
I'm using Wininet library to establish SSL connection with client certificate (stored on the smart card).

The problem is that I see smart card is accessed for each HttpRequest that has been sent.

From Fiddler and Wireshark, I see that:

1. All requests are HTTP 1.0 instead of HTTP 1.1.
2. A full SSL handshake takes place for each connection.
3. I'm not asked to enter the PIN code for each request (only for the first one), but the smart card is accessed for each request I send.

Any ideas / leads? Actually, maybe the problem is not about wininet, but there should be additional steps to be taken with the certificate store?

Thank you, Zahar

Zaky

1 Answer


OK, I still didn't understand why the wininet SSL connection is HTTP 1.0 instead of HTTP 1.1 (according to MSDN it should be HTTP 1.1); well, in wininet.h it is clear that the HTTP version is 1.0.

Regarding the full handshake: I cannot use INTERNET_FLAG_IGNORE_CERT_CN_INVALID or INTERNET_FLAG_IGNORE_CERT_DATE_INVALID or related certificate-ignore flags to ignore any certificate error or certificate validation check. The IE wininet code enforces a check to see if you are not using the regular IE routine to handle security. If the security check is ignored or disabled, wininet will enforce a new SSL socket for each individual request, which means requests are not going to be shared together when the security check is disabled. It is a security design to confirm that you really want to ignore/disable the certificate check for every single request instead of an un-validated SSL session being shared across multiple requests.

Regards, Zahar

Zaky
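The following is an added example of mine, not code from the original post or from Microsoft. It puts the weak flag set the answer warns about (the `INTERNET_FLAG_IGNORE_CERT_*` flags, which make WinInet open a fresh SSL socket, and so a fresh handshake and smart-card access, for every request) beside the corrected set that keeps certificate validation on, and shows the request loop with an explicit `"HTTP/1.1"` version string, since the `HTTP_VERSION` macro in `wininet.h` is `"HTTP/1.0"`. The host `smartcard.example`, the path `/api/ping` and the user-agent string are constructed placeholders; the WinInet calls only compile on Windows, while the flag helper compiles anywhere using the flag values copied from `wininet.h`.

```c
/* Added example: WinInet client-certificate request, weak flag set beside the
 * corrected one. Not code from the original post. Host and path are
 * hypothetical placeholders; any HTTPS endpoint that asks for a client
 * certificate will do. */
#include <stdio.h>
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#include <wininet.h>
#pragma comment(lib, "wininet.lib")
#else
/* Flag values copied from wininet.h so the helper compiles and can be checked
 * on a non-Windows build; only the WinInet calls themselves need Windows. */
typedef unsigned long DWORD;
#define INTERNET_FLAG_IGNORE_CERT_CN_INVALID   0x00001000
#define INTERNET_FLAG_IGNORE_CERT_DATE_INVALID 0x00002000
#define INTERNET_FLAG_KEEP_CONNECTION          0x00400000
#define INTERNET_FLAG_SECURE                   0x00800000
#endif

/* Any certificate-validation-ignore flag makes WinInet open a new SSL socket
 * per request (the behaviour the answer describes), which is what drags the
 * smart card into every single request. */
bool ssl_session_sharing_disabled(DWORD request_flags)
{
    const DWORD ignore_mask = INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
                              INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
    return (request_flags & ignore_mask) != 0;
}

/* Weak: suppresses name/date validation; costs one full handshake per request. */
DWORD weak_request_flags(void)
{
    return INTERNET_FLAG_SECURE | INTERNET_FLAG_KEEP_CONNECTION |
           INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
           INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
}

/* Corrected: validate the server certificate normally and fix the trust chain
 * or the certificate name on the server side instead of ignoring errors. */
DWORD corrected_request_flags(void)
{
    return INTERNET_FLAG_SECURE | INTERNET_FLAG_KEEP_CONNECTION;
}

#ifdef _WIN32
/* Sends `count` GET requests through one connection handle. Returns the number
 * of requests that came back with an HTTP status, or -1 on setup failure. */
int send_requests(const char *host, const char *path, DWORD flags, int count)
{
    HINTERNET session = InternetOpenA("wininet-example/1.0", /* constructed UA */
                                      INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
    if (!session) return -1;
    HINTERNET conn = InternetConnectA(session, host, INTERNET_DEFAULT_HTTPS_PORT,
                                      NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
    if (!conn) { InternetCloseHandle(session); return -1; }

    int ok = 0;
    for (int i = 0; i < count; i++) {
        /* Explicit "HTTP/1.1": the HTTP_VERSION macro in wininet.h is "HTTP/1.0". */
        HINTERNET req = HttpOpenRequestA(conn, "GET", path, "HTTP/1.1",
                                         NULL, NULL, flags, 0);
        if (!req) break;
        if (HttpSendRequestA(req, NULL, 0, NULL, 0)) {
            DWORD status = 0, len = sizeof(status);
            if (HttpQueryInfoA(req, HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
                               &status, &len, NULL))
                ok++;
        }
        InternetCloseHandle(req);
    }
    InternetCloseHandle(conn);
    InternetCloseHandle(session);
    return ok;
}
#endif

int main(void)
{
    printf("weak flags disable session sharing: %d\n",
           ssl_session_sharing_disabled(weak_request_flags()));
    printf("corrected flags disable session sharing: %d\n",
           ssl_session_sharing_disabled(corrected_request_flags()));
#ifdef _WIN32
    /* Watch the handshake count in Wireshark while this runs: with the weak
     * flags every request does a full handshake and touches the smart card. */
    printf("corrected: %d of 3 requests completed\n",
           send_requests("smartcard.example", "/api/ping",
                         corrected_request_flags(), 3));
#endif
    return 0;
}
```

Build on Windows with `cl example.c` (the `#pragma comment` pulls in `wininet.lib`) and capture the session in Wireshark: with `corrected_request_flags()` only the first request carries a full handshake, with `weak_request_flags()` every request does. If the server certificate genuinely fails validation, the fix is to trust the issuing CA or correct the certificate name, not to add the ignore flags back.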