fix verify ssl on windows, add option for anonymous auth

aws · Feb 25, 2025 · 75fc818 · 75fc818
1 parent 50f3795
commit 75fc818
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -453,6 +453,18 @@ namespace Aws
              * Provide TelemetryProvider here or via a factory method.
              */
             std::shared_ptr<smithy::components::tracing::TelemetryProvider> telemetryProvider;
+
+            /**
+             * Configuration that is specifically used for the windows http client
+             */
+            struct WinHTTPOptions {
+              /**
+               * Sets the windows http client to use WINHTTP_NO_CLIENT_CERT_CONTEXT when connecting
+               * to a service, specifically only useful when disabling ssl verification and using
+               * a different type of authentication.
+               */
+              bool useAnonymousAuth = false;
+            } winHTTPOptions;
         };
 
         /**

diff --git a/src/aws-cpp-sdk-core/include/aws/core/http/windows/WinHttpSyncHttpClient.h b/src/aws-cpp-sdk-core/include/aws/core/http/windows/WinHttpSyncHttpClient.h
@@ -59,6 +59,7 @@ namespace Aws
 
             bool m_usingProxy = false;
             bool m_verifySSL = true;
+            bool m_useAnonymousAuth = false;
             Aws::Http::Version m_version = Aws::Http::Version::HTTP_VERSION_2TLS;
             Aws::WString m_proxyUserName;
             Aws::WString m_proxyPassword;

diff --git a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
@@ -402,7 +402,8 @@ WinHttpSyncHttpClient::WinHttpSyncHttpClient(const ClientConfiguration& config)
     Base(),
     m_usingProxy(!config.proxyHost.empty()),
     m_verifySSL(config.verifySSL),
-    m_version(config.version)
+    m_version(config.version),
+    m_useAnonymousAuth(config.winHTTPOptions.useAnonymousAuth)
 {
     m_enableHttpClientTrace = config.enableHttpClientTrace;
 
@@ -533,7 +534,10 @@ void* WinHttpSyncHttpClient::OpenRequest(const std::shared_ptr<HttpRequest>& req
 {
     LPCWSTR accept[2] = { nullptr, nullptr };
 
-    DWORD requestFlags = request->GetUri().GetScheme() == Scheme::HTTPS && m_verifySSL ? WINHTTP_FLAG_SECURE : 0;
+    DWORD requestFlags{0};
+    if (request->GetUri().GetScheme() == Scheme::HTTPS) {
+        requestFlags |= WINHTTP_FLAG_SECURE;
+    }
     if (m_usingProxy) {
         // Avoid force adding "Cache-Control: no-cache" header.
         requestFlags |= WINHTTP_FLAG_REFRESH;
@@ -569,11 +573,22 @@ void* WinHttpSyncHttpClient::OpenRequest(const std::shared_ptr<HttpRequest>& req
 
     if (!m_verifySSL) // Turning ssl unknown ca verification off
     {
-        DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
+        DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
+            SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
+            SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
+            SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;
         if (!AzCallWinHttp("WinHttpSetOption", WinHttpSetOption, hHttpRequest, WINHTTP_OPTION_SECURITY_FLAGS, &flags, (DWORD) sizeof(flags)))
         {
             AWS_LOGSTREAM_FATAL(GetLogTag(), "Failed to turn ssl cert ca verification off.");
         }
+
+        if (m_useAnonymousAuth)
+        {
+            if (!WinHttpSetOption(hHttpRequest, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0))
+            {
+                AWS_LOGSTREAM_FATAL(GetLogTag(), "Failed to set anonymous auth on.");
+            }
+        }
     }
 
     if (!GetConnectionPoolManager()->GetEnableTcpKeepAlive())