Added support to ignore invalid cert common name #4361
Conversation
Jinming-Hu
added
Azure.Core
Client
Jinming-Hu
requested review from
RickWinter,
ahsonkhan,
antkmsft,
vhvb1989,
gearama and
LarryOsterman
as code owners
|
QQ: Where is the libcurl version of this fix? Or does Libcurl already ignore invalid CN names? |
It turns out libcurl will ignore all these kinds of errors when verify peer is disabled. WinHTTP, however, has more granular control. https://learn.microsoft.com/en-us/windows/win32/winhttp/option-flags#winhttp_option_security_flags |
There are global options now for disabling peer validation, so if you're ok with disabling peer validation on curl, why not also disable it globally? In general, I'm really not a fan of per-transport options, because enabling them forces the customer to manually create their own transport object for the pipeline (which then forces them to make curl vs winhttp decisions, etc). So I would much prefer to see new transport features be available for all of them. |
Are you referring to TransportOptions? There's no option to disable peer validation in there. In other words, if customer wants to disable peer validation, he has to specify a transport (curl or winhttp). That's what I always think. Am I wrong? |
@#$ - for some reason, I thought I'd added them with the websocket work. IMHO, this would be better set as a global option to disable peer validation that would then be modified to the appropriate HTTP transport (so for WInHTTP, it would set the existing IgnoreUnknownCertificateAuthority and the new IgnoreInvalidCertificateCommonName field, for curl it would set SslVerifyPeer to false. That way customers aren't forced to conditionally compile their code depending on what HTTP transport they are using. My rule of thumb for these kinds of things is: "If the same functionality is implemented by more than one transport, it should be in TransportOptions, if the option is only relevant to a single transport, it should be in per-transport options". |
Done! |
|
@LarryOsterman Can you take a look at the updated changes, to ensure you're happy with the it, especially the variable name? |
There was a problem hiding this comment.
My only concern is that the semantics of SslVerifyPeer is backwards from the other options (and yes, I know that the CURL option is SslVerifyPeer - that makes sense in the CURL context since this is exactly the CURL option name. But this setting applies to all transports.
|
@LarryOsterman Can you review this PR again? |
| @@ -311,6 +311,7 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions | |||
| curlOptions.SslOptions.PemEncodedExpectedRootCertificates | |||
| = PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE"); | |||
| } | |||
| curlOptions.SslVerifyPeer = !transportOptions.DisableTlsCertificateValidation; | |||
There was a problem hiding this comment.
Just making sure (because it seems to be ok), but @LarryOsterman would we need to update the connection key logic that we use for the connection pooling/caching? It is meant to be unique for each set of options (based on SslVerifyPeer being set).
There was a problem hiding this comment.
Good question: Based on my reading, the SslVerifyPeer option is already included in the connection key logic - see line 1284 of GetConnectionKey.
* update comment (#4364) * update comment * jghjg * update broken link * Update sdk/keyvault/tools/cleanup/src/cleanup.cpp Co-authored-by: Anton Kolesnyk <[email protected]> --------- Co-authored-by: Anton Kolesnyk <[email protected]> * Docker comment (#4375) * update comment * add comment about vcpkg * dsfs * Trigger`keyvault` on proxy changes (#4343) * autotrigger the keyvault and storage CI when a testproxy file is changed * Generate API review for C++ using new parser (#4302) * Add vmImage back to common perf.yml - Fixes #5466 - Partially reverts #5456 (#4376) Co-authored-by: Mike Harder <[email protected]> * Fix pipelines path (#4358) * test path * qwq * dsda * asas * dsada * sdsds * Update sdk/keyvault/azure-security-keyvault-certificates/perf-tests.yml Co-authored-by: Mike Harder <[email protected]> * Update sdk/keyvault/azure-security-keyvault-certificates/perf-tests.yml Co-authored-by: Mike Harder <[email protected]> * remove warmup --------- Co-authored-by: Mike Harder <[email protected]> * Test proxy & storage tests improvements (#4241) * Temporarily pin Node 18 to 18.13.0 - Fixes #5536 (#4378) Co-authored-by: Mike Harder <[email protected]> * Storage tests improvement (#4382) * Update CODEOWNERS (#4380) * show headers and query parameters in storage CI pipeline (#4379) * Sync eng/common directory with azure-sdk-tools for PR 5431 #2501 Co-authored-by: Konrad Jamrozik <[email protected]> * Sync eng/common directory with azure-sdk-tools for PR 5562 (#4384) * Add todos to update packages to pick up the newest CODEOWNERS interpreter * update --------- Co-authored-by: Konrad Jamrozik <[email protected]> * Fix Share Client failure #4377 (#4381) * Fix Share Client failure #4377 * decrease request count to avoid throttling errors for storage tests (#4385) * Sync eng/common directory with azure-sdk-tools for PR 5568 (#4387) * we encourage folks to place their assets.jsons at the package level * update generate-assets-json.ps1 to only include src/**/session-records so as to avoid picking up the duplicated 'target' sessionrecords --------- Co-authored-by: scbedd <[email protected]> * Add support to ignore invalid cert common name (#4361) * update to version 7.4 for admin. update tests (#4388) * update proxy version to include Info/Active against individual sessions + allow delayed response (#4391) Co-authored-by: scbedd <[email