Because of RFC 2616 section 8.1.4 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html) we have traditionally limited the number of persistent connections to 2 per server.  This is because of the strong language in this RFC: " A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy."

Practically speaking with today's modern web servers, there is no reason for such a small number of client connections to a server.  This is especially true with the rich WebPages and WebBased applications hosted in WebPages.  Indeed, at times you can get into a situation where you are attempting to download resources for a WebPage and a script is executed to download additional data giving the appearance of a web browser.  The ability to download several resources simultaneously has huge advantages when it comes to downloading resources quickly and gives the ability to provide a more responsive web experience.

While you could always change the number of connections WinInet (and Internet Explorer) used by default, in the past, you could not also control the number of Proxy Connections separately (also covered in RFC 2616).  There is now a setting that will allow you to set the proxy connection limit independent from the number of persistent connections to a server.

Here is a brief Q&A I put together to help you get your head around these settings:

What does setting the max Server and Proxy connections do?  This limits the number of possible connection at one time to a given host either direct or through a proxy.

What happens if I try to make 4 connections and the default number of persistent connections (proxy or server) is set to 2?  Two connections will be made and two will be put in a queue to ‘wait’ for an available connection to be freed.  Once one of the first two connections gets a response, another ‘waiting’ connection will use that available connection in a FIFO manner.

If my app has 2 requests to one host and 2 to another, does that mean only 2 connections at a time will be used total, and there will be two connections waiting?  No, this means that 2 connections per host will be used so in this example there will be no connections waiting.

Why limit the proxy connections in WinInet to begin with?  We always have as a function of limiting the HTTP connections to the end point server.  We did this because the RFC 2616 tells us to:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html  (see 8.1.4 Practical Considerations)

Why add a new limit for the proxy connections?  In the event you need to customize the number of proxy connections.  The default is set to 4 which is enough to satisfy the defaults for WinInet which is 2 for HTTP 1.1 servers and 4 for HTTP 1.0 servers. 

What was it before?  The value did not exist before so it is the same as the server settings.  If the proxy was Http 1.0 it was 4.  If it was http 1.1 it was 2. 

What if I want to have more server connections, should I also set the MaxConnections to proxy to follow this?  No!  The number of proxy connections will automatically follow the MaxConnections for the server, your application should probably do the same.  In most cases (unless your proxy has some other strange requirement) it should be the same as your server connections.  If for some reason you want this different then set the MaxConnectionsPerProxy manually.  If you do not have a reason for this to be different then do not use this setting.

How do I set the MaxConnectionsPerProxy?  Either in Code (see this blog: http://blogs.msdn.com/jpsanders/archive/2009/06/08/understanding-the-new-wininet-option-internet-option-max-conns-per-proxy.aspx) or with this registry setting:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

To change the number of files that you can download through your proxy at one time to 2, follow these steps:

1.     Start Registry Editor.

2.     Locate the following key in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

3.     On the Edit menu, point to New, click DWORD Value, and then add the following registry values:
Value name: MaxConnectionsPerProxy
Value data: 2
Base: Decimal

4.     Exit Registry Editor.

This took me a couple of minutes to find so I thought I would share this here.

I downloaded ProcMon (process monitor) and could view the help file.  It would open but the right pane had a message: "Navigation to the webpage was canceled"  The left pane was functional however.

I found the help file.  This is a .CHM file stored in the directory where Procmon was installed.

To be able to use is, Right Click on the procmon.chm file and in the general tab, click on Unblock!

Works fine now!

 Let me know if you found this useful by dropping me a note please!

These options are well documented.  Important notes:

These flags affect the process that you set this option from. 

You do not need to pass an InternetHandle (but no error if you do).

Sample code:

bool abRes = false;
DWORD adOption = INTERNET_SUPPRESS_COOKIE_PERSIST;
abRes= InternetSetOption(hInternet, INTERNET_OPTION_SUPPRESS_BEHAVIOR ,&adOption,sizeof(adOption));
adOption = INTERNET_SUPPRESS_COOKIE_PERSIST_RESET;
abRes= InternetSetOption(hInternet, INTERNET_OPTION_SUPPRESS_BEHAVIOR ,&adOption,sizeof(adOption));

With the release of Internet Explorer 8 comes a new option you can query for with programming with the WinInet APIs: INTERNET_OPTION_SERVER_CERT_CHAIN_CONTEXT.  The MSDN documentation tells you it allows you to get the PCCERT_CHAIN_CONTEXT, and not much more.  It does not show you how to properly get the Context.  I like to see things in action so here is some sample code.

