Microsoft KB Archive/831131

= PRB: HSE_REQ_GET_SSPI_INFO Function Cannot Be Used to Retrieve the SSL Cipher Specification =

Article ID: 831131

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Server Application Programming Interface 4.0
 * Microsoft Internet Information Services 6.0
 * Microsoft Internet Information Services 5.0






SYMPTOMS
The HSE_REQ_GET_SSPI_INFO function enables ISAPI extensions to retrieve context and credential handles. However, these handles cannot be used to determine what cipher suite is used in the underlying Secure Sockets Layer (SSL) connection.



CAUSE
HSE_REQ_GET_SSPI_INFO returns information about authentication, not information about SSL.



RESOLUTION
To work around this problem, use one of the following methods:

 * Require client certificates. When a client certificate is used, the CtxtHandle handle from HSE_REQ_GET_SSPI_INFO will contain a valid context. This valid context can be used to access additional information about the underlying connection.
 * Restrict the cryptographic algorithms and protocols that can be used by Internet Information Services (IIS). This restriction allows the extension to make assumptions about the cipher suite that is in use. This restriction may have unwanted side effects, such as preventing clients that do not support the selected cipher properties from connecting.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
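
The first workaround in code, as an added example that is not from this article or from Microsoft: the extension requests the SSPI handles, then reads the negotiated protocol and cipher strength from the context and fails closed when no context is available. The article does not name the call made on the context; QueryContextAttributes with SECPKG_ATTR_CONNECTION_INFO is assumed here, and connection_meets_policy, check_request_cipher and the min_bits policy are hypothetical names.

```c
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <httpext.h>
#include <security.h>
#include <schannel.h>
#else /* stand-ins mirroring schannel.h so the policy check builds elsewhere */
#include <stddef.h>
typedef unsigned int DWORD, ALG_ID;
typedef struct {
    DWORD dwProtocol; ALG_ID aiCipher; DWORD dwCipherStrength;
    ALG_ID aiHash; DWORD dwHashStrength; ALG_ID aiExch; DWORD dwExchStrength;
} SecPkgContext_ConnectionInfo;
#define SP_PROT_SSL2_SERVER 0x00000004
#define SP_PROT_TLS1_SERVER 0x00000040
#endif

/* Hypothetical policy (assumption, not from the article): reject SSL 2.0 and
   any bulk cipher weaker than min_bits (a strength of 0 means no encryption).
   Returns 1 = accept, 0 = reject. */
int connection_meets_policy(const SecPkgContext_ConnectionInfo *ci, DWORD min_bits)
{
    if (ci == NULL || (ci->dwProtocol & SP_PROT_SSL2_SERVER))
        return 0;
    return ci->dwCipherStrength != 0 && ci->dwCipherStrength >= min_bits;
}

#ifdef _WIN32
/* 1 = accept, 0 = reject, -1 = no usable SSL context for this request
   (per the article, expect -1 unless a client certificate was presented). */
int check_request_cipher(EXTENSION_CONTROL_BLOCK *ecb, DWORD min_bits)
{
    CtxtHandle ctxt; CredHandle cred;
    SecPkgContext_ConnectionInfo ci;
    SecInvalidateHandle(&ctxt); SecInvalidateHandle(&cred);
    if (!ecb->ServerSupportFunction(ecb->ConnID, HSE_REQ_GET_SSPI_INFO,
                                    &ctxt, NULL, (LPDWORD)&cred))
        return -1;
    if (QueryContextAttributes(&ctxt, SECPKG_ATTR_CONNECTION_INFO, &ci) != SEC_E_OK)
        return -1;   /* fail closed: the caller should not guess the cipher */
    return connection_meets_policy(&ci, min_bits);
}
#else
int main(void)
{   /* constructed sample: TLS 1.0, 128-bit RC4 (0x6801), SHA-1, RSA key exchange */
    SecPkgContext_ConnectionInfo s = { SP_PROT_TLS1_SERVER, 0x6801, 128, 0x8004, 160, 0xa400, 1024 };
    return connection_meets_policy(&s, 128) ? 0 : 1;
}
#endif
```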





STATUS
This behavior is by design.

