From 764aca7203da3f6c72e45fd87300f21949733512 Mon Sep 17 00:00:00 2001 From: Jinming Hu Date: Wed, 15 Feb 2023 14:29:59 +0800 Subject: [PATCH 1/3] Added support to ignore invalid cert common name --- sdk/core/azure-core/CHANGELOG.md | 2 ++ .../inc/azure/core/http/win_http_transport.hpp | 5 +++++ .../azure-core/src/http/winhttp/win_http_transport.cpp | 10 ++++++++++ 3 files changed, 17 insertions(+) diff --git a/sdk/core/azure-core/CHANGELOG.md b/sdk/core/azure-core/CHANGELOG.md index a3900fb95e..10ffab6577 100644 --- a/sdk/core/azure-core/CHANGELOG.md +++ b/sdk/core/azure-core/CHANGELOG.md @@ -4,6 +4,8 @@ ### Features Added +- Added the ability to ignore invalid certificate common name for TLS connections in WinHTTP transport. + ### Breaking Changes ### Bugs Fixed diff --git a/sdk/core/azure-core/inc/azure/core/http/win_http_transport.hpp b/sdk/core/azure-core/inc/azure/core/http/win_http_transport.hpp index 9ce13dd502..1efdbc17b8 100644 --- a/sdk/core/azure-core/inc/azure/core/http/win_http_transport.hpp +++ b/sdk/core/azure-core/inc/azure/core/http/win_http_transport.hpp @@ -70,6 +70,11 @@ namespace Azure { namespace Core { */ bool IgnoreUnknownCertificateAuthority{false}; + /** + * @brief When `true`, allows an invalid common name in a certificate. + */ + bool IgnoreInvalidCertificateCommonName{false}; + /** * Proxy information. */ diff --git a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp index 236b921479..e32505bc1c 100644 --- a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp +++ b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp 
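Review bot: The doc comment for the new `IgnoreInvalidCertificateCommonName` field in win_http_transport.hpp says only that an invalid common name is allowed, not what is given up: with it set, a certificate issued for a different host is accepted, so the host-name check that protects against a spoofed server is switched off. A `@remark` in the style of the later `DisableTlsCertificateValidation` text would make that explicit, e.g. `@remark Disables host-name verification of the server certificate; intended for test environments only and should not be set in production code.` The CHANGELOG hunk on this line needs nothing.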
@@ -918,6 +918,16 @@ _detail::WinHttpRequest::WinHttpRequest( } } + if (options.IgnoreInvalidCertificateCommonName) + { + auto option = SECURITY_FLAG_IGNORE_CERT_CN_INVALID; + if (!WinHttpSetOption( + m_requestHandle.get(), WINHTTP_OPTION_SECURITY_FLAGS, &option, sizeof(option))) + { + GetErrorAndThrow("Error while setting ignore invalid certificate common name."); + } + } + if (options.EnableCertificateRevocationListCheck) { DWORD value = WINHTTP_ENABLE_SSL_REVOCATION; From 0cdc6abfba8d1bd6de3579e4675ada038710b81d Mon Sep 17 00:00:00 2001 From: Jinming Hu Date: Wed, 22 Feb 2023 14:02:53 +0800 Subject: [PATCH 2/3] f --- sdk/core/azure-core/CHANGELOG.md | 1 + .../azure-core/inc/azure/core/http/policies/policy.hpp | 8 ++++++++ sdk/core/azure-core/src/http/curl/curl.cpp | 1 + sdk/core/azure-core/src/http/transport_policy.cpp | 10 +++++----- .../azure-core/src/http/winhttp/win_http_transport.cpp | 6 ++++++ 5 files changed, 21 insertions(+), 5 deletions(-) diff --git a/sdk/core/azure-core/CHANGELOG.md b/sdk/core/azure-core/CHANGELOG.md index 10ffab6577..c7da3bdb05 100644 --- a/sdk/core/azure-core/CHANGELOG.md +++ b/sdk/core/azure-core/CHANGELOG.md @@ -5,6 +5,7 @@ ### Features Added - Added the ability to ignore invalid certificate common name for TLS connections in WinHTTP transport. +- Added `SslVerifyPeer` in `TransportOptions`. ### Breaking Changes diff --git a/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp b/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp index bbd6db90a0..4b972e8d39 100644 --- a/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp +++ b/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp 
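Review bot: The new `IgnoreInvalidCertificateCommonName` block in WinHttpRequest's constructor writes `SECURITY_FLAG_IGNORE_CERT_CN_INVALID` as the entire `WINHTTP_OPTION_SECURITY_FLAGS` value, so if the block just above this hunk (not visible here) sets the same option for `IgnoreUnknownCertificateAuthority`, this second `WinHttpSetOption` call replaces those flags instead of adding to them; patch 2 of this series sets both options together, which makes that the common case. Reading the flags currently in effect with `WinHttpQueryOption`, OR-ing the new bit in and writing the result back keeps both. Separately, `auto option` hides that the option buffer has to be a `DWORD`; the revocation block below uses `DWORD value`, so the same spelling here keeps the two consistent. The constructor body continues outside the hunk on both sides.
```cpp
  if (options.IgnoreInvalidCertificateCommonName)
  {
    DWORD securityFlags = 0;
    DWORD securityFlagsSize = sizeof(securityFlags);
    // Read the flags already in effect so this call extends them instead of replacing them.
    if (!WinHttpQueryOption(
            m_requestHandle.get(), WINHTTP_OPTION_SECURITY_FLAGS, &securityFlags, &securityFlagsSize))
    {
      GetErrorAndThrow("Error while querying security flags.");
    }
    securityFlags |= SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
    if (!WinHttpSetOption(
            m_requestHandle.get(), WINHTTP_OPTION_SECURITY_FLAGS, &securityFlags, sizeof(securityFlags)))
    {
      GetErrorAndThrow("Error while setting ignore invalid certificate common name.");
    }
  }
  // … unchanged: EnableCertificateRevocationListCheck handling …
```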
@@ -173,6 +173,14 @@ namespace Azure { namespace Core { namespace Http { namespace Policies { */ bool EnableCertificateRevocationListCheck{false}; + /** + * @brief Verify peer's SSL certificate. + * + * @remark This field is only used if the customer has not specified a default transport + * adapter. If the customer has set a Transport adapter, this option is ignored. + */ + bool SslVerifyPeer{true}; + /** * @brief Base64 encoded DER representation of an X.509 certificate expected in the certificate * chain used in TLS connections. diff --git a/sdk/core/azure-core/src/http/curl/curl.cpp b/sdk/core/azure-core/src/http/curl/curl.cpp index facbe359b9..32db0d2d69 100644 --- a/sdk/core/azure-core/src/http/curl/curl.cpp +++ b/sdk/core/azure-core/src/http/curl/curl.cpp @@ -311,6 +311,7 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions curlOptions.SslOptions.PemEncodedExpectedRootCertificates = PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE"); } + curlOptions.SslVerifyPeer = transportOptions.SslVerifyPeer; return curlOptions; } diff --git a/sdk/core/azure-core/src/http/transport_policy.cpp b/sdk/core/azure-core/src/http/transport_policy.cpp index 119dc31683..963a2215e2 100644 --- a/sdk/core/azure-core/src/http/transport_policy.cpp +++ b/sdk/core/azure-core/src/http/transport_policy.cpp 
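Review bot: `curlOptions.SslVerifyPeer = transportOptions.SslVerifyPeer;` in CurlTransportOptionsFromTransportOptions maps the new option onto the curl adapter's peer-verification switch, and whether that switch also turns off host-name verification (`CURLOPT_SSL_VERIFYHOST`) cannot be seen from this hunk, whereas the WinHTTP mapping in patch 2 explicitly relaxes both the unknown-CA and the CN-mismatch check. If the curl adapter leaves host-name verification on, the same option behaves differently between the two transports and the header doc should say so, or the curl side should be aligned. A one-line comment above the assignment naming what the curl adapter does with `SslVerifyPeer` would make the intended parity visible to the next reader. The function begins outside the hunk.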
@@ -28,11 +28,11 @@ namespace Azure { namespace Core { namespace Http { namespace Policies { namespa */ bool AreAnyTransportOptionsSpecified(TransportOptions const& transportOptions) { - return ( - transportOptions.HttpProxy.HasValue() || transportOptions.ProxyPassword.HasValue() - || transportOptions.ProxyUserName.HasValue() - || transportOptions.EnableCertificateRevocationListCheck - || !transportOptions.ExpectedTlsRootCertificate.empty()); + return (transportOptions.HttpProxy.HasValue() || transportOptions.ProxyPassword.HasValue() + || transportOptions.ProxyUserName.HasValue() + || transportOptions.EnableCertificateRevocationListCheck + || !transportOptions.ExpectedTlsRootCertificate.empty()) + || !transportOptions.SslVerifyPeer; } } // namespace diff --git a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp index e32505bc1c..ed9a8140e2 100644 --- a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp +++ b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp @@ -765,6 +765,12 @@ WinHttpTransportOptions WinHttpTransportOptionsFromTransportOptions( httpOptions.IgnoreUnknownCertificateAuthority = true; } + if (!transportOptions.SslVerifyPeer) + { + httpOptions.IgnoreUnknownCertificateAuthority = true; + httpOptions.IgnoreInvalidCertificateCommonName = true; + } + return httpOptions; } } // namespace From 830da3533f9b6b1741c86bb4e0cf3a98798a3274 Mon Sep 17 00:00:00 2001 From: Jinming Hu Date: Fri, 24 Feb 2023 11:46:32 +0800 Subject: [PATCH 3/3] aaa --- sdk/core/azure-core/CHANGELOG.md | 2 +- .../azure-core/inc/azure/core/http/policies/policy.hpp | 9 +++++++-- sdk/core/azure-core/src/http/curl/curl.cpp | 2 +- sdk/core/azure-core/src/http/transport_policy.cpp | 2 +- .../azure-core/src/http/winhttp/win_http_transport.cpp | 2 +- 5 files changed, 11 insertions(+), 6 deletions(-) 
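Review bot: The rewritten `return` in AreAnyTransportOptionsSpecified keeps the original five operands inside an extra pair of parentheses and appends `|| !transportOptions.SslVerifyPeer` outside them, which reads as if the grouping mattered when a plain `||` chain is equivalent; patch 3's hunk in this function keeps the same shape. Flattening it to one chain, with `|| !transportOptions.ExpectedTlsRootCertificate.empty()` followed by `|| !transportOptions.SslVerifyPeer);` and the closing parenthesis at the end, matches the layout of the removed lines. The function's doc comment sits above the hunk.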
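Review bot: In WinHttpTransportOptionsFromTransportOptions, `!transportOptions.SslVerifyPeer` is mapped to ignoring an unknown CA and a CN mismatch only, while the curl hunk in this patch turns peer verification off altogether, which as far as I know also skips chain checks such as certificate expiry; patch 3 renames the field to `DisableTlsCertificateValidation`, whose doc promises exactly that broader effect. An expired certificate would therefore presumably still be rejected on WinHTTP but accepted on curl for the same option value. Either the WinHTTP mapping should cover the remaining conditions as well (WinHTTP exposes further `SECURITY_FLAG_IGNORE_*` bits such as `SECURITY_FLAG_IGNORE_CERT_DATE_INVALID`), or the header doc should state that on WinHTTP only the CA and host-name checks are relaxed. Patch 3's hunk in the same function keeps this mapping unchanged, so the point applies there too.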
diff --git a/sdk/core/azure-core/CHANGELOG.md b/sdk/core/azure-core/CHANGELOG.md index c7da3bdb05..e99adf5f5a 100644 --- a/sdk/core/azure-core/CHANGELOG.md +++ b/sdk/core/azure-core/CHANGELOG.md @@ -5,7 +5,7 @@ ### Features Added - Added the ability to ignore invalid certificate common name for TLS connections in WinHTTP transport. -- Added `SslVerifyPeer` in `TransportOptions`. +- Added `DisableTlsCertificateValidation` in `TransportOptions`. ### Breaking Changes diff --git a/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp b/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp index 4b972e8d39..f23c6ef82e 100644 --- a/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp +++ b/sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp @@ -174,12 +174,17 @@ namespace Azure { namespace Core { namespace Http { namespace Policies { bool EnableCertificateRevocationListCheck{false}; /** - * @brief Verify peer's SSL certificate. + * @brief Disable SSL/TLS certificate verification. This option allows transport layer to + * perform insecure SSL/TLS connections and skip SSL/TLS certificate checks while still having + * SSL/TLS-encrypted communications. + * + * @remark Disabling TLS security is generally a bad idea because it allows malicious actors to + * spoof the target server and should never be enabled in production code. * * @remark This field is only used if the customer has not specified a default transport * adapter. If the customer has set a Transport adapter, this option is ignored. */ - bool SslVerifyPeer{true}; + bool DisableTlsCertificateValidation{false}; /** * @brief Base64 encoded DER representation of an X.509 certificate expected in the certificate diff --git a/sdk/core/azure-core/src/http/curl/curl.cpp b/sdk/core/azure-core/src/http/curl/curl.cpp index 32db0d2d69..357bb5e50f 100644 --- a/sdk/core/azure-core/src/http/curl/curl.cpp +++ b/sdk/core/azure-core/src/http/curl/curl.cpp 
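Review bot: The new `@brief` for `DisableTlsCertificateValidation` in policy.hpp reads `allows transport layer to perform insecure SSL/TLS connections`; it is missing an article and should read `allows the transport layer to perform`. The remark could also spell out what each transport does when the flag is set, which the other hunks of this series show: the curl adapter's peer-verification switch is turned off, and on WinHTTP the unknown-CA and CN-mismatch errors are ignored. Recording that per-transport mapping in a `@remark` next to the existing one keeps users from assuming identical behavior on both transports. Doc-only, no code change proposed.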
@@ -311,7 +311,7 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions curlOptions.SslOptions.PemEncodedExpectedRootCertificates = PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE"); } - curlOptions.SslVerifyPeer = transportOptions.SslVerifyPeer; + curlOptions.SslVerifyPeer = !transportOptions.DisableTlsCertificateValidation; return curlOptions; } diff --git a/sdk/core/azure-core/src/http/transport_policy.cpp b/sdk/core/azure-core/src/http/transport_policy.cpp index 963a2215e2..ef001d07e8 100644 --- a/sdk/core/azure-core/src/http/transport_policy.cpp +++ b/sdk/core/azure-core/src/http/transport_policy.cpp @@ -32,7 +32,7 @@ namespace Azure { namespace Core { namespace Http { namespace Policies { namespa || transportOptions.ProxyUserName.HasValue() || transportOptions.EnableCertificateRevocationListCheck || !transportOptions.ExpectedTlsRootCertificate.empty()) - || !transportOptions.SslVerifyPeer; + || transportOptions.DisableTlsCertificateValidation; } } // namespace diff --git a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp index ed9a8140e2..26481b88d7 100644 --- a/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp +++ b/sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp @@ -765,7 +765,7 @@ WinHttpTransportOptions WinHttpTransportOptionsFromTransportOptions( httpOptions.IgnoreUnknownCertificateAuthority = true; } - if (!transportOptions.SslVerifyPeer) + if (transportOptions.DisableTlsCertificateValidation) { httpOptions.IgnoreUnknownCertificateAuthority = true; httpOptions.IgnoreInvalidCertificateCommonName = true;