
Implement host override of CN checking in the WinHTTP backend #824


Merged
merged 9 commits into from
Aug 10, 2018
16 changes: 8 additions & 8 deletions Release/src/http/client/http_client_asio.cpp
@@ -39,7 +39,7 @@

#include "cpprest/base_uri.h"
#include "cpprest/details/http_helpers.h"
#include "cpprest/details/x509_cert_utilities.h"
#include "../common/x509_cert_utilities.h"
#include "http_client_impl.h"
#include "pplx/threadpool.h"
#include <memory>
@@ -468,7 +468,7 @@ class asio_context final : public request_context, public std::enable_shared_fro
, m_needChunked(false)
, m_timer(client->client_config().timeout<std::chrono::microseconds>())
, m_connection(connection)
#if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE
, m_openssl_failed(false)
#endif
{
@@ -1032,11 +1032,11 @@ class asio_context final : public request_context, public std::enable_shared_fro
// finally by the root CA self signed certificate.

const auto& host = utility::conversions::to_utf8string(m_http_client->base_uri().host());
#if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
// On OS X, iOS, and Android, OpenSSL doesn't have access to where the OS
// stores keychains. If OpenSSL fails we will doing verification at the
// end using the whole certificate chain so wait until the 'leaf' cert.
// For now return true so OpenSSL continues down the certificate chain.
#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE
// Attempt to use platform certificate validation when it is available:
// If OpenSSL fails we will doing verification at the end using the whole certificate chain,
// so wait until the 'leaf' cert. For now return true so OpenSSL continues down the certificate
// chain.
if (!preverified)
{
m_openssl_failed = true;
@@ -1757,7 +1757,7 @@ class asio_context final : public request_context, public std::enable_shared_fro
boost::asio::streambuf m_body_buf;
std::shared_ptr<asio_connection> m_connection;

#if defined(__APPLE__) || (defined(ANDROID) || defined(__ANDROID__))
#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE
bool m_openssl_failed;
#endif
};
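Review bot: In the `-1032,11` hunk the reworded comment above `if (!preverified)` still reads "we will doing verification" and does not state the invariant that makes returning true safe: once `m_openssl_failed` is set, the trust decision rests entirely on the platform verifier run at the leaf certificate. I would reword it to `// If OpenSSL's own check fails, record that and keep walking the chain; the leaf-certificate step must then run platform verification on the whole chain and return its result.` The leaf-certificate handling lies outside the visible lines, so confirm that every path with `m_openssl_failed` set ends in that platform check and never in an unconditional accept. All three `#ifdef CPPREST_PLATFORM_ASIO_CERT_VERIFICATION_AVAILABLE` sites also depend on the macro being defined by an earlier include, presumably `../common/x509_cert_utilities.h`; its definition is not visible here, and a short comment at the include naming that dependency would help.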