Winhttp.winhttprequest.5.1 certificate error

[PunkoHead]

Hi guys,

I have a problem with Winhttp.winhttprequest.5.1
When I try to POST to a URL (https://example.com) it works just fine, but when I try to POST to the IP (https://1.1.1.1) there is an error message.

My COM error handler says the following:
Description: The host name in the certificate is invalid or does not match
Number: 80020009
Source: WinHttp.WinHttpRequest

It is most certainly a problem on our server, however I am asking if there is a way that we can disable the SSL verification while posting to the IPs instead of the DNS.

The code that I use is:

expandcollapse popup

Func SendXmlPostRequest($url, $auth, $xml) ; Make a POST request to Genesis and get the response.
    Global $oHTTP = ObjCreate('Winhttp.winhttprequest.5.1')
    $oHTTP.Open('POST', $url, False)
    $oHTTP.SetRequestHeader('Authorization', 'Basic' & ' ' & $auth)
    $oHTTP.setRequestHeader('Content-type', 'application/xml')
    $oHTTP.Send($xml)
    $responseText = $oHTTP.ResponseText
    $responseStatus = $oHTTP.Status

    If $responseStatus <> 200 Then ; Check the response code from the server.
        MsgBox(0, 'Message', 'Request failed on subimtion with Response Status:' & ' ' & $responseStatus)
        Exit
    EndIf

    $getCodeArr = _StringBetween($responseText, '<code>', '</code>')
    $getCode = $getCodeArr

    If $getCode <> 0 And $getCode <> 200 Then ; Check the response code from the gateway.
        $getTechicalMessageArr = _StringBetween($responseText, '<technical_message>', '</technical_message>')
        $getTechicalMessage = $getTechicalMessageArr
        MsgBox(0, 'Message', 'Request failed with:' & @CRLF & 'Response Code:' & ' ' & $getCodeArr[0] & @CRLF & 'Technical Message:' & ' ' & $getTechicalMessageArr[0])
        Exit
    EndIf

    If $responseStatus = 200 Then
        $getTransType = _StringBetween($responseText, '<transaction_type>', '</transaction_type>')
        If $getTransType[0] = "capture" Then
            $getCaptureUniqueID = _StringBetween($responseText, '<unique_id>', '</unique_id>')
        ElseIf $getTransType[0] = "void" Then
            $getVoidUniqueID = _StringBetween($responseText, '<unique_id>', '</unique_id>')
        ElseIf $getTransType[0] = "refund" Then
            $getRefundUniqueID = _StringBetween($responseText, '<unique_id>', '</unique_id>')
        ElseIf $getTransType[0] = "credit" Then
            $getCreditUniqueID = _StringBetween($responseText, '<unique_id>', '</unique_id>')
        ElseIf $getTransType[0] = "recurring_sale" Then
            $getRecurringSaleUniqueID = _StringBetween($responseText, '<unique_id>', '</unique_id>')
        Else
            $getUniqueID = _StringBetween($responseText, '<unique_id>', '</unique_id>')
            $uniqueID = $getUniqueID[0]
        EndIf
    EndIf
EndFunc   ;==>SendXmlPostRequest

Thank you in advance for the suggestions!

[TheXman]

@PunkoHead

Here are the constants for the Option property of the WinHttpRequest object:

Global Enum $WinHttpRequestOption_UserAgentString, _
            $WinHttpRequestOption_URL, _
            $WinHttpRequestOption_URLCodePage, _
            $WinHttpRequestOption_EscapePercentInURL, _
            $WinHttpRequestOption_SslErrorIgnoreFlags, _
            $WinHttpRequestOption_SelectCertificate, _
            $WinHttpRequestOption_EnableRedirects, _
            $WinHttpRequestOption_UrlEscapeDisable, _
            $WinHttpRequestOption_UrlEscapeDisableQuery, _
            $WinHttpRequestOption_SecureProtocols, _
            $WinHttpRequestOption_EnableTracing, _
            $WinHttpRequestOption_RevertImpersonationOverSsl, _
            $WinHttpRequestOption_EnableHttpsToHttpRedirects, _
            $WinHttpRequestOption_EnablePassportAuthentication, _
            $WinHttpRequestOption_MaxAutomaticRedirects, _
            $WinHttpRequestOption_MaxResponseHeaderSize, _
            $WinHttpRequestOption_MaxResponseDrainSize, _
            $WinHttpRequestOption_EnableHttp1_1, _
            $WinHttpRequestOption_EnableCertificateRevocationCheck

Here are the valid values for ignoring SSL errors

Global CONST $WinHttpRequestOption_SslErrorIgnoreFlags_UnknownCA       = 0x0100
Global CONST $WinHttpRequestOption_SslErrorIgnoreFlags_CertWrongUsage  = 0x0200
Global CONST $WinHttpRequestOption_SslErrorIgnoreFlags_CertCNInvalid   = 0x1000
Global CONST $WinHttpRequestOption_SslErrorIgnoreFlags_CertDateInvalid = 0x2000
Global CONST $WinHttpRequestOption_SslErrorIgnoreFlags_IgnoreAll       = 0x3300  ;IGNORE ALL OF THE ABOVE

So to ignore all SSL errors, you could add the following line before your send:

$oHTTP.Option($WinHttpRequestOption_SslErrorIgnoreFlags) = $WinHttpRequestOption_SslErrorIgnoreFlags_IgnoreAll

or

$oHTTP.Option(4) = 0x3300

 

Edited October 25, 2018 by TheXman
Added @PunkoHead since he or she isn't following the topic

[PunkoHead]

I did not have the chance to thank you. This solved the issue!

