libcpr / cpr

C++ Requests: Curl for People, a spiritual port of Python Requests.
https://docs.libcpr.org/

Disable verification of certificate revocation list during SSL negotiation (on development box)? #554

Closed rossbrin closed 3 years ago

rossbrin commented 3 years ago

Does cpr support any way to disable checking the certificate revocation list during an SSL negotiation? I'm on Windows 64, using Visual Studio 2019, with cpr version 1.5.2, libcurl v 7.74.0#4, and civetweb 1.13#1 as https host. cpr is installed on my machine using vcpkg, which produces an x64-windows-static library. curl/libcurl are installed using vcpkg with the [schannel,tool] options specified.

The development box (softloft.localhost) running the https host has its own site certificate, there's a loopback entry in the hosts file to redirect softloft.localhost to 127.0.0.1, and the CA which signed the site certificate is stored in the Windows certificate repository. Inside a browser, the page loads correctly. Command-line curl loads the page correctly with the following invocation:

curl -v https://softloft.local:443/example --ssl-no-revoke

libcurl supports the commandline --ssl-no-revoke flag via a call to curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE). However, cpr does not support CURLSSLOPT_NO_REVOKE which means that, unless SSL is disabled altogether by using cpr::VerifySsl(false), SSL verification will fail because there is no CRL set up.

Suggestion: cpr could add curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE) as a new one-line function in session.cpp/hpp.

#include <cpr/cpr.h>
#include <curl/curl.h>
#include <string>

// Attempt via cpr 1.5.2: no way to pass CURLSSLOPT_NO_REVOKE
void cprAttempt()
{
    cpr::Url      url;

    url  = "https://softloft.local/example";

    cpr::Response rfails = cpr::Get(url);                    // This fails with '{code=SSL_CONNECT_ERROR (10) message="schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate." }'
    cpr::Response rworks = cpr::Get(url, cpr::VerifySsl(0)); // Correct content, but SSL not verified, CRL not verified.
}

// libcurl write callback referenced below (definition supplied here): appends the received body to the std::string passed via CURLOPT_WRITEDATA
static size_t writeFunction(char* ptr, size_t size, size_t nmemb, void* userdata)
{
    static_cast<std::string*>(userdata)->append(ptr, size * nmemb);
    return size * nmemb;
}

// Attempt via plain libcurl: CURLSSLOPT_NO_REVOKE gives the wished-for behavior
void libcurlAttempt()
{
    std::string         response_string;

    curl_global_init(CURL_GLOBAL_DEFAULT);
    auto curl = curl_easy_init();
    if (curl)
    {
        curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
        curl_easy_setopt(curl, CURLOPT_URL, "https://softloft.local/example");
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writeFunction);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response_string);

        curl_easy_perform(curl);  // response_string has the right response.  SSL is verified.  CRL is not verified.  This is wished-for behavior
        curl_easy_cleanup(curl);
        curl_global_cleanup();
        curl = nullptr;
    }
}

COM8 commented 3 years ago

This is already possible. Here is an example:

SslOptions sslOpts = Ssl(ssl::NoRevoke{true});
Response response = cpr::Get(url, sslOpts, Verbose{});
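
A way to keep the revocation bypass scoped to the development host instead of applying it to every request, as an added example that is not code from the cpr project or from the posters in this thread. The hostOf/allowNoRevoke helpers, the kDevHosts allowlist and the fetch wrapper are assumptions; the cpr call needs cpr 1.6.0 or later (which added ssl::NoRevoke) and only compiles where the cpr header is installed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>
// Host part of an http(s) URL: scheme, userinfo, port and path stripped, lower-cased.
std::string hostOf(const std::string& url) {
    std::string rest = url;
    auto scheme = rest.find("://");
    if (scheme != std::string::npos) rest = rest.substr(scheme + 3);
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));
    auto at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    if (!authority.empty() && authority[0] == '[') {          // IPv6 literal, e.g. [::1]:8443
        auto close = authority.find(']');
        return close == std::string::npos ? authority : authority.substr(0, close + 1);
    }
    std::string host = authority.substr(0, authority.find(':'));
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return host;
}

// Development hosts that may skip the CRL check (constructed allowlist; names taken from the issue).
const std::vector<std::string> kDevHosts = {"softloft.local", "softloft.localhost"};

// True only for loopback-style names: "localhost", anything under .localhost, or the allowlist.
bool allowNoRevoke(const std::string& url) {
    const std::string host = hostOf(url);
    const std::string suffix = ".localhost";
    if (host == "localhost") return true;
    if (host.size() > suffix.size() &&
        host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0) return true;
    return std::find(kDevHosts.begin(), kDevHosts.end(), host) != kDevHosts.end();
}

// The cpr call itself (hypothetical fetch wrapper) compiles only where cpr >= 1.6.0 is installed.
#ifdef __has_include
#if __has_include(<cpr/cpr.h>)
#include <cpr/cpr.h>
cpr::Response fetch(const std::string& url) {
    if (allowNoRevoke(url)) {
        // Maps to CURLSSLOPT_NO_REVOKE: the chain is still verified, only revocation status is skipped.
        return cpr::Get(cpr::Url{url}, cpr::Ssl(cpr::ssl::NoRevoke{true}));
    }
    return cpr::Get(cpr::Url{url});   // full verification, including revocation, for everything else
}
#endif
#endif
```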
rossbrin commented 3 years ago

Thanks for the reply. This (useful) feature was added to cpr two months ago and appeared in the 1.6.0 release last month. Vcpkg supports cpr 1.5.2 at this time, so I presume we must wait for somebody within Microsoft to update vcpkg from cpr 1.5.2 to cpr 1.6.0.

https://github.com/microsoft/vcpkg/pull/14131

COM8 commented 3 years ago

Exactly. But anybody can submit a PR for vcpkg, updating packages.

bionicbeagle commented 3 years ago

FWIW it would be really great if vcpkg could be updated to 1.6.2 - I gave it a quick try earlier but it seems the CMake files have changed quite a bit and I couldn't quite figure out what was going wrong so I moved on for now.