This option is documented here: http://msdn.microsoft.com/en-us/library/aa385328(VS.85).aspx (note that if you are not using the latest SDK headers, the value for this option is also documented here).

To sum it up, use this option to get the Server Certificate Chain Context  to use with other Crypto API functions  To understand this option you can modify the HttpDump example in the Platforms SDK and see how this option can be used.   Since this is an option for the request you get this option using the request handle after you execute the request.  I am not a Crypto API guru so I stole some code examples from MSDN just to dump out some information about the Certificate Chain. 
 
The most important (and undocumented) part of getting this option is to pass a Pointer to a  PCCERT_CHAIN_CONTEXT.  Below is a code snippet that I added to the HttpDump sample in the Windows 7 SDK (RC).

First, there is a problem with that sample when compiled for unicode.  I fixed it with this replacement code:

C++ code listing for sample (Copy Code):

Next I added this code just before closing the request handle ( 'if (!InternetCloseHandle (hReq) )' ).

C++ code listing for sample (Copy Code):

The above code simply illustrates getting the CertContext.  I will leave the actual implementation and usage of this context to all of you Crypto API types!  Please drop me a message if you found this blog useful!

With the release of Internet Explorer 8 comes a new option for WinInet programming: INTERNET_OPTION_SUPPRESS_SERVER_AUTH.  The MSDN documentation is very specific and describes how the option affects authorization, but I like to see things in action!  How about some sample code for INTERNET_OPTION_SUPPRESS_SERVER_AUTH?

This option is documented here: http://msdn.microsoft.com/en-us/library/aa385328(VS.85).aspx (note that if you are not using the latest SDK headers, the value for this option is also documented here).

To sum it up, use this option so your WinInet application will allow you to use credentials to authorize through a proxy, but don't pass credentials to the endpoint server.

To understand this option you can modify the HttpAuth example in the Platforms SDK and see how this option can be used to create a sample.  Then you can use Fiddler (http://www.fiddlertool.com) to request proxy credentials and verify that you cannot pass credentials to an endpoint server.

Since this is an option for the request you set this on the request handle just before you execute the request:

InternetSetOption(hRequest,INTERNET_OPTION_SUPPRESS_SERVER_AUTH,NULL,0);

// Send request.
fRet = HttpSendRequest( hRequest, // request handle
"", // header string
0, // header length
NULL, // post data
0 // post length
);

Next configure Fiddler to require proxy authentication by selecting the menu item 'Rules' and check the 'Require Proxy Authentication' option.  If you look at the help documentation on this feature you will discover the password and user id is '1' for this setting.

Finally run the HttpAuth sample and see that it will prompt you for the Proxy authorization, and once you enter these credentials you cannot send credentials to the end point server.  Even if you use the custom UI and use InternetSetOption to set the username and password, WinInet will not send these credentials.

 Note that in the documentation for this option, it suggests you use the INTERNET_OPTION_NO_COOKIES option as well to prevent Cookie based Authentication to the end point server.

Let me know if this was useful to you!

WinhttpTracecfg.exe for Vista does not exist, so how can you get a WinHttp trace in Vista and above?

WinHttpTraceCfg.exe has been replaced in Vista and above with the netsh winhttp command.
see this blog:
http://blogs.msdn.com/wndp/archive/2007/03/21/winhttp-configuration-for-windows-vista.aspx

A typical command to enable full tracing for WinHttp would look like this:

C:\Windows\system32>netsh winhttp set tracing trace-file-prefix="C:\Temp\WinHttpLog" level=verbose format=hex state=enabled

You would reproduce the issue and then turn off tracing like this:

C:\Windows\system32>netsh winhttp set tracing state=disabled

 This would leave the other parameters you set previously to remain so the next time you want to enable tracing simply type:

C:\Windows\system32>netsh winhttp set tracing state=enabled

Other parameters are available:

C:\Windows\system32>netsh winhttp set tracing

will show you the options:

Usage:  set tracing
        [output=]file|debugger|both
        [trace-file-prefix=]<string>
        [level=]default|verbose
        [format=]ansi|hex
        [max-trace-file-size=]<number>
        [state=]enabled|disabled

Parameters:

  Tag                   Value
  trace-file-prefix   - Prefix for the log file (can include a path)
                        specify "*" to delete an existing prefix
  output              - Where the trace entries are written/displayed to
  level               - How much information to log
  format              - Display format of network traffic (hex or ansi)
  max-trace-file-size - Maximum size of the trace file (in bytes)
  state               - Enables or disables winhttp tracing

Examples:

  set tracing trace-file-prefix="C:\Temp\Test3" level=verbose format=hex
  set tracing output=debugger max-trace-file-size=512000 state=enabled

You can display the existing settings with this command:

C:\Windows\system32>netsh winhttp show tracing

Current WinHTTP Tracing settings:

    Tracing is not enabled.