protected]> * Sync eng/common directory with azure-sdk-tools for PR 5540 (#4396) * add parameter to set cadl emitter options * remove emitter name in the additional parameter --------- Co-authored-by: chunyu3 <[email protected]> * Follow-up to update changelog to reflect community contribution (#4393) * Follow-up to update changelog to reflect community contribution * Upgrade cspell version from 0.1 to 0.2 * logging api post request body (#4404) Co-authored-by: Albert Cheng <[email protected]> * Sync eng/common directory with azure-sdk-tools for PR 5595 (#4400) * Use "npm ci" to install cspell and respect package-lock.json * Review feedback * Pipe npm ci output to Write-Host --------- Co-authored-by: Daniel Jurek <[email protected]> --------- Co-authored-by: George Arama <[email protected]> Co-authored-by: Anton Kolesnyk <[email protected]> Co-authored-by: Scott Beddall <[email protected]> Co-authored-by: Praven Kuttappan <[email protected]> Co-authored-by: Azure SDK Bot <[email protected]> Co-authored-by: Mike Harder <[email protected]> Co-authored-by: JinmingHu <[email protected]> Co-authored-by: Konrad Jamrozik <[email protected]> Co-authored-by: chunyu3 <[email protected]> Co-authored-by: Ahson Khan <[email protected]> Co-authored-by: Albert Cheng <[email protected]> Co-authored-by: Daniel Jurek <[email protected]>
* update comment (Azure#4364) * update comment * jghjg * update broken link * Update sdk/keyvault/tools/cleanup/src/cleanup.cpp Co-authored-by: Anton Kolesnyk <[email protected]> --------- Co-authored-by: Anton Kolesnyk <[email protected]> * Docker comment (Azure#4375) * update comment * add comment about vcpkg * dsfs * Trigger`keyvault` on proxy changes (Azure#4343) * autotrigger the keyvault and storage CI when a testproxy file is changed * Generate API review for C++ using new parser (Azure#4302) * Add vmImage back to common perf.yml - Fixes Azure#5466 - Partially reverts Azure#5456 (Azure#4376) Co-authored-by: Mike Harder <[email protected]> * Fix pipelines path (Azure#4358) * test path * qwq * dsda * asas * dsada * sdsds * Update sdk/keyvault/azure-security-keyvault-certificates/perf-tests.yml Co-authored-by: Mike Harder <[email protected]> * Update sdk/keyvault/azure-security-keyvault-certificates/perf-tests.yml Co-authored-by: Mike Harder <[email protected]> * remove warmup --------- Co-authored-by: Mike Harder <[email protected]> * Test proxy & storage tests improvements (Azure#4241) * Temporarily pin Node 18 to 18.13.0 - Fixes Azure#5536 (Azure#4378) Co-authored-by: Mike Harder <[email protected]> * Storage tests improvement (Azure#4382) * Update CODEOWNERS (Azure#4380) * show headers and query parameters in storage CI pipeline (Azure#4379) * Sync eng/common directory with azure-sdk-tools for PR 5431 Azure#2501 Co-authored-by: Konrad Jamrozik <[email protected]> * Sync eng/common directory with azure-sdk-tools for PR 5562 (Azure#4384) * Add todos to update packages to pick up the newest CODEOWNERS interpreter * update --------- Co-authored-by: Konrad Jamrozik <[email protected]> * Fix Share Client failure Azure#4377 (Azure#4381) * Fix Share Client failure Azure#4377 * decrease request count to avoid throttling errors for storage tests (Azure#4385) * Sync eng/common directory with azure-sdk-tools for PR 5568 (Azure#4387) * we encourage folks to place their assets.jsons at the package level * update generate-assets-json.ps1 to only include src/**/session-records so as to avoid picking up the duplicated 'target' sessionrecords --------- Co-authored-by: scbedd <[email protected]> * Add support to ignore invalid cert common name (Azure#4361) * update to version 7.4 for admin. update tests (Azure#4388) * update proxy version to include Info/Active against individual sessions + allow delayed response (Azure#4391) Co-authored-by: scbedd <[email protected]> * Sync eng/common directory with azure-sdk-tools for PR 5540 (Azure#4396) * add parameter to set cadl emitter options * remove emitter name in the additional parameter --------- Co-authored-by: chunyu3 <[email protected]> * Follow-up to update changelog to reflect community contribution (Azure#4393) * Follow-up to update changelog to reflect community contribution * Upgrade cspell version from 0.1 to 0.2 * logging api post request body (Azure#4404) Co-authored-by: Albert Cheng <[email protected]> * Sync eng/common directory with azure-sdk-tools for PR 5595 (Azure#4400) * Use "npm ci" to install cspell and respect package-lock.json * Review feedback * Pipe npm ci output to Write-Host --------- Co-authored-by: Daniel Jurek <[email protected]> --------- Co-authored-by: George Arama <[email protected]> Co-authored-by: Anton Kolesnyk <[email protected]> Co-authored-by: Scott Beddall <[email protected]> Co-authored-by: Praven Kuttappan <[email protected]> Co-authored-by: Azure SDK Bot <[email protected]> Co-authored-by: Mike Harder <[email protected]> Co-authored-by: JinmingHu <[email protected]> Co-authored-by: Konrad Jamrozik <[email protected]> Co-authored-by: chunyu3 <[email protected]> Co-authored-by: Ahson Khan <[email protected]> Co-authored-by: Albert Cheng <[email protected]> Co-authored-by: Daniel Jurek <[email protected]>
We need this feature when using storage library in Azure Storage server-side codebase. TLS certificate used for testing is self-signed. Service needs to be accessed via multiple hostnames including localhost, so we need to be able to ignore CN mismatch errors.
Pull Request Checklist
Please leverage this checklist as a reminder to address commonly occurring feedback when submitting a pull request to make sure your PR can be reviewed quickly:
See the detailed list in the contributing guide.