aws-sdk-cpp
WinHttp TLS is completely disabled if m_verifySSL is false
Describe the bug
In the file:
aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
Line 541 (in function OpenRequest):
DWORD requestFlags = request->GetUri().GetScheme() == Scheme::HTTPS && m_verifySSL ? WINHTTP_FLAG_SECURE : 0;
This code passes 0 instead of WINHTTP_FLAG_SECURE if m_verifySSL is false. Therefore the connection is not TLS enabled.
This is incorrect behaviour.
Expected Behavior
If the scheme is HTTPS and m_verifySSL is false, it should initiate a TLS connection, and ignore certificate errors.
Current Behavior
If the scheme is HTTPS and m_verifySSL is false, it initiates a non-TLS connection.
Reproduction Steps
Create an outgoing HTTPS request to S3, and set m_verifySSL to false. Use Wireshark or equivalent to observe that the connection is not TLS enabled.
Possible Solution
Remove the && m_verifySSL from the condition.
Additional Information/Context
No response
AWS CPP SDK version used
1.11.285
Compiler and Version used
Visual Studio 2019
Operating System and version
Windows Server 2019
Thanks for finding this bug and pointing it out to us. We are working on a fix.
Created https://github.com/aws/aws-sdk-cpp/pull/3313 which will revert to the old behavior, and creates a client configuration for users to use anonymous auth to satisfy the original issue.
Should be fixed on main now, tagged this afternoon. Give a shout if you have any questions.
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.