My CGI application is trying to use SSPI Schannel to create a TLS connection with another server.
http://www.coastrd.com/c-schannel-smtp
The handshake process begins by checking for a certificate in the "MY" certificate store
http://msdn.microsoft.com/en-us/library/aa376560(VS.85).aspx
This function returns zero and GetLastError also returns zero!?
I assume this is a permissions issue.
How do I get this to work without elevating IUSR to administrator for example?
ADDED
Accessing user certificates requires running as the specific user, and accessing the user private key requires either that the user has logged on locally with the password, or that the server is enabled for delegation.
Machine certificates are readable by everyone, but accessing the private key requires admin rights (or local user) unless you adjust the ACL.
ADDED
In this situation, there are no restraints on certificates, but "MY" certificate store is empty and I don't want to buy a certificate just for this.
I am currently using WS2003. The server I am connecting to is gmail.com to send emails using TLS. My code can look for a certificate, but I don't have one. In the reading I have done, it seems like a giant headache to get a certificate, with registration and purchasing and installation, otherwise you just get a temporary solution which is no help. Unless you know of an easy way to get a certificate, this is a lot more trouble than I want to go to just to send email from a CGI app. Is there ANY other way?
I VERY much appreciate your help Joe, but $30/yr x nServers is just not an option. I am wondering if there is a way to hand the task off to another process that IS running with Admin privildeges, like a service perhaps? I could even create an application that is scheduled to read from a given folder and send any emails found there. Other than that, I would have to try elevating the CGI application to Administrator.
ADDED
Goyuix, thank you for the suggestions. The challenge is to provide a stand alone solution without resorting to other libraries like .NET (60MB) or ASP with it's attendant problems.
You are correct, I only need server Authentication. I was not aware it was possible to authenticate one side only. your statement: "Having no client certificate should not stop you from establishing a secure channel for SMTP. You may just need to code around that part of the handshake." turned out to be the solution.
This reminds me of the old plumber joke. The plumber is called to unblock the drain. He takes one look , pulls out a hammer and hits the pipe once. He asks for $180 for 5 mins work itemized as, $30 callout charge and $150 to kown where to hit the pipe.
Thank you both. This has been a LONG uphill slog.
Best Answer
The only reason that the schannel code is trying to crack open the "MY" store is to look for a potential certificate that can be used for client authentication as part of the initial handshake. In your example, I would imagine you really only care about server authentication (e.g. make sure your client is talking to the server it thinks it is). Having no client certificate should not stop you from establishing a secure channel for SMTP. You may just need to code around that part of the handshake.
If you need client authentication as well, then you are probably going to have to either:
As for fixing the linked code... well - I would suggest trying the SmtpClient code that comes with the .NET framework if that is an option. It supports encrypted communications and should, in theory, "just work". Is managed C++ even an option? Or better yet, just write an ASP.NET handler for this?
http://msdn.microsoft.com/en-us/library/system.net.mail.smtpclient_members.aspx
You may also want to try asking some related code questions on StackOverflow.com, people there might be able to help as well.