From c872e7c74be7dcfe287b85ad44520b26e7e27916 Mon Sep 17 00:00:00 2001
From: kai lin
Date: Tue, 19 May 2026 14:35:09 -0400
Subject: [PATCH 1/5] [Feature] Set CURLSSLOPT_REVOKE_BEST_EFFORT
---
 src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index 657193f2e11..a1f06d2ff5c 100644
--- a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -744,6 +744,10 @@ std::shared_ptr CurlHttpClient::MakeRequest(const std::shared_ptr<
 #else
 curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
 #endif
+
+#if defined(PLATFORM_WINDOWS) && LIBCURL_VERSION_NUM >= 0x074600 // 7.70.0
+ curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+#endif
 }
 else
From 5d5139b078a824b2297e7ed61950cf076f3de63d Mon Sep 17 00:00:00 2001
From: kai lin
Date: Wed, 20 May 2026 11:24:49 -0400
Subject: [PATCH 2/5] [Feature] Set CURLSSLOPT_REVOKE_BEST_EFFORT
---
 .../include/aws/core/client/ClientConfiguration.h | 6 ++++++
 .../include/aws/core/http/curl/CurlHttpClient.h | 1 +
 src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp | 7 +++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
index 203022fa225..a6ef4b56ad7 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
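Review bot: The added `curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);` assigns the complete CURLOPT_SSL_OPTIONS bitmask, so if any other CURLSSLOPT_* bit is set on this handle elsewhere in MakeRequest (the function starts and ends outside the hunk, so that cannot be confirmed here) this call clears it; in that case the bits belong in one call, `curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, <existing bits> | CURLSSLOPT_REVOKE_BEST_EFFORT);`. The same call is carried through patches 2, 4 and 5 of this series, so a single fix covers all of them. Note also that on this commit the option is applied to every Windows build with no opt-in, which turns a failed revocation lookup into an accepted connection for all callers; the configuration gate introduced in patch 2 is what makes the behaviour acceptable, so that part needs no further change.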
@@ -301,6 +301,12 @@ namespace Aws
 * You probably shouldn't use this flag in a production scenario.
 */
 bool verifySSL = true;
+ /**
+ * If set to true, the SDK will not fail SSL connections when Certificate Revocation
+ * List (CRL) servers are unreachable. Only applies on Windows when using the curl
+ * HTTP client with Schannel. Off by default to maintain strict revocation checking.
+ */
+ bool allowCrlOffline = false;
 /**
 * If your Certificate Authority path is different from the default, you can tell
 * clients that aren't using the default trust store where to find your CA trust store.
diff --git a/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h b/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
index 087ed8d2c6f..72820f9cfd3 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
@@ -65,6 +65,7 @@ class AWS_CORE_API CurlHttpClient: public HttpClient
 unsigned m_proxyPort = 0;
 Aws::String m_nonProxyHosts;
 bool m_verifySSL = true;
+ bool m_allowCrlOffline = false;
 Aws::String m_caPath;
 Aws::String m_caFile;
 Aws::String m_proxyCaPath;
diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index a1f06d2ff5c..497f64e9048 100644
--- a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -608,7 +608,7 @@ CurlHttpClient::CurlHttpClient(const ClientConfiguration& clientConfig) : m_proxySSLCertPath(clientConfig.proxySSLCertPath), m_proxySSLCertType(clientConfig.proxySSLCertType), m_proxySSLKeyPath(clientConfig.proxySSLKeyPath), m_proxySSLKeyType(clientConfig.proxySSLKeyType), m_proxyKeyPasswd(clientConfig.proxySSLKeyPassword),
- m_proxyPort(clientConfig.proxyPort), m_verifySSL(clientConfig.verifySSL), m_caPath(clientConfig.caPath),
+ m_proxyPort(clientConfig.proxyPort), m_verifySSL(clientConfig.verifySSL), m_allowCrlOffline(clientConfig.allowCrlOffline), m_caPath(clientConfig.caPath),
 m_caFile(clientConfig.caFile), m_proxyCaPath(clientConfig.proxyCaPath), m_proxyCaFile(clientConfig.proxyCaFile), m_disableExpectHeader(clientConfig.disableExpectHeader), m_enableHttpClientTrace(clientConfig.enableHttpClientTrace || FORCE_ENABLE_CURL_LOGGING),
@@ -746,7 +746,10 @@ std::shared_ptr CurlHttpClient::MakeRequest(const std::shared_ptr<
 #endif
 #if defined(PLATFORM_WINDOWS) && LIBCURL_VERSION_NUM >= 0x074600 // 7.70.0
- curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+ if (m_allowCrlOffline)
+ {
+ curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
+ }
 #endif
 }
 else
From 8f938b0316994d0dc3c38bb65c3d9aa90f2efa01 Mon Sep 17 00:00:00 2001
From: kai lin
Date: Wed, 20 May 2026 12:57:30 -0400
Subject: [PATCH 3/5] [Feature] Set CURLSSLOPT_REVOKE_BEST_EFFORT
---
 src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index 497f64e9048..6caf353ebcc 100644
--- a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -750,6 +750,8 @@ std::shared_ptr CurlHttpClient::MakeRequest(const std::shared_ptr<
 {
 curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
 }
+#else
+ AWS_UNREFERENCED_PARAM(m_allowCrlOffline);
 #endif
 }
 else
From bfc2c11798c6d4aeea5826501400b7f0fafb21ad Mon Sep 17 00:00:00 2001
From: kai lin
Date: Wed, 20 May 2026 16:39:02 -0400
Subject: [PATCH 4/5] changed the naming of config, and changed comment, and changed unreferenced to void
---
 .../aws/core/client/ClientConfiguration.h | 17 +++++++++++------
 .../include/aws/core/http/curl/CurlHttpClient.h | 2 +-
 .../source/http/curl/CurlHttpClient.cpp | 6 +++---
 3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
index a6ef4b56ad7..e8da4f538e1 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -301,12 +301,6 @@ namespace Aws
 * You probably shouldn't use this flag in a production scenario.
 */
 bool verifySSL = true;
- /**
- * If set to true, the SDK will not fail SSL connections when Certificate Revocation
- * List (CRL) servers are unreachable. Only applies on Windows when using the curl
- * HTTP client with Schannel. Off by default to maintain strict revocation checking.
- */
- bool allowCrlOffline = false;
 /**
 * If your Certificate Authority path is different from the default, you can tell
 * clients that aren't using the default trust store where to find your CA trust store.
@@ -494,6 +488,17 @@ namespace Aws
 bool useAnonymousAuth = false;
 } winHTTPOptions;
+ /**
+ * Configuration that is specifically used for the curl http client
+ */
+ struct CurlOptions {
+ /**
+ * If set to true, SSL connections will use best-effort revocation checking,
+ * proceeding even when CRL servers are unreachable. Off by default.
+ */
+ bool revokeBestEffort = false;
+ } curlOptions;
+
 /**
 * The AWS account ID. Used for account-based endpoint routing. An AWS account ID has a format like 111122223333.
 * Account-based endpoint routing provides better request performance for some services.
diff --git a/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h b/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
index 72820f9cfd3..5dca8be738f 100644
--- a/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
+++ b/src/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
@@ -65,7 +65,7 @@ class AWS_CORE_API CurlHttpClient: public HttpClient
 unsigned m_proxyPort = 0;
 Aws::String m_nonProxyHosts;
 bool m_verifySSL = true;
- bool m_allowCrlOffline = false;
+ bool m_revokeBestEffort = false;
 Aws::String m_caPath;
 Aws::String m_caFile;
 Aws::String m_proxyCaPath;
diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index 6caf353ebcc..5733c65c1d3 100644
--- a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
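Review bot: The new `revokeBestEffort` doc comment no longer says where the option takes effect: libcurl honours CURLSSLOPT_REVOKE_BEST_EFFORT only with the Schannel TLS backend, so on a build that uses another backend the flag is accepted and silently ignored, and the "Only applies on Windows ... with Schannel" sentence this commit removes from the old `allowCrlOffline` comment was the part a user needs. It also understates the trade-off, since "proceeding even when CRL servers are unreachable" means a certificate whose revocation status could not be determined is accepted. Suggested wording for the field comment: `Only honoured by libcurl >= 7.70.0 built with the Schannel (Windows) TLS backend; other backends ignore it. When true, a certificate whose revocation status cannot be retrieved is accepted instead of failing the connection. Off by default.`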
@@ -608,7 +608,7 @@ CurlHttpClient::CurlHttpClient(const ClientConfiguration& clientConfig) : m_proxySSLCertPath(clientConfig.proxySSLCertPath), m_proxySSLCertType(clientConfig.proxySSLCertType), m_proxySSLKeyPath(clientConfig.proxySSLKeyPath), m_proxySSLKeyType(clientConfig.proxySSLKeyType), m_proxyKeyPasswd(clientConfig.proxySSLKeyPassword),
- m_proxyPort(clientConfig.proxyPort), m_verifySSL(clientConfig.verifySSL), m_allowCrlOffline(clientConfig.allowCrlOffline), m_caPath(clientConfig.caPath),
+ m_proxyPort(clientConfig.proxyPort), m_verifySSL(clientConfig.verifySSL), m_revokeBestEffort(clientConfig.curlOptions.revokeBestEffort), m_caPath(clientConfig.caPath),
 m_caFile(clientConfig.caFile), m_proxyCaPath(clientConfig.proxyCaPath), m_proxyCaFile(clientConfig.proxyCaFile), m_disableExpectHeader(clientConfig.disableExpectHeader), m_enableHttpClientTrace(clientConfig.enableHttpClientTrace || FORCE_ENABLE_CURL_LOGGING),
@@ -746,12 +746,12 @@ std::shared_ptr CurlHttpClient::MakeRequest(const std::shared_ptr<
 #endif
 #if defined(PLATFORM_WINDOWS) && LIBCURL_VERSION_NUM >= 0x074600 // 7.70.0
- if (m_allowCrlOffline)
+ if (m_revokeBestEffort)
 {
 curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
 }
 #else
- AWS_UNREFERENCED_PARAM(m_allowCrlOffline);
+ (void)m_revokeBestEffort;
 #endif
 }
 else
From 6a0e4d7f135503e8a6ef974597efddd4c6026794 Mon Sep 17 00:00:00 2001
From: kai lin
Date: Wed, 20 May 2026 16:51:12 -0400
Subject: [PATCH 5/5] added a warning for the config and changed it to not be windows only
---
 src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index 5733c65c1d3..6a16d7c9b2e 100644
--- a/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/src/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -745,13 +745,17 @@ std::shared_ptr CurlHttpClient::MakeRequest(const std::shared_ptr<
 curl_easy_setopt(connectionHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
 #endif
-#if defined(PLATFORM_WINDOWS) && LIBCURL_VERSION_NUM >= 0x074600 // 7.70.0
+#if LIBCURL_VERSION_NUM >= 0x074600 // 7.70.0
 if (m_revokeBestEffort)
 {
 curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);
 }
 #else
- (void)m_revokeBestEffort;
+ if (m_revokeBestEffort)
+ {
+ AWS_LOGSTREAM_WARN(CURL_HTTP_CLIENT_TAG,
+ "curlOptions.revokeBestEffort requires libcurl >= 7.70.0");
+ }
 #endif
 }
 else
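Review bot: The new `#else` branch emits its warning from inside MakeRequest, so a client configured with `revokeBestEffort` on a libcurl older than 7.70.0 logs it on every request; the check belongs in the constructor where `m_revokeBestEffort` is initialised (outside this hunk), or behind a one-shot guard, so it is reported once. Dropping the `PLATFORM_WINDOWS` condition also lets the `#if` branch run on builds whose TLS backend is not Schannel, where libcurl accepts CURLSSLOPT_REVOKE_BEST_EFFORT and ignores it, so such a user gets neither the relaxed check nor any indication that the setting did nothing; a one-time inspection of `curl_version_info(CURLVERSION_NOW)->ssl_version` for "Schannel" in the constructor would allow the same warning there. Separately, `curl_easy_setopt(connectionHandle, CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT);` assigns the whole CURLOPT_SSL_OPTIONS bitmask rather than OR-ing into it, which matters if any other CURLSSLOPT_* bit is set on this handle elsewhere in the function. MakeRequest starts and ends outside the hunk.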