
WinHttp doesn't download from Amazon S3 on WinXP

Recently Amazon has disabled support of SSL for S3 buckets and it seems it causes problems on Win XP SP3. I use this code:

// Open a WinHTTP session using the default proxy configuration.
hSession = WinHttpOpen(L"MySession",
                    WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
                    WINHTTP_NO_PROXY_NAME,
                    WINHTTP_NO_PROXY_BYPASS, 0);

if (bHTTPS)
{
  // Restrict the session to TLS 1.0.
  DWORD flags = WINHTTP_FLAG_SECURE_PROTOCOL_TLS1;
  WinHttpSetOption(hSession, WINHTTP_OPTION_SECURE_PROTOCOLS, &flags, sizeof(flags));
}

port = bHTTPS ? INTERNET_DEFAULT_HTTPS_PORT : INTERNET_DEFAULT_HTTP_PORT;
hConnect = WinHttpConnect(hSession, srv_w, port, 0);
hRequest = WinHttpOpenRequest(hConnect, vrb_w, adr_w, NULL, WINHTTP_NO_REFERER, NULL, WINHTTP_FLAG_REFRESH | (bHTTPS ? WINHTTP_FLAG_SECURE : 0));

if (bHTTPS)
{
  // Suppress certificate validation errors: name mismatch, expiry,
  // unknown CA and wrong usage are all ignored for this request.
  DWORD dwSecFlag = SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
                        SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
                        SECURITY_FLAG_IGNORE_UNKNOWN_CA |
                        SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;

  WinHttpSetOption(hRequest, WINHTTP_OPTION_SECURITY_FLAGS, &dwSecFlag, sizeof(dwSecFlag));
}

// Send the request, then wait for the response headers.
WinHttpSendRequest(hRequest, hdr_w, (headers != NULL) ? -1 : 0, data, size, size, 0);
WinHttpReceiveResponse(hRequest, NULL);

This works on Win7 and worked a month or so ago on WinXP. But now I get WinHttp error 12152: The server returned an invalid or unrecognized response. I have enabled tracing and the log file has a different error:

17:47:47.057 ::*0000001* :: WinHttpSendRequest(0x10a0000, "", 0, 0x0, 0, 0, 0)
17:47:47.135 ::*0000001* :: "s3.amazonaws.com" resolved
17:47:47.307 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312 [SEC_I_CONTINUE_NEEDED]

Is there a way to fix this problem without using 3rd party libraries? (browsers, including IE, download files without problems).

Sergi0 asked Nov 21 '22 20:11


1 Answer

I'm having the same issue. I think it may be caused by a problem with the SSL_RSA_WITH_3DES_EDE_SHA cipher that is chosen in WinHTTP on XP. Try this as a test: On the XP machine, add a new DWORD value called "Enabled" to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168

This disables that cipher and seems to fix the issue for me. This is not an ideal solution, however, and I'm still not sure of the underlying issue. Perhaps a problem with whatever crypto provider Amazon is using?

Daniel Walker answered Jan 16 '23 04:01
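
An added example, not code from the question or the answer: a small C triage helper for WinHTTP trace lines like the one quoted in the question. It separates SSPI informational statuses such as SEC_I_CONTINUE_NEEDED (high bit clear, the handshake is still exchanging tokens) from SSPI failure codes and from non-SSPI codes. The function names, the status subset and the second sample line are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { ST_NONE, ST_OTHER, ST_INFO, ST_FAIL };

/* Subset of SSPI SECURITY_STATUS values from winerror.h. */
static const struct { unsigned long code; const char *name; } kSspi[] = {
    {0x00090312UL, "SEC_I_CONTINUE_NEEDED"},
    {0x80090326UL, "SEC_E_ILLEGAL_MESSAGE"},
    {0x80090331UL, "SEC_E_ALGORITHM_MISMATCH"},
};

const char *sspi_name(unsigned long code)
{
    for (size_t i = 0; i < sizeof kSspi / sizeof kSspi[0]; i++)
        if (kSspi[i].code == code) return kSspi[i].name;
    return "unknown";
}

/* ST_NONE: no status on the line. ST_OTHER: not an SSPI code (e.g. Winsock).
   ST_INFO: SSPI informational code (high bit clear). ST_FAIL: SSPI failure. */
int classify_trace_line(const char *line, unsigned long *code_out)
{
    static const char marker[] = "Transport error: 0x";
    const char *p = strstr(line, marker);
    unsigned long code;
    char *end;
    if (p == NULL) return ST_NONE;
    p += sizeof marker - 1;
    code = strtoul(p, &end, 16);
    if (end == p) return ST_NONE;                  /* no hex digits */
    if (code_out != NULL) *code_out = code;
    if (((code >> 16) & 0x1FFFUL) != 9) return ST_OTHER;  /* 9 = FACILITY_SSPI */
    return (code & 0x80000000UL) ? ST_FAIL : ST_INFO;
}

int main(void)
{
    /* First line is from the question; the second is a constructed sample. */
    static const char *lines[] = {
        "17:47:47.307 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x90312 [SEC_I_CONTINUE_NEEDED]",
        "17:47:48.001 ::*0000001* :: Winsock/RPC/SSL/Transport error: 0x80090331 [SEC_E_ALGORITHM_MISMATCH]",
    };
    static const char *label[] = {"none", "non-SSPI", "informational", "FAILURE"};
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        unsigned long code = 0;
        int st = classify_trace_line(lines[i], &code);
        printf("0x%08lX %-26s %s\n", code, sspi_name(code), label[st]);
    }
    return 0;
}
```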