libcpr / cpr

C++ Requests: Curl for People, a spiritual port of Python Requests.
https://docs.libcpr.org/

ssl::NoRevoke{true} option is ignored #861

Closed aleshagladk closed 1 year ago

aleshagladk commented 1 year ago

Description

This issue is related to the discussion in https://github.com/libcpr/cpr/issues/554. Apparently the following check-in, https://github.com/libcpr/cpr/commit/121718221a511801aa8abb7fa6e5900f340371e9, overrode the value of the ssl::NoRevoke option due to the addition of the following call to the Session::PrepareCommon() function:

#if LIBCURL_VERSION_MAJOR >= 7
#if LIBCURL_VERSION_MINOR >= 71
    // Fix loading certs from Windows cert store when using OpenSSL:
    curl_easy_setopt(curl_->handle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NATIVE_CA);
#endif
#endif

The CURLSSLOPT_NATIVE_CA parameter will force the curl NO REVOKE flag to be set to false.

Example/How to Reproduce

Consider the following example to test this:

cpr::SslOptions sslOpts = cpr::Ssl( cpr::ssl::NoRevoke{ true } );
cpr::Response response = cpr::Get(cpr::Url{ "https://github.com" }, sslOpts, cpr::Verbose{});

First, the curl no_revoke parameter will be correctly set to true in Session::SetSslOptions() by: curl_easy_setopt(curl_->handle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE); Then it will be overridden back to false in PrepareCommon() as stated above.

Possible Fix

No response

Where did you get it from?

vcpkg

Additional Context/Your Environment

COM8 commented 1 year ago

Thanks for reporting! Would you like to create a PR for it?

aleshagladk commented 1 year ago

> Thanks for reporting! Would you like to create a PR for it?

Thanks for looking into this issue, Fabian. I can create a pull request, but I do not have an idea for how to fix it. I'm happy to contribute with testing, though, should there be a way to build a dev branch with the vcpkg distribution. This feature is important when revocation cannot be performed for an HTTPS request due to, e.g., extra security measures to hide the caller's real IP. Hence, it might not be straightforward to create a relevant test case.

COM8 commented 1 year ago

Sadly, there is no dev package for vcpkg from our side, since we do not maintain the vcpkg package.

I will try to have a look at it over the next couple of days.

COM8 commented 1 year ago

https://github.com/libcpr/cpr/pull/889
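
The overwrite described in this issue, modeled without libcurl as an added example (it is not cpr's code and not the change made in the linked PR). `ModelHandle` is a hypothetical stand-in for the easy handle, and `kNoRevoke` / `kNativeCa` copy the bit values of `CURLSSLOPT_NO_REVOKE` and `CURLSSLOPT_NATIVE_CA` from curl/curl.h; the `dropped` field is an assumption added to make a silent clobber visible in a test.

```cpp
#include <cstdio>

// Bit values of CURLSSLOPT_NO_REVOKE and CURLSSLOPT_NATIVE_CA in curl/curl.h,
// repeated here so the example builds without libcurl.
constexpr long kNoRevoke = 1L << 1;
constexpr long kNativeCa = 1L << 4;

// Hypothetical stand-in for a curl easy handle. Like CURLOPT_SSL_OPTIONS,
// every write replaces the stored bitmask instead of merging into it.
struct ModelHandle {
    long ssl_options = 0;
    long dropped = 0;  // bits that a later write silently cleared
    void SetSslOptions(long mask) {
        dropped |= ssl_options & ~mask;
        ssl_options = mask;
    }
};

// Order reported in the issue: SetSslOptions() writes NO_REVOKE, then
// PrepareCommon() writes NATIVE_CA alone and the earlier bit is lost.
ModelHandle BuggySequence(bool no_revoke) {
    ModelHandle h;
    if (no_revoke) h.SetSslOptions(kNoRevoke);
    h.SetSslOptions(kNativeCa);
    return h;
}

// Collect every requested flag first, then write the option exactly once.
ModelHandle MergedSequence(bool no_revoke) {
    ModelHandle h;
    long mask = kNativeCa;
    if (no_revoke) mask |= kNoRevoke;
    h.SetSslOptions(mask);
    return h;
}

bool NoRevokeActive(const ModelHandle& h) { return (h.ssl_options & kNoRevoke) != 0; }

int main() {
    ModelHandle buggy = BuggySequence(true);
    ModelHandle merged = MergedSequence(true);
    std::printf("buggy : no_revoke=%d dropped=0x%lx\n", NoRevokeActive(buggy), buggy.dropped);
    std::printf("merged: no_revoke=%d dropped=0x%lx\n", NoRevokeActive(merged), merged.dropped);
    return 0;
}
```

The same last-write-wins behaviour applies to any other bit in the mask, so a regression test that checks for dropped bits covers flags beyond NO_REVOKE as well.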