Skip to content
Merged
Show file tree
Hide file tree
Changes from 2 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions sdk/core/azure-core/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@

### Features Added

- Added the ability to ignore invalid certificate common name for TLS connections in WinHTTP transport.
- Added `SslVerifyPeer` in `TransportOptions`.

### Breaking Changes

### Bugs Fixed
Expand Down
8 changes: 8 additions & 0 deletions sdk/core/azure-core/inc/azure/core/http/policies/policy.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,14 @@ namespace Azure { namespace Core { namespace Http { namespace Policies {
*/
bool EnableCertificateRevocationListCheck{false};

/**
* @brief Verify peer's SSL certificate.
*
* @remark This field is only used if the customer has not specified a default transport
* adapter. If the customer has set a Transport adapter, this option is ignored.
*/
bool SslVerifyPeer{true};
Comment thread
Jinming-Hu marked this conversation as resolved.
Outdated

/**
* @brief Base64 encoded DER representation of an X.509 certificate expected in the certificate
* chain used in TLS connections.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,11 @@ namespace Azure { namespace Core {
*/
bool IgnoreUnknownCertificateAuthority{false};

/**
* @brief When `true`, allows an invalid common name in a certificate.
*/
bool IgnoreInvalidCertificateCommonName{false};

/**
* Proxy information.
*/
Expand Down
1 change: 1 addition & 0 deletions sdk/core/azure-core/src/http/curl/curl.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -311,6 +311,7 @@ Azure::Core::Http::CurlTransportOptions CurlTransportOptionsFromTransportOptions
curlOptions.SslOptions.PemEncodedExpectedRootCertificates
= PemEncodeFromBase64(transportOptions.ExpectedTlsRootCertificate, "CERTIFICATE");
}
curlOptions.SslVerifyPeer = transportOptions.SslVerifyPeer;
return curlOptions;
}

Expand Down
10 changes: 5 additions & 5 deletions sdk/core/azure-core/src/http/transport_policy.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -28,11 +28,11 @@ namespace Azure { namespace Core { namespace Http { namespace Policies { namespa
*/
bool AreAnyTransportOptionsSpecified(TransportOptions const& transportOptions)
{
return (
transportOptions.HttpProxy.HasValue() || transportOptions.ProxyPassword.HasValue()
|| transportOptions.ProxyUserName.HasValue()
|| transportOptions.EnableCertificateRevocationListCheck
|| !transportOptions.ExpectedTlsRootCertificate.empty());
return (transportOptions.HttpProxy.HasValue() || transportOptions.ProxyPassword.HasValue()
|| transportOptions.ProxyUserName.HasValue()
|| transportOptions.EnableCertificateRevocationListCheck
|| !transportOptions.ExpectedTlsRootCertificate.empty())
|| !transportOptions.SslVerifyPeer;
}
} // namespace

Expand Down
16 changes: 16 additions & 0 deletions sdk/core/azure-core/src/http/winhttp/win_http_transport.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -765,6 +765,12 @@ WinHttpTransportOptions WinHttpTransportOptionsFromTransportOptions(
httpOptions.IgnoreUnknownCertificateAuthority = true;
}

if (!transportOptions.SslVerifyPeer)
{
httpOptions.IgnoreUnknownCertificateAuthority = true;
httpOptions.IgnoreInvalidCertificateCommonName = true;
}

return httpOptions;
}
} // namespace
Expand Down Expand Up @@ -918,6 +924,16 @@ _detail::WinHttpRequest::WinHttpRequest(
}
}

if (options.IgnoreInvalidCertificateCommonName)
{
auto option = SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
if (!WinHttpSetOption(
m_requestHandle.get(), WINHTTP_OPTION_SECURITY_FLAGS, &option, sizeof(option)))
{
GetErrorAndThrow("Error while setting ignore invalid certificate common name.");
}
}

if (options.EnableCertificateRevocationListCheck)
{
DWORD value = WINHTTP_ENABLE_SSL_REVOCATION;
Expand Down