  • How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extension?

    May 29, 2019 09:27 AM|irium

    We are implementing the EST protocol, which requires knowing the "tls-unique" value from the SSL connection info. The ideal way would be to implement it via an ISAPI Filter or Extension, which could read this data and then pass it on via an HTTP header or something like that.

    The ISAPI Filter's HTTP_FILTER_CONTEXT has a ServerSupportFunction function that supports the SF_REQ_GET_PROPERTY request. But it returns the 0x32 return code (ERROR_NOT_SUPPORTED):

    pfc->ServerSupportFunction(pfc, SF_REQ_GET_PROPERTY, &ctxtHandle, SF_PROPERTY_SSL_CTXT, 0);

    This is documented at https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525773(v=vs.90).

    Then we tried an ISAPI Extension. It also has a ServerSupportFunction that supports the HSE_REQ_GET_SSPI_INFO request.

    Here https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525978(v=vs.90) it says nothing about it being unsupported. The docs for IIS 10 say that it continues to support unmanaged ISAPI Extensions and Filters.

    So the question is: is there any way to get access to the SSL (SSPI) context from an ISAPI Filter or Extension? I know IIS provides access to all kinds of certificate-related info, but we need something else from the SSL connection, and IIS sadly just doesn't allow us to get it.