    Trace File Prefix: C:\Temp\Test3
    Trace Output: file
    Trace Level:  verbose (headers, APIs, and entity body)
    Network Traffic Format: hex
    Maximum size of trace file (in bytes): 65535

Let me know if this helps!

To understand these settings you need to understand how the HttpWebRequest class relates to the ServicePointManager and ServicePoint classes.  When you make a request with the HttpWebRequest class, the ServicePointManager provides a ServicePoint object to the HttpWebRequest object to handle the connection to a web resource (web server).  This ServicePoint object manages all the requests for a particular URI Host and protocol.  For example:  There will be one ServicePoint object for all the requests in my sample because they are all going to the server JSAN1 and using the HTTP protocol.  The ServicePoint object has some settings to control how it services the requests.  You can set the default values for these settings on the ServicePointManager before any ServicePoint objects are created.  Once the ServicePoint object is created these default values will not affect existing ServicePoint objects, only newly created ones.

The ServicePoint model allows optimization, control and performance enhancements for the request.  When you make an HTTP protocol request, ultimately that request and response will take place over a TCP Socket.  Creating and initializing this TCP Socket is a very expensive operation in terms of computer resources and time so if you can re-use this connection for the next request, you have saved the time of creating and initializing a new socket.  The HTTP 1.1 protocol provisions for this optimization by keeping the socket connection alive for subsequent requests by the client to the server. 
Reference - How ServicePointManager works: http://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.aspx (see remarks)
Reference - ServicePoint: http://msdn.microsoft.com/en-us/library/system.net.servicepoint.aspx

The ServicePoint object contains a queue of connections to the server identified by the URI of the server passed in.  By default the number of simultaneous connections to a server is controlled by the ServicePoint.ConnectionLimit property.  This property is set on this object when the ServicePointManager creates the ServicePoint object for your connections to a host.  Connections to the server are queued and will be served by the connections to the server as they become freed from use.  The default number of connections is set to 2.  Ref: http://msdn.microsoft.com/en-us/library/system.net.servicepoint.connectionlimit.aspx

Obviously if the number of connections your application has requested to a resource is greater than the connection limit, requests are queued and may timeout before they are taken from the queue and processed on an active connection.  An example may help you understand this.  This example creates 64 Worker threads and executes HTTP requests on them.  Create a simple HTTP page on a server in your network (not on the same machine you run this code on) and run this code, passing the URI to the page on the command line.  You will see some timeout exceptions generated:

Complete code listing for sample (Copy Code):

Please read the comments in the code.  There are some interesting points here.  The first is that if you do not set the ThreadPool MinThreads property to the anticipated number of threads you will use, the delay of creating these threads on the fly is enough to fail all of the requests with a timeout exception.  Next, note the Close() call on the response.  No matter what we do to the code, if you do not do the Close(), those sockets will remain open and a new socket will be created for each request (you will see that in a network trace).  This will also prevent any of the connections in the ServicePoint object from being freed, so no additional requests can be served.  Another thing that is sort of cool about this code is that it simulates the ASP.NET environment as far as the thread pool idea goes.  If your sample code works OK in this test app, chances are you will be able successfully run similar code in ASP.NET with the same ThreadPool and Connection settings.  Reference Asp.Net tuning: http://msdn.microsoft.com/en-us/library/ms998583.aspx

Next play with this line of code:

// 2 is Default Connection Limit

ServicePointManager.DefaultConnectionLimit = 2;

Set it to 12 and see how the number of successful requests increases.  Now set it to 4.  You will see a different number of requests succeed and fail depending on the sleep value simulated in the request (System.Threading.Thread.Sleep(500);), the response time of your target server to provide the content, network traffic and the performance of your machine.  Similar factors will affect your real world application.  Also, I set the timeout for the web request to 4 seconds because I expect the result to come back very quickly.  This may or may not be realistic in your situation.  Only testing and careful design will allow you to determine what best works for your application.       

The question often comes up “why can’t I set the DefaultConnectionLimit to a HUGE number”?  You can set this number in the hundreds if you want.  This will take more computer resources however.  More threads need to be created, more sockets open and the target server will be taxed more.  It is all a balance of resources and expected performance.  These factors need to be considered during design and testing.