[TheXman]

You're welcome.  Glad to have helped. 

[PunkoHead]

Just a slight update here, once I ignore the certificate alerts, my request is not being sent as application/xml and the server refuses the post request.

I read somewhere that this is because some character conversion and the XML not being sent as UTF-8, but am not sure. Basically, using Winhttp.winhttprequest.5.1, I am not able to send my requests to the server. 

Does anyone have a solution for this? Not sure if I have to open a new thread about this.

Thanks in advance!

[Juvigy]

Try with the IE functions, that might work.

[PunkoHead]

@Juvigy

Can you point me out a bit? What do you mean? I do not want to use the IE.au3 library for this one.

[caramen]

If it's still cetificat issue: 

If the webSite is Safe "?"

Just approve the invalid certificate. And import it to the computer.

 

This is able to be done only if you're automating one PC.

Is it Symantec certif ?

[PunkoHead]

Unfortunately I am not able to import the certificate because I am trying to reach the certificate via IP not a domain.

Also, many people will use it

[TheXman]

6 hours ago, PunkoHead said:

my request is not being sent as application/xml

Is this an assumption or are you getting back an error that explicitly states that is the reason your POST is getting rejected?  Can you show the response or any errors that you got back in the response?

To trouble shoot the issue, more information is needed.  Are you sure that the XML is valid?  Can you provide the request requirements?  Does the request require any other information to be sent in the header?  Does the site have a test environment that test requests can be sent? If so, that would help.  Without more information, any attempt to trouble shoot the issue would be pure speculation.

[Juvigy]

5 hours ago, PunkoHead said:

@Juvigy

Can you point me out a bit? What do you mean? I do not want to use the IE.au3 library for this one.

Yes, IE UDF. Why dont you want to use it?

[TheXman]

24 minutes ago, Juvigy said:

Yes, IE UDF. Why dont you want to use it?

@Juvigy

You've piqued my interest.  To the best of my knowledge, you cannot do an HTTP POST of application/xml data using any IE UDF functions.  Just how would you propose to do an HTTP POST of application/xml data using the IE UDF?

[PunkoHead]

Quote

Is this an assumption or are you getting back an error that explicitly states that is the reason your POST is getting rejected?  Can you show the response or any errors that you got back in the response?

This is what I got - it is a response from our server:

<payment_response>
  <status>error</status>
  <code>360</code>
  <message>Missing or invalid content type: should be text/xml!</message>
  <technical_message>Parsing not possible.</technical_message>
</payment_response>

Quote

Are you sure that the XML is valid?

Yes, using Msxml2.XMLHTTP is sending the correct thing.

We have a test environment but it is really strict and I am not able to provide you access to it

As for the information in the headers - only content type and authorization - nothing else.

And just clarification, if I set the header to text/xml - it is the same error.

[TheXman]

The error message says that it is expecting a content-type of text/xml.  Looking at your original post, you specified a content-type of application/xml.  Have you tried changing it to text/xml? 

Sorry. just read the last sentence?    I see that you did try text/html.

Edited October 31, 2018 by TheXman

[TheXman]

When I am testing web services, I use an extension like Rester, in Firefox, to make sure that I have all of the information I need to get a successful response.  I then translate it into code.  Have you tried using some sort of web service tool, other than msxml2.xmlhttp, to validate the request?

Edited October 31, 2018 by TheXman

[TheXman]

You could also try explicitly setting the charset like:

$oHTTP.setRequestHeader('Content-Type', 'text/xml; charset=utf-8')

 

Edited October 31, 2018 by TheXman

[PunkoHead]

This is super strange...

Trying these:

$oHTTP.SetRequestHeader('Content-Type', 'application/xml; charset=utf-8')
$oHTTP.SetRequestHeader('Content-Type', 'text/xml; charset=utf-8')

Did not help.

As for the testing - I am testing with Postman - I get great responses with it. I also tried restlet - it works great as well.

Not sure if I switch to another version of winhttprequest. Can you give me the exact name that I have to put in ObjCreate in order to do so?

[TheXman]

All of my scripts use exactly the same command as your original post:

$oHttp = ObjCreate("winhttp.winhttprequest.5.1")

 

[TheXman]

Postman should be able to show you the raw request and response.  If it doesn't, you could use a protocol sniffer like WireShark to capture the request in order to see exactly how the successful requests look.  Then, you can build the request to look the same.  Something is missing in the AutoIt-generated requests using the winhttprequest object.

Edited October 31, 2018 by TheXman

[TheXman]

Are you going through a proxy?  If so, are host headers required?