PRB: SQL Server CE Replication or RDA Fails When IIS Uses SHA1 Hashing Algorithm (290208)



The information in this article applies to:

  • Microsoft SQL Server 2000 Windows CE Edition

This article was previously published under Q290208

SYMPTOMS

Microsoft SQL Server 2000 for Windows CE Edition replication or Remote Data Access (RDA) fails when you use a secure Web site where the Microsoft Internet Information Services (IIS) server certificate uses the Secure Hash Algorithm 1 (SHA1) algorithm. When the merge process runs against the Secure Sockets Layer (SSL) site, it returns the following error message:

28037 SSCE_M_HTTPSENDREQUESTFAILED : HttpSendRequest failed; HRESULT has more detail

CAUSE

The VeriSign Certificate Authority (CA) has changed the hashing algorithm that is used for the new SSL server certificates from Message Digest 5 (MD5) to SHA1.

Windows CE devices that are running Microsoft Windows CE 3.0, or earlier, do not recognize IIS server certificates that are signed with either the MD4 or RSA/SHA1 signature algorithms.

WORKAROUND

To work around the problem for Pocket PC, install the 128-bit SSL Add-on that is described in the following Microsoft Knowledge Base article:

266695 Cannot Connect to Security-Enhanced Web Pages with Pocket Internet Explorer

HPC Pro and Palm PC (Windows CE 2.1x) do not support the SHA1 hashing algorithm that is used by certificate authorities such as VeriSign. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

274999 Windows CE 2.11 Cannot Connect to Security-Enhanced Web Pages

MORE INFORMATION

For a more detailed description of this problem, see the following article in the Microsoft Knowledge Base:

266695 Cannot Connect to Security-Enhanced Web Pages with Pocket Internet Explorer

Steps to Reproduce Behavior

Pocket Internet Explorer

Try to connect Pocket IE on an HPC Pro device to an HTTPS site that uses a VeriSign certificate.

-or-

SQL Server CE

  1. Set up an SSL site and use VeriSign as the Certificate Authority (CA).
  2. Run a SQL Server CE Replication application and attempt a merge by using the SSL site you created in step 1.

RESULT: The following error message is displayed:

28037 SSCE_M_HTTPSENDREQUESTFAILED : HttpSendRequest failed; HRESULT has more detail

The SQL Server CE Books Online topic "Obtaining a Server Certificate" contains this description for the issue:

Windows CE devices running Windows CE 3.0 or earlier do not recognize IIS server certificates signed using either the MD4 or RSA/SHA1 signature algorithms. Windows CE devices reject such certificates with the error ERROR_INTERNET_SECURITY_CHANNEL_ERROR. To be acceptable to a Windows CE device, your IIS server certificate must be signed using either the MD2 or MD5 signature algorithm.

If you want to generate IIS server certificates by using your own standalone certification authority, you must choose the Advanced option when you install Windows 2000 Certificate Services. Then select the MD2 or MD5 signature algorithm for the certificates your certification authority issues.

By default, Windows 2000 certification authorities generate RSA/SHA1 certificates. If your standalone certification authority was installed using the default RSA/SHA1 signature algorithm, you must remove the certification authority, re-install it using the Advanced option, specify the MD2 or MD5 signature algorithm, and issue a new IIS server certificate.

REFERENCES

For additional information, see the "Security Models and Scenarios for SQL Server CE" white paper.

SQL Server CE Books Online; topic: "Obtaining a Server Certificate"

Modification Type: Major
Last Reviewed: 1/14/2003
Keywords: kbprb KB290208