The value MaxServicePointIdleTime comes in to play when you consider performance as well.  This value indicates how long a socket will be kept open after a request and response, before the client gracefully closes the socket down.  Again, the design and performance of your system will determine what a proper value would be for you situation.  If you close unused sockets down too fast, then the socket will never get reused by another request (remember I said the connection creation time is very expensive).  If the value is too long, then sockets (read resources, threads cpu time and memory) may be used unnecessarily at the source and target computer.  Finding the correct balance is important.  In addition, if the MaxServicePointIdleTime is not less than the server Keep-Alive timeout, there is a chance that your code will start using a connection at the same time the server is sending a message to close the socket resulting in a WebException.

Example App Design

Let’s work through an example together.  Let’s say this application is designed to handle 40 users every 4 seconds.  Let’s also assume it will take .5 seconds to process a web request in your code.  If this was a single threaded application, 40 users processed in 4 seconds means 4/40 or .1 seconds per user would have to be the performance of your application.  Given that the request to the backend server is .5 seconds (normally) there is no way that your single threaded application can handle this load and meet the spec.  The very best you could hope for is 20 seconds!  So you decide to create a multi threaded solution based on my example and try to apply the principles in this article.  Change the number of requests to 40 in the sample code to simulate all the requests coming in.  If this were a single threaded app, then the best we could do is 4 seconds/.5 processing time = 8 requests.  So in theory if we could do 6 simultaneous requests over the 4 second time period at 8 requests per thread, we would get abound 6*8 or 48 requests done in 4 seconds.  So set the DefaultConnectionLimit to 6 and let’s test.

Well, my results are: about 10 of the 40 connections timed out.  Why is that, and what in my calculation is wrong?  First, the sleep value I have in my code to simulate the time it takes to get a request back from the server is added to the actual time it took for the request to come back, so the socket was not freed in exactly .5 seconds, it was a little longer.  Also, it takes some time for those 40 worker threads to start processing, they are background worker threads an run at a lower priority than the main thread, so the main thread (adding the work) is going to get a higher priority and is running in a tight loop and so the worker threads will be delayed a little before they start working.  Finally there is the overhead of the connections initially spinning up!  To see if the time spent to get the connections up is part of the delay, I added this code to see if once the 6 connections are created and maintained by the ServicePoint object, would the performance be as I expected after the      WaitHandle.WaitAll(manualEvents); code in the sample code:

for (int i = 0; i < numberRequests; i++)

        {

            //Create a class to pass info to the thread proc

            threadStateInfo theInfo = new threadStateInfo();

            manualEvents[i].Reset();//Unsignalled state           
            theInfo.evtReset = manualEvents[i];

            theInfo.iReqNumber = i+40; //just to track what request this is

            theInfo.strUrl = httpSite; // the URL to open

            ThreadPool.QueueUserWorkItem(ThreadProc, theInfo);  //Let the thread pool do the work

        }

        WaitHandle.WaitAll(manualEvents);

Sure enough!  On my system, once the 6 connections are created in the first loop, each of the second set of requests succeeds.

Next let’s play with the MaxServicePointIdleTime to see how this affects the performance.  Let’s say in our case we expect that the 40 user in 4 seconds rate occurs in bursts every 6 seconds.  In other words, 40 users come in, there is 4 seconds processing time, 2 second delay and another 40 users come in.  Simulate this in code with this sleep statement just before the new loop you added in the previous step:

System.Threading.Thread.Sleep(2000);

On my machine that seemed to perform well.  But let’s see how the MaxServicePointIdleTime affects this.  Set the idle time to .5 seconds at the top of the code:
// 2 is Default Connection Limit
ServicePointManager.DefaultConnectionLimit = 6;
ServicePointManager.MaxServicePointIdleTime = 500;

There are two different structures you can query in order to retrieve server certificate information.  You must do some sort of request to complete the SSL server certificate exchange, and then you can retrieve this information.  Here is an example of that technique.

// CertificateInfo.cpp : Defines the entry point for the console application.
// This is sample code. You are responsible for input validation, and error processing.
// The following macros define the minimum required platform. The minimum required platform
// is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run
// your application. The macros work by enabling all features available on platform versions up to and
// including the version specified.
// Modify the following defines if you have to target a platform prior to the ones specified below.
// Refer to MSDN for the latest info on corresponding values for different platforms.
#ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista.
#define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows.
#endif
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#include <windows.h>
#include <stdio.h>
#include <iostream>
#include <tchar.h>
#include <wininet.h> // make sure you link with WinInet.lib

