[Feature] Set CURLSSLOPT_REVOKE_BEST_EFFORT #3831

Open: kai-ion wants to merge 6 commits into main from revocation

kai-ion (Collaborator) commented May 20, 2026

Set CURLSSLOPT_REVOKE_BEST_EFFORT

Issue #, if available:
#3830

Description of changes:
Add CURLSSLOPT_REVOKE_BEST_EFFORT in CurlHttpClient.cpp

Check all that applies:

  • Did a review by yourself.
  • Added proper tests to cover this PR. (If tests are not applicable, explain.)
  • Checked if this PR is a breaking (APIs have been changed) change.
  • Checked if this PR will not introduce cross-platform inconsistent behavior.
  • Checked if this PR would require a ReadMe/Wiki update.

Check which platforms you have built SDK on to verify the correctness of this PR.

  • Linux
  • Windows
  • Android
  • MacOS
  • IOS
  • Other Platforms

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

kai-ion and others added 4 commits May 19, 2026 14:35
 Set CURLSSLOPT_REVOKE_BEST_EFFORT
 Set CURLSSLOPT_REVOKE_BEST_EFFORT
 Set CURLSSLOPT_REVOKE_BEST_EFFORT
bool verifySSL = true;
/**
* If set to true, the SDK will not fail SSL connections when Certificate Revocation
* List (CRL) servers are unreachable. Only applies on Windows when using the curl
Collaborator commented:

"Only applies on Windows when using the curl HTTP client with Schannel"

This is flat out untrue; this configuration is only for setting CURLSSLOPT_REVOKE_BEST_EFFORT. Update the documentation to reflect this.

Additionally, we have configuration specifically for Windows HTTP. We should likely have one for curl if one doesn't already exist, and this should be a configuration in there.

* List (CRL) servers are unreachable. Only applies on Windows when using the curl
* HTTP client with Schannel. Off by default to maintain strict revocation checking.
*/
bool allowCrlOffline = false;
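
Review bot: The doc comment above `allowCrlOffline` says what the flag tolerates but not what it costs. With it enabled, a certificate whose revocation status cannot be fetched is treated as good, so a revoked certificate is accepted whenever the distribution point is unreachable. State that trade-off in the comment so callers who turn it on know they are moving from hard-fail to soft-fail revocation checking. Keeping the default at `false` is the right call.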
Collaborator commented:

Why is this called allowCrlOffline? It has to do with CURLSSLOPT_REVOKE_BEST_EFFORT; this should be named to reflect

curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
}
#else
AWS_UNREFERENCED_PARAM(m_allowCrlOffline);
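
Review bot: `CURLOPT_SSL_OPTIONS` takes a bitmask, and the `curl_easy_setopt` call here passes `CURLSSLOPT_REVOKE_BEST_EFFORT` alone, which replaces any other SSL option bits already set on `connectionHandle` instead of adding to them. Accumulate the mask in a single `long` with `|=` and set it once per handle. The return code is also discarded, so if the linked libcurl rejects the option the caller believes best-effort revocation is active when it is not; check it and log the failure.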
Collaborator commented:

This is a member variable, not a parameter; why are we using AWS_UNREFERENCED_PARAM?
