Merge pull request #687 from ZekeSnider/certificate-revocation-client…

…-config Disable cert revocation check if cert validation is disabled
microsoft · Aug 1, 2018 · 35f721d · 35f721d
2 parents ee2cde6 + 074590c
commit 35f721d
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 21 deletions.
diff --git a/Release/src/http/client/http_client_winhttp.cpp b/Release/src/http/client/http_client_winhttp.cpp
@@ -667,7 +667,7 @@ class winhttp_client : public _http_client_communicator
         }
 
         // Enable the certificate revocation check
-        if (m_secure)
+        if (m_secure && client_config().validate_certificates())
         {
             DWORD dwEnableSSLRevocOpt = WINHTTP_ENABLE_SSL_REVOCATION;
             if (!WinHttpSetOption(winhttp_context->m_request_handle, WINHTTP_OPTION_ENABLE_FEATURE, &dwEnableSSLRevocOpt, sizeof(dwEnableSSLRevocOpt)))

diff --git a/Release/tests/functional/http/client/outside_tests.cpp b/Release/tests/functional/http/client/outside_tests.cpp
@@ -75,7 +75,7 @@ TEST_FIXTURE(uri_address, outside_wikipedia_compressed_http_response)
 
     auto s = response.extract_utf8string().get();
     VERIFY_IS_FALSE(s.empty());
-    
+
     utility::string_t encoding;
     VERIFY_IS_TRUE(response.headers().match(web::http::header_names::content_encoding, encoding));
 
@@ -93,14 +93,14 @@ TEST_FIXTURE(uri_address, outside_google_dot_com)
         VERIFY_ARE_EQUAL(status_codes::OK, response.status_code());
     }
 }
-    
+
 TEST_FIXTURE(uri_address, multiple_https_requests)
 {
     handle_timeout([&]
     {
         // Use code.google.com instead of www.google.com, which redirects
         http_client client(U("https://code.google.com"));
-    
+
         http_response response;
         for(int i = 0; i < 5; ++i)
         {
@@ -155,38 +155,90 @@ TEST_FIXTURE(uri_address, no_transfer_encoding_content_length)
 // https://www.ssllabs.com/ssltest/
 // http://www.internetsociety.org/deploy360/resources/dane-test-sites/
 // https://onlinessl.netlock.hu/#
-TEST(server_selfsigned_cert)
+static void test_failed_ssl_cert(const uri& base_uri)
 {
-    handle_timeout([]
+    handle_timeout([&base_uri]
     {
-        http_client client(U("https://self-signed.badssl.com/"));
+        http_client client(base_uri);
         auto requestTask = client.request(methods::GET);
         VERIFY_THROWS(requestTask.get(), http_exception);
     });
 }
 
-TEST(server_hostname_mismatch)
+#if !defined(__cplusplus_winrt)
+static void test_ignored_ssl_cert(const uri& base_uri)
 {
-    handle_timeout([]
+    handle_timeout([&base_uri]
     {
-        http_client client(U("https://wrong.host.badssl.com/"));
-        auto requestTask = client.request(methods::GET);
-        VERIFY_THROWS(requestTask.get(), http_exception);
+        http_client_config config;
+        config.set_validate_certificates(false);
+        http_client client(base_uri, config);
+        auto request = client.request(methods::GET).get();
+        VERIFY_ARE_EQUAL(status_codes::OK, request.status_code());
     });
 }
+#endif // !defined(__cplusplus_winrt)
+
+TEST(server_selfsigned_cert)
+{
+    test_failed_ssl_cert(U("https://self-signed.badssl.com/"));
+}
+
+#if !defined(__cplusplus_winrt)
+TEST(server_selfsigned_cert_ignored)
+{
+    test_ignored_ssl_cert(U("https://self-signed.badssl.com/"));
+}
+#endif // !defined(__cplusplus_winrt)
+
+TEST(server_hostname_mismatch)
+{
+    test_failed_ssl_cert(U("https://wrong.host.badssl.com/"));
+}
+
+#if !defined(__cplusplus_winrt)
+TEST(server_hostname_mismatch_ignored)
+{
+    test_ignored_ssl_cert(U("https://wrong.host.badssl.com/"));
+}
+#endif // !defined(__cplusplus_winrt)
 
 TEST(server_cert_expired)
 {
-    handle_timeout([]
-    {
-        http_client_config config;
-        config.set_timeout(std::chrono::seconds(1));
-        http_client client(U("https://expired.badssl.com/"), config);
-        auto requestTask = client.request(methods::GET);
-        VERIFY_THROWS(requestTask.get(), http_exception);
-    });
+    test_failed_ssl_cert(U("https://expired.badssl.com/"));
+}
+
+#if !defined(__cplusplus_winrt)
+TEST(server_cert_expired_ignored)
+{
+    test_ignored_ssl_cert(U("https://expired.badssl.com/"));
+}
+#endif // !defined(__cplusplus_winrt)
+
+TEST(server_cert_revoked)
+{
+    test_failed_ssl_cert(U("https://revoked.badssl.com/"));
+}
+
+#if !defined(__cplusplus_winrt)
+TEST(server_cert_revoked_ignored)
+{
+    test_ignored_ssl_cert(U("https://revoked.badssl.com/"));
+}
+#endif // !defined(__cplusplus_winrt)
+
+TEST(server_cert_untrusted)
+{
+    test_failed_ssl_cert(U("https://untrusted-root.badssl.com/"));
 }
 
+#if !defined(__cplusplus_winrt)
+TEST(server_cert_untrusted_ignored)
+{
+    test_ignored_ssl_cert(U("https://untrusted-root.badssl.com/"));
+}
+#endif // !defined(__cplusplus_winrt)
+
 #if !defined(__cplusplus_winrt)
 TEST(ignore_server_cert_invalid,
      "Ignore:Android", "229",
@@ -204,7 +256,7 @@ TEST(ignore_server_cert_invalid,
         VERIFY_ARE_EQUAL(status_codes::OK, request.status_code());
     });
 }
-#endif
+#endif // !defined(__cplusplus_winrt)
 
 TEST_FIXTURE(uri_address, outside_ssl_json)
 {