Does cpr support any way to disable checking the certificate revocation list during an SSL negotiation? I'm on Windows 64, using Visual Studio 2019, with cpr version 1.5.2, libcurl v 7.74.0#4, and civetweb 1.13#1 as the https host. cpr is installed on my machine using vcpkg, which produces an x64-windows-static library. curl/libcurl are installed using vcpkg with the [schannel,tool] options specified.
The development box (softloft.localhost) running the https host has its own site certificate. There's a loopback in the hosts file to redirect softloft.localhost to 127.0.0.1, and the CA which signed the site certificate is stored in the Windows certificate repository. Inside a browser, the page loads correctly. Command-line curl loads the page correctly with the following invocation:
curl -v https://softloft.local:443/example --ssl-no-revoke
libcurl supports the command-line --ssl-no-revoke flag via a call to curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE). However, cpr does not support CURLSSLOPT_NO_REVOKE, which means that, unless SSL is disabled altogether by using cpr::VerifySsl(false), SSL verification will fail because there is no CRL set up.
Suggestion: cpr could add curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE) as a new one-line function in session.cpp/hpp.
{
    cpr::Url url;
    url = "https://softloft.local/example";
    // This fails with '{code=SSL_CONNECT_ERROR (10) message="schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate." }'
    cpr::Response rfails = cpr::Get(url);
    // Correct content, but SSL not verified, CRL not verified.
    cpr::Response rworks = cpr::Get(url, cpr::VerifySsl(0));
}
{
    std::string response_string;
    curl_global_init(CURL_GLOBAL_DEFAULT);
    auto curl = curl_easy_init();
    if (curl)
    {
        curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
        curl_easy_setopt(curl, CURLOPT_URL, "https://softloft.local/example");
        curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writeFunction);
        curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response_string);
        // response_string has the right response. SSL is verified. CRL is not verified. This is wished-for behavior
        curl_easy_perform(curl);
        curl_easy_cleanup(curl);
        curl_global_cleanup();
        curl = nullptr;
    }
}