Describe the bug
SSL connections via CurlHttpClient fail on Windows when Certificate Revocation List (CRL) servers are unreachable. Schannel (the Windows libcurl SSL backend) performs mandatory CRL checking during the SSL handshake, and the SDK does not set CURLSSLOPT_REVOKE_BEST_EFFORT to handle offline revocation servers.
Regression Issue
Expected Behavior
SSL connections succeed when the certificate itself is valid, even if the CRL distribution point is unreachable.
Current Behavior
SSL connections fail with:
curlCode: 35, SSL connect error
Details: schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013)
- The revocation function was unable to check revocation because the revocation server was offline.
Reproduction Steps
- On a Windows machine, block outbound HTTP (port 80) to Amazon CRL endpoints (e.g., crl.r2m02.amazontrust.com) via firewall
- Use the AWS C++ SDK to make any HTTPS request (e.g., S3 ListObjects)
- The connection fails with curlCode 35 / CRYPT_E_REVOCATION_OFFLINE
Possible Solution
Add CURLSSLOPT_REVOKE_BEST_EFFORT in CurlHttpClient.cpp inside the if (m_verifySSL) block (aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp:735):

```cpp
#if LIBCURL_VERSION_NUM >= 0x074600 // CURLSSLOPT_REVOKE_BEST_EFFORT was added in libcurl 7.70.0
// Schannel only: proceed when the revocation server is unreachable, but still
// fail on a certificate that is actually revoked. CURLOPT_SSL_OPTIONS is a
// bitmask; OR this flag into any CURLSSLOPT_* bits already set on the handle
// rather than overwriting them.
curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
#endif
```
This tells Schannel to proceed if the CRL server is offline while still checking revocation when reachable. SSL peer/host verification remains fully enabled.
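The reproduction steps above and the proposed option, as an added example that is not part of this issue or of the SDK: the PowerShell script below blocks outbound HTTP to the CRL distribution point named in the report, then runs the Windows-shipped curl.exe (a Schannel build) three times against an HTTPS endpoint, once with defaults, once with --ssl-revoke-best-effort (the command-line equivalent of CURLSSLOPT_REVOKE_BEST_EFFORT), and once with --ssl-no-revoke as a control. This confirms the failure mode and the fix before touching the SDK. Assumptions: an elevated PowerShell session, curl.exe 7.70.0 or newer (older Windows builds ship 7.55.1, which lacks the flag; check with curl.exe -V), and that the S3 endpoint and the CRL host chosen here are the ones the certificate chain you are testing actually uses.

```powershell
# Added example (not from the issue or the SDK): reproduce the offline-CRL
# failure with the Schannel build of curl.exe and confirm that
# --ssl-revoke-best-effort makes the handshake succeed while the CRL host is blocked.

$CrlHost  = 'crl.r2m02.amazontrust.com'            # CRL distribution point named in the report
$Target   = 'https://s3.us-east-1.amazonaws.com/'  # any HTTPS endpoint; assumed here
$RuleName = 'Block-CRL-Repro'                      # temporary firewall rule, removed in finally

function Invoke-Handshake {
    param([string[]]$ExtraArgs = @())
    # -sS: quiet except for errors; -I: HEAD is enough, the failure is in the TLS
    # handshake; -o NUL: discard any body. 2>&1 captures curl's error text.
    $out = & curl.exe -sS -I -o NUL @ExtraArgs $Target 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out | Out-String).Trim() }
}

try {
    # 1. CryptoAPI caches CRLs it has already fetched; clear the URL cache, otherwise
    #    a machine that reached the CRL server earlier will not reproduce the failure.
    certutil.exe -urlcache * delete | Out-Null

    # 2. Block outbound TCP/80 to the CRL host (CRLs are fetched over plain HTTP).
    #    Only A records carry an address; a CNAME in the answer has none.
    $ips = Resolve-DnsName -Name $CrlHost -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 80 -RemoteAddress $ips | Out-Null

    # 3. Default Schannel behaviour: expected exit code 35 with CRYPT_E_REVOCATION_OFFLINE.
    $default = Invoke-Handshake
    "Default:        exit $($default.ExitCode)  $($default.Output)"

    # 4. Best-effort revocation: expected exit code 0 although the CRL host is unreachable.
    $bestEffort = Invoke-Handshake -ExtraArgs @('--ssl-revoke-best-effort')
    "Best effort:    exit $($bestEffort.ExitCode)  $($bestEffort.Output)"

    # 5. Control: disabling revocation entirely also succeeds, but it is not the fix to
    #    ship, because a revoked certificate would then be accepted even when the CRL
    #    server is reachable.
    $noRevoke = Invoke-Handshake -ExtraArgs @('--ssl-no-revoke')
    "No revocation:  exit $($noRevoke.ExitCode)  $($noRevoke.Output)"
}
finally {
    # Always remove the firewall rule, even if a step above threw.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}
```

If the best-effort run also fails, the installed curl.exe either predates 7.70.0 or is not a Schannel build; a curl linked against OpenSSL does no CRL fetching by default and will not reproduce the failure at all, so confirm the backend in the curl.exe -V output before drawing conclusions.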
Additional Information/Context
No response
AWS CPP SDK version used
1.11.747
Compiler and Version used
MSVC (Visual Studio 2022)
Operating System and version
Windows Server 2019/2022