
Default using Windows Schannel for SSL/TLS on Windows

Open solarispika opened this issue 8 months ago • 12 comments

Follow https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain for related flags.

Closes #1978

solarispika avatar Mar 24 '25 03:03 solarispika

I noticed that there is verify_result_ for storing the OpenSSL result, which is retrieved by get_openssl_verify_result(), but I have no idea how to set it. Please advise.

solarispika avatar Mar 24 '25 03:03 solarispika

@solarispika sorry for the delay. According to this comment https://github.com/yhirose/cpp-httplib/issues/1978#issuecomment-2703522574, you mentioned you ended up bypassing CRL in your production server.

Do you think that the current pull request, which doesn't have the bypassing code, will affect a number of Windows users? If not many, I don't mind merging this code. But if it risks affecting many users, I would like you to implement a feature flag like CPPHTTPLIB_USE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE. If it's not set, the original code will be used.

yhirose avatar Jun 24 '25 03:06 yhirose

Hi @yhirose

I am not sure how many of them there will be; possibly the number is proportional to users located in China. I can add a toggle for this feature. It looks like you prefer having users enable this feature rather than disable it, right?

solarispika avatar Jul 02 '25 10:07 solarispika

@solarispika, (1) If a number of users will be affected by this, I prefer making it an opt-in feature with CPPHTTPLIB_USE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE.

(2) But if we expect only a few users will be affected, we can enable this feature by default and users can disable it with CPPHTTPLIB_DISABLE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE.

I prefer #2.

yhirose avatar Jul 02 '25 12:07 yhirose

@yhirose I agree with you on enabling the feature by default. I also updated CMake so that it enables the feature HTTPLIB_USE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE by default and, if disabled, defines CPPHTTPLIB_DISABLE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE.

solarispika avatar Jul 07 '25 03:07 solarispika

Could you please take a look at unit test errors on 'test / windows with SSL (pull_request)'?

yhirose avatar Jul 08 '25 01:07 yhirose

Sure, it looks like https://github.com/yhirose/cpp-httplib/pull/2169 saves OpenSSL errors, which I didn't notice. I'll try to fix it.

solarispika avatar Jul 08 '25 06:07 solarispika

@yhirose

I found that it is hard to map errors between Win32 API and OpenSSL.

What do you recommend? Is it proper to mask those checks when Schannel is used?

solarispika avatar Jul 08 '25 07:07 solarispika

@solarispika I actually don't know what to do. Could you please investigate why those errors occur before making any change?

yhirose avatar Jul 08 '25 11:07 yhirose

@yhirose These errors are due to https://github.com/yhirose/cpp-httplib/pull/2169 adding ssl_error and ssl_openssl_error member functions to class Result for retrieving OpenSSL errors, and some tests being extended for these errors.

As those member functions are defined for OpenSSL, it is inappropriate for me to use them directly for errors coming from the Windows API.

solarispika avatar Jul 09 '25 11:07 solarispika

@solarispika it looks like the Windows code returns only SSLServerVerification and SSLServerHostnameVerification, which are kind of general errors. However, it seems like some of the wincrypt APIs can tell us more about errors, and they could be helpful for users. How about making wincrypt_verify_result_ and get_wincrypt_verify_result() store such a wincrypt-specific error? Is it too much?

yhirose avatar Aug 29 '25 19:08 yhirose
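An added illustration (not code from this PR or from cpp-httplib) of the wincrypt-specific result proposed above: the general Error is kept, the raw CertGetCertificateChain status travels alongside it, and the "revocation status unknown" bits behind the CRL bypass discussed earlier in the thread are handled separately from a definite revocation. WincryptVerifyResult, map_chain_status and allow_unknown_revocation are assumed names; the CERT_TRUST_* constants are the documented wincrypt.h values, redeclared only when building off Windows.

```cpp
#include <cstdint>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#else
// Documented CERT_TRUST_STATUS.dwErrorStatus bits, redeclared so the mapping
// also compiles off Windows; on Windows the real wincrypt.h values are used.
using DWORD = std::uint32_t;
constexpr DWORD CERT_TRUST_NO_ERROR = 0x00000000;
constexpr DWORD CERT_TRUST_IS_NOT_TIME_VALID = 0x00000001;
constexpr DWORD CERT_TRUST_IS_REVOKED = 0x00000004;
constexpr DWORD CERT_TRUST_IS_NOT_SIGNATURE_VALID = 0x00000008;
constexpr DWORD CERT_TRUST_IS_UNTRUSTED_ROOT = 0x00000020;
constexpr DWORD CERT_TRUST_REVOCATION_STATUS_UNKNOWN = 0x00000040;
constexpr DWORD CERT_TRUST_IS_PARTIAL_CHAIN = 0x00010000;
constexpr DWORD CERT_TRUST_IS_OFFLINE_REVOCATION = 0x01000000;
#endif

// Subset of httplib::Error, redeclared here to keep the example self-contained.
enum class Error { Success, SSLServerVerification };

// Hypothetical wincrypt counterpart of verify_result_ (assumed name): the
// general Error plus the raw chain status, so callers can see why it failed.
struct WincryptVerifyResult {
  DWORD chain_error_status;  // dwErrorStatus as filled in by CertGetCertificateChain
  bool revocation_unknown;   // CRL/OCSP could not be retrieved (not a revocation)
  Error error;
};

// Bits meaning "could not check revocation", as opposed to "revoked".
constexpr DWORD kRevocationUnknown =
    CERT_TRUST_REVOCATION_STATUS_UNKNOWN | CERT_TRUST_IS_OFFLINE_REVOCATION;

// allow_unknown_revocation (assumed name) mirrors the CRL bypass from the thread:
// an unreachable CRL distribution point is tolerated, but a revoked cert, an
// untrusted root, a bad signature or an expired cert never is.
WincryptVerifyResult map_chain_status(DWORD dwErrorStatus, bool allow_unknown_revocation) {
  WincryptVerifyResult r{dwErrorStatus, (dwErrorStatus & kRevocationUnknown) != 0, Error::Success};
  const DWORD fatal = dwErrorStatus & ~kRevocationUnknown;
  if (fatal != CERT_TRUST_NO_ERROR || (r.revocation_unknown && !allow_unknown_revocation)) {
    r.error = Error::SSLServerVerification;
  }
  return r;
}
```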


@yhirose I have no experience using those APIs, so I can't give any suggestions on it now. It needs further investigation, and I think they might be useful.

solarispika avatar Sep 07 '25 13:09 solarispika