/en-us/library/windows/desktop/dd430470(v=vs.85).aspx.

    It turns out that the following error is generated when trying to ignore SSL certificate errors.

    "The property 'WS_SECURITY_BINDING_PROPERTY_CERT_FAILURES_TO_IGNORE' is not supported in a process running in an AppContainer.s"

    The following code demonstrates how I setup a WS_SECURITY_BINDING_PROPERTY to ignore SSL certificate errors.

    DWORD dwIgnoreCnCertValue =WS_CERT_FAILURE_CN_MISMATCH |WS_CERT_FAILURE_UNTRUSTED_ROOT |WS_CERT_FAILURE_WRONG_USAGE;
    WS_SECURITY_BINDING_PROPERTY
    securityBindingPropertiesArray[1];
    securityBindingPropertiesArray[0].id = WS_SECURITY_BINDING_PROPERTY_CERT_FAILURES_TO_IGNORE;
    securityBindingPropertiesArray[0].valueSize = sizeof(dwIgnoreCnCertValue);
    securityBindingPropertiesArray[0].value = &dwIgnoreCnCertValue;

    My expectation is that I should be able to ignore SSL errors in a Windows 8.1 store app since the capability to ignore SSL errors is possible with the C# class HttpClient.  I looked at possibly using WS_CERTIFICATE_VALIDATION_CALLBACK, but unfortunately the callback function is only supported for desktop apps.  Is there some other way to ignore SSL certificate errors with the Windows Web Services API?

    Thursday, December 19, 2013 4:06 AM

Answers

All replies

  • The error you get seems pretty conclusive. Windows Store apps always run in AppContainers.

    Windows.Web.Http.HttpClient is not a C# or .Net Framework class. It is a Windows Runtime class and can be called from C++. You can use it with an HttpBaseProtocolFilter to ignore SSL errors.

    There is a sample demonstrating using HttpClient in a C++ app: HttpClient sample 

    --Rob

    Thursday, December 19, 2013 4:20 AM
    Moderator
  • Thanks Rob for the reply.  I used wsutil to generate the C proxy classes needed to communicate with a web service.  Using HttpClient would require me to construct the soap message going to the service and deconstruct the soap message on the client.  Shouldn't there be a way to ignore SSL errors for clients using the Windows Web Services API?
    Thursday, December 19, 2013 5:21 AM
  • Any hope that a feature will be added to the Windows Web Services API that will allow a user to ignore SSL certificate errors? It would be nice to ignore SSL cert errors regardless of the technology used.
    Thursday, January 16, 2014 2:04 AM
  • Hi Nick,

    We cannot comment on future functionality, but thank you for the request!

    --Rob

    Thursday, January 16, 2014 2:16 AM
    Moderator