Skip to content

Commit 35f721d

Browse files
BillyONealBillyONeal
authored
Merge pull request #687 from ZekeSnider/certificate-revocation-client-config
Disable cert revocation check if cert validation is disabled
2 parents ee2cde6 + 074590c commit 35f721d

File tree

2 files changed

+73
-21
lines changed

2 files changed

+73
-21
lines changed

Release/src/http/client/http_client_winhttp.cpp

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -667,7 +667,7 @@ class winhttp_client : public _http_client_communicator
667667
}
668668

669669
// Enable the certificate revocation check
670-
if (m_secure)
670+
if (m_secure && client_config().validate_certificates())
671671
{
672672
DWORD dwEnableSSLRevocOpt = WINHTTP_ENABLE_SSL_REVOCATION;
673673
if (!WinHttpSetOption(winhttp_context->m_request_handle, WINHTTP_OPTION_ENABLE_FEATURE, &dwEnableSSLRevocOpt, sizeof(dwEnableSSLRevocOpt)))

Release/tests/functional/http/client/outside_tests.cpp

Lines changed: 72 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,7 @@ TEST_FIXTURE(uri_address, outside_wikipedia_compressed_http_response)
7575

7676
auto s = response.extract_utf8string().get();
7777
VERIFY_IS_FALSE(s.empty());
78-
78+
7979
utility::string_t encoding;
8080
VERIFY_IS_TRUE(response.headers().match(web::http::header_names::content_encoding, encoding));
8181

@@ -93,14 +93,14 @@ TEST_FIXTURE(uri_address, outside_google_dot_com)
9393
VERIFY_ARE_EQUAL(status_codes::OK, response.status_code());
9494
}
9595
}
96-
96+
9797
TEST_FIXTURE(uri_address, multiple_https_requests)
9898
{
9999
handle_timeout([&]
100100
{
101101
// Use code.google.com instead of www.google.com, which redirects
102102
http_client client(U("https://code.google.com"));
103-
103+
104104
http_response response;
105105
for(int i = 0; i < 5; ++i)
106106
{
@@ -155,38 +155,90 @@ TEST_FIXTURE(uri_address, no_transfer_encoding_content_length)
155155
// https://www.ssllabs.com/ssltest/
156156
// http://www.internetsociety.org/deploy360/resources/dane-test-sites/
157157
// https://onlinessl.netlock.hu/#
158-
TEST(server_selfsigned_cert)
158+
static void test_failed_ssl_cert(const uri& base_uri)
159159
{
160-
handle_timeout([]
160+
handle_timeout([&base_uri]
161161
{
162-
http_client client(U("https://self-signed.badssl.com/"));
162+
http_client client(base_uri);
163163
auto requestTask = client.request(methods::GET);
164164
VERIFY_THROWS(requestTask.get(), http_exception);
165165
});
166166
}
167167

168-
TEST(server_hostname_mismatch)
168+
#if !defined(__cplusplus_winrt)
169+
static void test_ignored_ssl_cert(const uri& base_uri)
169170
{
170-
handle_timeout([]
171+
handle_timeout([&base_uri]
171172
{
172-
http_client client(U("https://wrong.host.badssl.com/"));
173-
auto requestTask = client.request(methods::GET);
174-
VERIFY_THROWS(requestTask.get(), http_exception);
173+
http_client_config config;
174+
config.set_validate_certificates(false);
175+
http_client client(base_uri, config);
176+
auto request = client.request(methods::GET).get();
177+
VERIFY_ARE_EQUAL(status_codes::OK, request.status_code());
175178
});
176179
}
180+
#endif // !defined(__cplusplus_winrt)
181+
182+
TEST(server_selfsigned_cert)
183+
{
184+
test_failed_ssl_cert(U("https://self-signed.badssl.com/"));
185+
}
186+
187+
#if !defined(__cplusplus_winrt)
188+
TEST(server_selfsigned_cert_ignored)
189+
{
190+
test_ignored_ssl_cert(U("https://self-signed.badssl.com/"));
191+
}
192+
#endif // !defined(__cplusplus_winrt)
193+
194+
TEST(server_hostname_mismatch)
195+
{
196+
test_failed_ssl_cert(U("https://wrong.host.badssl.com/"));
197+
}
198+
199+
#if !defined(__cplusplus_winrt)
200+
TEST(server_hostname_mismatch_ignored)
201+
{
202+
test_ignored_ssl_cert(U("https://wrong.host.badssl.com/"));
203+
}
204+
#endif // !defined(__cplusplus_winrt)
177205

178206
TEST(server_cert_expired)
179207
{
180-
handle_timeout([]
181-
{
182-
http_client_config config;
183-
config.set_timeout(std::chrono::seconds(1));
184-
http_client client(U("https://expired.badssl.com/"), config);
185-
auto requestTask = client.request(methods::GET);
186-
VERIFY_THROWS(requestTask.get(), http_exception);
187-
});
208+
test_failed_ssl_cert(U("https://expired.badssl.com/"));
209+
}
210+
211+
#if !defined(__cplusplus_winrt)
212+
TEST(server_cert_expired_ignored)
213+
{
214+
test_ignored_ssl_cert(U("https://expired.badssl.com/"));
215+
}
216+
#endif // !defined(__cplusplus_winrt)
217+
218+
TEST(server_cert_revoked)
219+
{
220+
test_failed_ssl_cert(U("https://revoked.badssl.com/"));
221+
}
222+
223+
#if !defined(__cplusplus_winrt)
224+
TEST(server_cert_revoked_ignored)
225+
{
226+
test_ignored_ssl_cert(U("https://revoked.badssl.com/"));
227+
}
228+
#endif // !defined(__cplusplus_winrt)
229+
230+
TEST(server_cert_untrusted)
231+
{
232+
test_failed_ssl_cert(U("https://untrusted-root.badssl.com/"));
188233
}
189234

235+
#if !defined(__cplusplus_winrt)
236+
TEST(server_cert_untrusted_ignored)
237+
{
238+
test_ignored_ssl_cert(U("https://untrusted-root.badssl.com/"));
239+
}
240+
#endif // !defined(__cplusplus_winrt)
241+
190242
#if !defined(__cplusplus_winrt)
191243
TEST(ignore_server_cert_invalid,
192244
"Ignore:Android", "229",
@@ -204,7 +256,7 @@ TEST(ignore_server_cert_invalid,
204256
VERIFY_ARE_EQUAL(status_codes::OK, request.status_code());
205257
});
206258
}
207-
#endif
259+
#endif // !defined(__cplusplus_winrt)
208260

209261
TEST_FIXTURE(uri_address, outside_ssl_json)
210262
{

0 commit comments

Comments
 (0)