IIS 7 and Above
How to get SChannel (SSPI) context from ISAPI Filter or ISAPI Extensi...
Last post Jun 13, 2019 06:48 AM by Able
May 29, 2019 09:27 AM | irium
We are implementing the EST protocol, which requires knowing the "tls-unique" value from the SSL connection info. The ideal way would be to implement it via an ISAPI Filter or Extension that could read this data and then pass it via an HTTP header or something like that.
The ISAPI Filter's HTTP_FILTER_CONTEXT has the function ServerSupportFunction, which supports the SF_REQ_GET_PROPERTY request. But it returns return code 0x32 (ERROR_NOT_SUPPORTED):
pfc->ServerSupportFunction(pfc, SF_REQ_GET_PROPERTY, &ctxtHandle, SF_PROPERTY_SSL_CTXT, 0);
This is documented at https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525773(v=vs.90).
Then we tried an ISAPI Extension. It also has a ServerSupportFunction that supports the HSE_REQ_GET_SSPI_INFO request.
https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525978(v=vs.90) says nothing about it being unsupported. The docs for IIS 10 say that it continues to support unmanaged ISAPI Extensions and Filters.
So the question is: is there any way to get access to the SSL (SSPI) context from an ISAPI Filter or Extension? I know IIS provides access to all kinds of certificate-related info, but we need something else from the SSL connection, and IIS sadly just doesn't allow us to get it.
May 30, 2019 06:47 AM | Able
According to your description, could you please tell me what information you want from the SSL connection? I think some connections are under protection to prevent any threatening attacks. So you may have no rights to see the connection, whatever API you use.
May 30, 2019 12:48 PM | irium
We need to get the "tls-unique" (https://tools.ietf.org/html/rfc5929) value from the SSL connection. It's really accessible via the QueryContextAttributes SSPI function with the SECPKG_ATTR_UNIQUE_BINDINGS attribute defined in "sspi.h". We proved it by creating a standalone SSL server app.
The problem is getting the PCtxtHandle (SChannel security context handle) from an ISAPI Filter or Extension. It WAS supported, but at some point IIS stopped providing access to it.
I don't expect any security concerns, because we are on the server side, the server endpoint of the SSL connection, and it should have access to all the needed info, as it does now for certificates, the cipher used, etc.
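Added example, not code from the thread: once a PCtxtHandle is available and QueryContextAttributes with SECPKG_ATTR_UNIQUE_BINDINGS has filled a SecPkgContext_Bindings, the tls-unique value sits in the application-data region of the SEC_CHANNEL_BINDINGS block, which this example assumes carries the RFC 5056-style "tls-unique:" type prefix ahead of the Finished bytes. The struct below is a local mirror of the sspi.h layout so the parser builds without the Windows SDK, and the sample blob with its 12-byte Finished value is constructed here; extract_tls_unique and demo_roundtrip are names chosen for this example.

```c
#include <stdint.h>
#include <string.h>
/* Local mirror of the Windows SEC_CHANNEL_BINDINGS header (sspi.h), declared
 * here so the parser builds without the Windows SDK (little-endian assumed). */
typedef struct {
    uint32_t dwInitiatorAddrType, cbInitiatorLength, dwInitiatorOffset;
    uint32_t dwAcceptorAddrType, cbAcceptorLength, dwAcceptorOffset;
    uint32_t cbApplicationDataLength, dwApplicationDataOffset;
} sec_channel_bindings_t;
#define TLS_UNIQUE_PREFIX "tls-unique:"   /* RFC 5929 channel-binding type */
#define TLS_UNIQUE_PREFIX_LEN (sizeof(TLS_UNIQUE_PREFIX) - 1)
/* Copies the raw tls-unique bytes out of the Bindings buffer filled in by
 * QueryContextAttributes(SECPKG_ATTR_UNIQUE_BINDINGS). Returns the byte count,
 * or -1 for a truncated header, out-of-range offset/length, or missing prefix. */
int extract_tls_unique(const uint8_t *blob, size_t blob_len,
                       uint8_t *out, size_t out_cap)
{
    sec_channel_bindings_t h;
    if (blob == NULL || blob_len < sizeof h) return -1;
    memcpy(&h, blob, sizeof h);              /* no unaligned reads of the blob */
    uint64_t end = (uint64_t)h.dwApplicationDataOffset + h.cbApplicationDataLength;
    if (h.dwApplicationDataOffset < sizeof h || end > blob_len) return -1;
    const uint8_t *app = blob + h.dwApplicationDataOffset;
    if (h.cbApplicationDataLength <= TLS_UNIQUE_PREFIX_LEN ||
        memcmp(app, TLS_UNIQUE_PREFIX, TLS_UNIQUE_PREFIX_LEN) != 0) return -1;
    size_t n = h.cbApplicationDataLength - TLS_UNIQUE_PREFIX_LEN;
    if (n > out_cap) return -1;
    memcpy(out, app + TLS_UNIQUE_PREFIX_LEN, n);
    return (int)n;
}

/* Self-check on a constructed blob shaped like SChannel's (made-up 12-byte
 * Finished value): returns 12 on round-trip with truncation rejected, else <0. */
int demo_roundtrip(void)
{
    static const uint8_t binding[12] = {0xde,0xad,0xbe,0xef,1,2,3,4,5,6,7,8};
    uint8_t blob[64], out[16];
    sec_channel_bindings_t h = {0};
    h.dwApplicationDataOffset = (uint32_t)sizeof h;
    h.cbApplicationDataLength = (uint32_t)(TLS_UNIQUE_PREFIX_LEN + sizeof binding);
    size_t total = sizeof h + h.cbApplicationDataLength;
    memcpy(blob, &h, sizeof h);
    memcpy(blob + sizeof h, TLS_UNIQUE_PREFIX, TLS_UNIQUE_PREFIX_LEN);
    memcpy(blob + sizeof h + TLS_UNIQUE_PREFIX_LEN, binding, sizeof binding);
    int n = extract_tls_unique(blob, total, out, sizeof out);
    if (n != 12 || memcmp(out, binding, 12) != 0) return -2;
    if (extract_tls_unique(blob, total - 1, out, sizeof out) != -1) return -3;
    return n;
}
```

The extracted bytes are what an EST server would compare against the channel binding the client embedded in its request, so a malformed or truncated blob must fail closed rather than yield a partial value.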
Jun 13, 2019 06:48 AM | Able
According to your description, could you please tell me what notification you registered? Then you said that it was supported, but at some point IIS stopped providing access to it. So could you please share any document about this support?