
I am supporting a Classic ASP application that connects to a payment gateway via HTTPS. Up until recently there have been no issues. A few days ago the latest updates were installed on the server (Windows Server 2003) and caused the site to break. A code snippet is below.

Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056   ' option 2 = server SSL cert error flags; 13056 (&H3300) ignores every check (unknown CA, wrong usage, CN mismatch, expiry)
oHttp.open "POST", SOAP_ENDPOINT, false
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST

Below is a dump of the error object :-

Number: -2147012852 Description: A certificate is required to complete client authentication Message: A certificate is required to complete client authentication

At first I thought it was because the Payment Gateway's SSL certificate was not being authenticated or they needed a client certificate. I tested the URL in a browser on the server and it displayed correctly without errors and confirmed that the Payment Gateway server did not require a client certificate.

I am at a loss. All the research I have done has led me nowhere. I even tried the following found on Stackoverflow :-

Getting XMLHTTP to work with HTTPS

xmlHttp, XML request,asp

The last one stated that a client certificate is required by XMLHTTP even though the server does not need it and pointed to a KB article on how to install one, but that is outdated and does not work.

Imraan
  • I'm guessing the gateway's SSL cert is now provided by someone not in your server's trusted root authority list and you need a parameter like curl's `CURLOPT_SSL_VERIFYPEER`. I'll come back if I find anything. – Richard Benson Feb 09 '12 at 17:19
  • The answer to the first question you listed is what I was looking for and should work for you. – Richard Benson Feb 10 '12 at 09:58
  • I'm the sysadmin who's lending a hand with this. The answer to the first question doesn't fix the problem I'm afraid. In fact, that option is already set in the code posted in the question above. Just to add to this, this is happening on at least 3 separate servers, none of which have seen any config changes recently, barring Windows updates that were installed yesterday/today, after the problem started occurring. The last updates before that were in late November. – ThatGraemeGuy Feb 10 '12 at 13:33
  • Using plain HTTP worked, which proves that the code is sound. Something on the server is stopping XMLHTTP from accessing any URL using HTTPS. – Imraan Feb 13 '12 at 15:02

5 Answers


Try adding oHttp.setOption 2, 13056

Control Freak
  • Tried that syntax but still no luck – Imraan Feb 13 '12 at 14:42
    We have a legacy ASP app using MSXML that was just transferred to a different ISP, and started getting `Error -2147012851: The certificate authority is invalid or incorrect` when trying to connect over HTTPS. (Connecting over HTTP works just fine.) Adding this `.setOption 2, 13056` to our code has "solved" (avoided) the problem, so thank you Zee Tee! – Funka Jul 07 '12 at 00:21

Just found the solution to this which has passed testing on:

  • Windows 10 (IIS 10)
  • Windows 2012 R2 (IIS 8.5)

It's a client problem. MSXML2.ServerXMLHTTP does indeed require you to use a client certificate when calling an endpoint secured with SSL (even if the endpoint doesn't require it), as the OP noted.

On the webserver, you need to:

  1. Create a client certificate
  2. Assign permissions to the certificate
  3. Set the certificate on the ServerXMLHTTP object

In detail:

1. Create a client certificate

Use the following PowerShell command to create a new self-signed certificate:

New-SelfSignedCertificate -DnsName "ServerXMLHTTP", "ServerXMLHTTP" -CertStoreLocation "cert:\LocalMachine\My"

Note that the certificate created by this command will only be valid for 1 year.

2. Assign permissions to the certificate

Using MMC, view the certificate store for the computer account: How to: View Certificates with the MMC Snap-in

The certificate created above can be found in Certificates (Local Computer)\Personal\Certificates (the "Issued By" and "Issued To" columns display "ServerXMLHTTP").

Right click the ServerXMLHTTP certificate, select "All Tasks" -> "Manage Private Keys" and the permissions dialog will display.

Add the user that the ASP website app pool is running as. By default it will be running as "ApplicationPoolIdentity", but your setup may be using a specific user account. If the app pool is using ApplicationPoolIdentity, the username to add is "IIS AppPool\APP POOL NAME", e.g. IIS AppPool\DefaultAppPool

The user will be added with "Full Control" which can be deselected. Only "Read" permission seems to be required. Click "OK" to confirm the permissions.

3. Set the certificate on the ServerXMLHTTP object

In your ASP code, set the ServerXMLHTTP object to use the certificate created above. For example calling PayPal for an access token:

Dim strAuthToken: strAuthToken = "<Base64 encoded version of ClientId:Secret>"
Dim oHttp: Set oHttp = Server.CreateObject("MSXML2.ServerXMLHTTP")

With oHttp
    Call .Open("POST", "https://api.sandbox.paypal.com/v1/oauth2/token", False)
    Call .SetOption(3, "LOCAL_MACHINE\My\ServerXMLHTTP")
    Call .SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    Call .SetRequestHeader("Authorization", "Basic " & strAuthToken)
    Call .Send("grant_type=client_credentials")
End With

Hopefully this is still of assistance.

bambam
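As an added example (not code from the question or from any answer in this thread), the wrapper below keeps ServerXMLHTTP's server-certificate validation switched on instead of the `setOption 2, 13056` workaround given earlier, presents a client certificate through option 3 as in the three steps above when one is supplied, and turns the two COM error numbers quoted in this thread into diagnostics an administrator can act on. It assumes MSXML 6 is installed; the URL, content type, body and certificate reference are placeholders the caller supplies, and in a Classic ASP page `Option Explicit` must be the first statement.

```vbscript
' Added example (not from the question or any answer): HTTPS POST through
' MSXML2.ServerXMLHTTP with server-certificate validation left ON, an optional
' client certificate via option 3, and error numbers turned into diagnostics.
' Assumes MSXML 6 is installed; url/contentType/body/clientCert are placeholders.
Option Explicit

Const SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS = 2
Const SXH_OPTION_SELECT_CLIENT_SSL_CERT = 3
' 13056 (&H3300) from the thread is these four flags OR'd together, i.e. no
' validation at all. Keep the mask at 0 in production and fix the trust chain.
Const SXH_SERVER_CERT_IGNORE_UNKNOWN_CA = &H0100
Const SXH_SERVER_CERT_IGNORE_WRONG_USAGE = &H0200
Const SXH_SERVER_CERT_IGNORE_CERT_CN_INVALID = &H1000
Const SXH_SERVER_CERT_IGNORE_CERT_DATE_INVALID = &H2000
' COM error numbers quoted in this thread (WinHTTP 12044 and 12045)
Const E_CLIENT_AUTH_CERT_NEEDED = -2147012852
Const E_SECURE_INVALID_CA = -2147012851

' Returns the HTTP status on success, or the negative COM error number on a
' transport/TLS failure. diag receives an explanation for the administrator.
' clientCert is "" or e.g. "LOCAL_MACHINE\My\ServerXMLHTTP" (store\subject).
Function SecurePost(url, contentType, body, clientCert, ByRef diag)
    Dim oHttp
    Set oHttp = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    On Error Resume Next
    oHttp.open "POST", url, False
    ' 0 = honour every server-certificate check (CA, usage, name, validity dates)
    oHttp.setOption SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS, 0
    If Len(clientCert) > 0 Then oHttp.setOption SXH_OPTION_SELECT_CLIENT_SSL_CERT, clientCert
    oHttp.setRequestHeader "Content-Type", contentType
    If Err.Number = 0 Then oHttp.send body
    If Err.Number <> 0 Then
        SecurePost = Err.Number
        Select Case Err.Number
            Case E_CLIENT_AUTH_CERT_NEEDED
                diag = "Server asked for a client certificate (WinHTTP 12044): supply one via option 3."
            Case E_SECURE_INVALID_CA
                diag = "Certificate chain is not trusted (WinHTTP 12045): install the gateway's " & _
                       "intermediate/root CA in the machine store rather than setting 13056."
            Case Else
                diag = "Error &H" & Hex(Err.Number) & ": " & Err.Description
        End Select
        Err.Clear
    Else
        SecurePost = oHttp.status
        diag = "HTTP " & oHttp.status & " " & oHttp.statusText
    End If
    On Error GoTo 0
End Function
```

For the question's SOAP call this would be invoked as `status = SecurePost(SOAP_ENDPOINT, "application/soap+xml; charset=utf-8", SOAP_REQUEST, "", diag)` and `diag` logged whenever `status < 0`.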

I know it is an old question. This issue could be because of unsupported cipher suites. Try adding:

  • TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
  • TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)

That means you have to follow this KB: http://support.microsoft.com/kb/948963. This update is also interesting if you are still using Windows 2003, as it will allow connecting to sites using SHA2: http://support.microsoft.com/kb/968730

Please note that Windows Server 2003 support is ending July 14, 2015

Sunil
  • Just noticed that .setOption 2 helped. That was not marked as the answer and I missed it. In this case you can install the intermediate and root certificates of the payment gateway certificate if they have any missing chain. That can avoid using SetOption 2 – Sunil Feb 23 '15 at 11:38

This is probably a ServerFault.com question really; after all, if the code is working fine then it's not a programmatic problem.

However I would try a couple of things. First, try using the ProgID "MSXML2.ServerXMLHTTP.3.0"; in some circumstances MSXML3 will behave differently depending on which ProgID was used to instantiate the component. Also, updates from other sources like your anti-virus supplier (Sophos had this problem) can break MSXML installs.

Another ProgID to try is "MSXML2.ServerXMLHTTP.6.0" after having installed MSXML6. If the problem is with an update to the MSXML3 core then perhaps the MSXML6 core doesn't have the same problem.

AnthonyWJones

Can you try with oHttp.setOption(3) = "certificate store name/friendlyname of certificate" as below? I hope this works.

Dim oHttp
Dim strResult
Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
oHttp.setOption(2) = 13056   ' ignore all server certificate errors (&H3300)
oHttp.open "POST", SOAP_ENDPOINT, false
' option 3 (SXH_OPTION_SELECT_CLIENT_SSL_CERT) selects the client certificate to present;
' it must be set after open and before send
oHttp.setOption(3) = "certificate store name/friendlyname of certificate"
oHttp.setRequestHeader "Content-Type", "application/soap+xml; charset=utf-8"
oHttp.setRequestHeader "SOAPAction", SOAP_NS + "/" & SOAP_FUNCTION
oHttp.send SOAP_REQUEST

Gaurav
  • option 3 is SXH_OPTION_SELECT_CLIENT_SSL_CERT. As far as I can tell that's to specify a client certificate, when the poster says no client certificate is being used. Why do you think adding that would help? – Thomas Vander Stichele Sep 05 '12 at 18:38