From 75fc818bfbe1fbeaa7187827fd6b2f12e0cc8c3b Mon Sep 17 00:00:00 2001
From: sbiscigl
Date: Mon, 24 Feb 2025 17:51:28 -0500
Subject: [PATCH] fix verify ssl on windows, add option for anonymous auth

---
 .../aws/core/client/ClientConfiguration.h | 12 +++++++++++
 .../core/http/windows/WinHttpSyncHttpClient.h | 1 +
 .../http/windows/WinHttpSyncHttpClient.cpp | 21 ++++++++++++++++---
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
index 97b75797e2c..13e5458da7b 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -453,6 +453,18 @@ namespace Aws
 * Provide TelemetryProvider here or via a factory method.
 */
 std::shared_ptr telemetryProvider;
+
+ /**
+ * Configuration that is specifically used for the windows http client
+ */
+ struct WinHTTPOptions {
+ /**
+ * Sets the windows http client to use WINHTTP_NO_CLIENT_CERT_CONTEXT when connecting
+ * to a service, specifically only useful when disabling ssl verification and using
+ * a different type of authentication.
+ */
+ bool useAnonymousAuth = false;
+ } winHTTPOptions;
 };

 /**
diff --git a/src/aws-cpp-sdk-core/include/aws/core/http/windows/WinHttpSyncHttpClient.h b/src/aws-cpp-sdk-core/include/aws/core/http/windows/WinHttpSyncHttpClient.h
index 4556b150e70..61e3b0c4a3c 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/http/windows/WinHttpSyncHttpClient.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/http/windows/WinHttpSyncHttpClient.h
@@ -59,6 +59,7 @@ namespace Aws

 bool m_usingProxy = false;
 bool m_verifySSL = true;
+ bool m_useAnonymousAuth = false;
 Aws::Http::Version m_version = Aws::Http::Version::HTTP_VERSION_2TLS;
 Aws::WString m_proxyUserName;
 Aws::WString m_proxyPassword;
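Review bot: The doc comment on `useAnonymousAuth` inside `struct WinHTTPOptions` describes the option as "anonymous auth", but the only thing the implementation does with it is set WINHTTP_OPTION_CLIENT_CERT_CONTEXT to WINHTTP_NO_CLIENT_CERT_CONTEXT, which as far as I read that WinHTTP option governs whether a TLS client certificate is presented when the server requests one, not any HTTP authentication scheme; the comment should say so to avoid callers reaching for it when they want anonymous HTTP. It should also spell out the precondition the implementation imposes, because the option is silently ignored otherwise: `Only honoured when verifySSL is false; it is ignored when server certificate verification is on.` A comment that this disables mutual-TLS identification of the client (and so belongs in test/local setups, not against production endpoints) would round it out.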
diff --git a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
index 9c82caa6811..c18b78b52ff 100644
--- a/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp
@@ -402,7 +402,8 @@ WinHttpSyncHttpClient::WinHttpSyncHttpClient(const ClientConfiguration& config)
 Base(),
 m_usingProxy(!config.proxyHost.empty()),
 m_verifySSL(config.verifySSL),
- m_version(config.version)
+ m_version(config.version),
+ m_useAnonymousAuth(config.winHTTPOptions.useAnonymousAuth)
 {
 m_enableHttpClientTrace = config.enableHttpClientTrace;

@@ -533,7 +534,10 @@ void* WinHttpSyncHttpClient::OpenRequest(const std::shared_ptr& req
 {
 LPCWSTR accept[2] = { nullptr, nullptr };

- DWORD requestFlags = request->GetUri().GetScheme() == Scheme::HTTPS && m_verifySSL ? WINHTTP_FLAG_SECURE : 0;
+ DWORD requestFlags{0};
+ if (request->GetUri().GetScheme() == Scheme::HTTPS) {
+ requestFlags |= WINHTTP_FLAG_SECURE;
+ }
 if (m_usingProxy) {
 // Avoid force adding "Cache-Control: no-cache" header.
 requestFlags |= WINHTTP_FLAG_REFRESH;
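Review bot: In the constructor initializer list `m_useAnonymousAuth` is initialized after `m_version`, but the header hunk declares it before `m_version` (between `m_verifySSL` and `m_version`), so this will draw a member-initialization-order warning (-Wreorder on gcc/clang, the equivalent on MSVC); initialization follows declaration order regardless, so it is cosmetic here but the warning will be noise in every build. Swap the two initializers to `m_useAnonymousAuth(config.winHTTPOptions.useAnonymousAuth),` followed by `m_version(config.version)`. The constructor body continues outside the hunk.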
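Review bot: The new `requestFlags` logic leaves the security-relevant invariant implicit: WINHTTP_FLAG_SECURE is now set for every https URI, and `m_verifySSL` no longer touches the transport but only relaxes the certificate checks applied later in OpenRequest via WINHTTP_OPTION_SECURITY_FLAGS. That is the right split, but the removed expression shows how easily the two get tied together again (and that tying them silently dropped TLS for https when verification was off), so the block deserves a comment that states the rule: `// Always negotiate TLS for https. m_verifySSL only relaxes certificate validation below; it must never downgrade the connection to plaintext.` OpenRequest continues beyond the hunk.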
@@ -569,11 +573,22 @@ void* WinHttpSyncHttpClient::OpenRequest(const std::shared_ptr& req

 if (!m_verifySSL) // Turning ssl unknown ca verification off
 {
- DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID;
+ DWORD flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
+ SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
+ SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
+ SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE;
 if (!AzCallWinHttp("WinHttpSetOption", WinHttpSetOption, hHttpRequest, WINHTTP_OPTION_SECURITY_FLAGS, &flags, (DWORD) sizeof(flags)))
 {
 AWS_LOGSTREAM_FATAL(GetLogTag(), "Failed to turn ssl cert ca verification off.");
 }
+
+ if (m_useAnonymousAuth)
+ {
+ if (!WinHttpSetOption(hHttpRequest, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0))
+ {
+ AWS_LOGSTREAM_FATAL(GetLogTag(), "Failed to set anonymous auth on.");
+ }
+ }
 }

 if (!GetConnectionPoolManager()->GetEnableTcpKeepAlive())
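Review bot: The new `if (m_useAnonymousAuth)` block sits inside `if (!m_verifySSL)`, so a caller who only needs WinHTTP to proceed without presenting a client certificate is forced to also switch off server certificate validation; presenting no client certificate and validating the server's certificate are independent decisions, so unless there is a WinHTTP reason for the coupling the block should be moved after the closing brace of the `!m_verifySSL` branch (or, at minimum, the option should log a warning when set while verification is on, since it is silently ignored today). The existing comment `// Turning ssl unknown ca verification off` is also now inaccurate: with the added SECURITY_FLAG_IGNORE_CERT_DATE_INVALID and SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE the branch ignores unknown CA, name mismatch, expiry and key-usage errors, which is effectively all server authentication, so it should read `// verifySSL=false: ignore unknown CA, name mismatch, expiry and key-usage errors; the peer is NOT authenticated, never use against production endpoints`. The direct `WinHttpSetOption` call for the client cert context also bypasses the `AzCallWinHttp` wrapper used for the call immediately above, so its failure path presumably loses whatever last-error reporting the wrapper adds; route it through `AzCallWinHttp("WinHttpSetOption", WinHttpSetOption, hHttpRequest, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0)` for consistency. OpenRequest continues outside the hunk.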