int _tmain(int argc, _TCHAR* argv[])
{

  if (argc < 2)
  {
    std::cout << "Please specify and HTTPS address to query the certificate information for" << std::endl;
  }
  else
  {
    // Get Scheme and HostName from URL passed in
    ::URL_COMPONENTS urlComp;
    ::ZeroMemory((void *)&urlComp,sizeof(URL_COMPONENTS));
    urlComp.dwSchemeLength = -1;
    urlComp.dwHostNameLength = -1;
    urlComp.dwStructSize = sizeof(URL_COMPONENTS);
    if (!::InternetCrackUrl(argv[1],wcslen(argv[1]),0,&urlComp))
    {
        std::cout << "InternetCrackUrl failed" << std::endl;
    }
    else
    {
        if (urlComp.nScheme != INTERNET_SCHEME_HTTPS)
        {
            std::cout << "Please specify and HTTPS address to query the certificate information for: https://www.someserver.com" << std::endl;
        }
        else
        {
            std::wcout << "opening connection to host: " << (LPWSTR)urlComp.lpszHostName << std::endl;

            HINTERNET hInternet = ::InternetOpen(_T("Test Certificate Info"), INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
            if (hInternet)
            {
                HINTERNET hConnect = ::InternetConnect( hInternet, urlComp.lpszHostName, INTERNET_DEFAULT_HTTPS_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, INTERNET_FLAG_SECURE, NULL);
                if (hConnect)
                {
                    // you could use HEAD,GET or POST here. HEAD will not return the body of the page so will be more efficient
                    HINTERNET hRequest = ::HttpOpenRequest(hConnect,_T("HEAD"), argv[1], NULL, NULL,
NULL, INTERNET_FLAG_SECURE, NULL); 
 
                    if (NULL != hRequest)
                    { 
                        // Send
                        BOOL fRet = ::HttpSendRequest( hRequest, _T(""), 0, NULL, 0);

                        if (fRet)
                        {
                            char certificateInfoStr[2048];
                            certificateInfoStr[0] = '\0';
                            DWORD certInfoLength = 2048;
                            if ( TRUE  == ::InternetQueryOption( hRequest, INTERNET_OPTION_SECURITY_CERTIFICATE, &certificateInfoStr, &certInfoLength) )
                            {
                                if ( certificateInfoStr )
                                {
                                    std::cout << (char *) certificateInfoStr << std::endl;
                                }
                            } 
                            else
                            {
                                // process error here
                                DWORD error = GetLastError(); 
                            }

                            INTERNET_CERTIFICATE_INFO certificateInfo;
                            certInfoLength = sizeof(INTERNET_CERTIFICATE_INFO);
                            if ( TRUE == InternetQueryOption( hRequest,
                                                                              INTERNET_OPTION_SECURITY_CERTIFICATE_STRUCT,
                                                                              &certificateInfo,
                                                                              &certInfoLength) )
                            { 
                                // free up memory with LocalFree()

                                if ( certificateInfo.lpszEncryptionAlgName )
                                {
                                    std::cout << (char *) certificateInfo.lpszEncryptionAlgName << std::endl;
                                    LocalFree( certificateInfo.lpszEncryptionAlgName);
                                }

                                if ( certificateInfo.lpszIssuerInfo )
                                {
                                    std::cout << (char *) certificateInfo.lpszIssuerInfo << std::endl;
                                    LocalFree( certificateInfo.lpszIssuerInfo );
                                }

                                if ( certificateInfo.lpszProtocolName )
                                {
                                    std::cout << (char *) certificateInfo.lpszProtocolName << std::endl;
                                    LocalFree( certificateInfo.lpszProtocolName );
                                }

                                if ( certificateInfo.lpszSignatureAlgName )
                                {
                                    std::cout << (char *) certificateInfo.lpszSignatureAlgName << std::endl;
                                    LocalFree( certificateInfo.lpszSignatureAlgName );
                                }

                                if ( certificateInfo.lpszSubjectInfo )
                                {
                                    std::cout << (char *) certificateInfo.lpszSubjectInfo << std::endl;
                                    LocalFree( certificateInfo.lpszSubjectInfo );
                                }

                            } 
                            else 
                            { 
                                    // process error
                                    DWORD error = GetLastError(); 
                            } 
                        }

                        ::InternetCloseHandle(hRequest);
                    }
                    else 
                    {
                        std::cout << "HttpOpenRequest failed" << std::endl;
                    }

                }
                else
                {
                    std::cout << "InternetConnect failed" << std::endl;
                }
                ::InternetCloseHandle(hInternet);
            }
            else
            {
                 std::cout << "InternetOpen failed" << std::endl;
            }
        }
    }
  }

return 0;
}