How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extension?

3 replies

Last post Jun 13, 2019 06:48 AM by Able

  • How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extension?

    May 29, 2019 09:27 AM|irium

    We are implementing the EST protocol, which requires knowing the "tls-unique" value from the SSL connection info. The ideal way would be to implement it via an ISAPI Filter or Extension which could read this data and then pass it via an HTTP header or something like that.

    ISAPI Filter's HTTP_FILTER_CONTEXT has a function, ServerSupportFunction, that supports the SF_REQ_GET_PROPERTY request. But it returns the 0x32 return code (ERROR_NOT_SUPPORTED):

    pfc->ServerSupportFunction(pfc, SF_REQ_GET_PROPERTY, &ctxtHandle, SF_PROPERTY_SSL_CTXT, 0);

    Which is documented at https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525773(v=vs.90).

    Then we tried an ISAPI Extension. It also has a ServerSupportFunction that supports the HSE_REQ_GET_SSPI_INFO request.

    Here https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525978(v=vs.90) it says nothing about it being unsupported. The docs about IIS 10 say that it continues to support unmanaged ISAPI Extensions and Filters.

    So the question is: is there any way to get access to the SSL (SSPI) context from an ISAPI Filter or Extension? I know IIS provides access to all kinds of certificate-related info, but we need something else from the SSL connection and IIS sadly just doesn't allow us to get it.

  • Re: How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extension?

    May 30, 2019 06:47 AM|Able

    Hi irium,

    According to your description, could you please tell me what information you want from the SSL connection? I think some connections are under protection to prevent any threatening attacks. So you may have no rights to see the connection whatever API you use.

    Best Regards

    Able

    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extension?

    May 30, 2019 12:48 PM|irium

    Hi Able,

    We need to get the "tls-unique" (https://tools.ietf.org/html/rfc5929) value from the SSL connection. It's really accessible via the QueryContextAttributes SSPI function:

    https://docs.microsoft.com/en-us/windows/desktop/api/sspi/nf-sspi-querycontextattributesw

    with the SECPKG_ATTR_UNIQUE_BINDINGS attribute defined in "sspi.h". We proved it by creating a standalone SSL server app.

    The problem is getting the PCtxtHandle (SChannel security context handle) from an ISAPI Filter or Extension. It WAS supported, but at some time IIS stopped providing access to it.

    I don't expect any security concerns, because we are at the server side - the server endpoint of the SSL connection - and it should have access to all needed info, as it does now for certificates, the cipher used, etc.

    Best regards,

    Roman
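
The server-side step described in the post above, as an added example that is not part of the original thread or any Microsoft sample: it parses the buffer that QueryContextAttributes returns for SECPKG_ATTR_UNIQUE_BINDINGS (the `Bindings` pointer and `BindingsLength` of SecPkgContext_Bindings) and base64-encodes the tls-unique value, the form in which EST carries it. It assumes the application data is the ASCII prefix "tls-unique:" followed by the raw value; `bindings_hdr` and both function names are hypothetical, with the struct mirroring SEC_CHANNEL_BINDINGS so the code builds without the Windows SDK.

```c
#include <stdint.h>
#include <string.h>

/* Portable mirror of SEC_CHANNEL_BINDINGS from sspi.h (eight 32-bit fields),
   redefined here so the parser builds without the Windows SDK. */
typedef struct {
    uint32_t dwInitiatorAddrType, cbInitiatorLength, dwInitiatorOffset;
    uint32_t dwAcceptorAddrType, cbAcceptorLength, dwAcceptorOffset;
    uint32_t cbApplicationDataLength, dwApplicationDataOffset;
} bindings_hdr;

/* Copies the raw tls-unique bytes to out; returns their count, or -1 if malformed. */
int extract_tls_unique(const uint8_t *buf, size_t len, uint8_t *out, size_t cap) {
    static const char prefix[] = "tls-unique:";   /* assumed application-data prefix */
    const size_t plen = sizeof prefix - 1;
    bindings_hdr h;
    if (len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);                    /* avoid unaligned reads */
    /* Offsets count from the start of the structure; reject anything out of range. */
    if (h.dwApplicationDataOffset < sizeof h || h.dwApplicationDataOffset > len) return -1;
    if (h.cbApplicationDataLength > len - h.dwApplicationDataOffset) return -1;
    size_t n = h.cbApplicationDataLength;
    if (n <= plen || n - plen > cap) return -1;
    if (memcmp(buf + h.dwApplicationDataOffset, prefix, plen) != 0) return -1;
    memcpy(out, buf + h.dwApplicationDataOffset + plen, n - plen);
    return (int)(n - plen);
}

/* RFC 4648 base64, the encoding EST uses for tls-unique; returns length or -1. */
int base64_encode(const uint8_t *in, size_t n, char *out, size_t cap) {
    static const char T[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = 4 * ((n + 2) / 3), o = 0;
    if (cap < need + 1) return -1;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = T[(v >> 18) & 63];
        out[o++] = T[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? T[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? T[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)need;
}
```

A -1 from `extract_tls_unique` means the buffer should be treated as untrusted or of the wrong binding type and the request rejected, rather than forwarding an empty or partial value.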

  • Re: How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extension?

    Jun 13, 2019 06:48 AM|Able

    Hi irium,

    According to your description, could you please tell me what notification you registered? Then you said that it was supported, but at some time IIS stopped providing access to it. So could you please share any document about this support?

    Best Regards

    Able
