Skip to content

Allow NO_SSL_VERIFY in RawHttpMessageHandler. #3883

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 31, 2025
Merged

Allow NO_SSL_VERIFY in RawHttpMessageHandler. #3883

merged 1 commit into from
May 31, 2025

Conversation

TingluoHuang
Copy link
Member

No description provided.

@Copilot Copilot AI review requested due to automatic review settings May 30, 2025 22:30
@TingluoHuang TingluoHuang requested a review from a team as a code owner May 30, 2025 22:30
Copilot
Copilot AI reviewed May 30, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces support for skipping SSL certificate validation in RawHttpMessageHandler when the GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY environment variable is set.

  • Applies the configured ServerCertificateValidationCallback to the transport handler in RawHttpMessageHandler once per handler for HTTPS requests.
  • Adds a backing field (m_appliedServerCertificateValidationCallbackToTransportHandler) to track application of the callback.
  • Updates VssUtil to set RawClientHttpRequestSettings.Default.ServerCertificateValidationCallback alongside the existing setting.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/Sdk/Common/Common/RawHttpMessageHandler.cs Apply ServerCertificateValidationCallback on HTTPS transport handlers and track with a flag.
src/Runner.Sdk/Util/VssUtil.cs Configure RawClientHttpRequestSettings for NO_SSL_VERIFY environment variable.
Comments suppressed due to low confidence (2)

src/Sdk/Common/Common/RawHttpMessageHandler.cs:109

  • Use the Uri.UriSchemeHttps constant and a case-insensitive comparison for clarity and consistency, e.g., request.RequestUri.Scheme.Equals(Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase).
if (!m_appliedServerCertificateValidationCallbackToTransportHandler && request.RequestUri.Scheme == "https")

src/Sdk/Common/Common/RawHttpMessageHandler.cs:109

  • Add unit tests under Test/L0 to verify that when GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY is enabled, RawHttpMessageHandler correctly applies the DangerousAcceptAnyServerCertificateValidator callback.
if (!m_appliedServerCertificateValidationCallbackToTransportHandler && request.RequestUri.Scheme == "https")

src/Runner.Sdk/Util/VssUtil.cs
@@ -38,6 +38,7 @@ public static void InitializeVssClientSettings(List<ProductInfoHeaderValue> addi
if (StringUtil.ConvertToBoolean(Environment.GetEnvironmentVariable("GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY")))
{
VssClientHttpRequestSettings.Default.ServerCertificateValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
RawClientHttpRequestSettings.Default.ServerCertificateValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
Copy link
Preview

Copilot AI May 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Update the public README or configuration documentation to mention the new GITHUB_ACTIONS_RUNNER_TLS_NO_VERIFY environment variable and its effect on raw HTTP handlers.

Copilot uses AI. Check for mistakes.

@TingluoHuang TingluoHuang enabled auto-merge (squash) May 30, 2025 22:57
@TingluoHuang TingluoHuang disabled auto-merge May 30, 2025 22:58
@TingluoHuang TingluoHuang merged commit acf3f2b into main May 31, 2025
16 checks passed
@TingluoHuang TingluoHuang deleted the users/tihuang/cert branch May 31, 2025 02:48
This was referenced Jun 3, 2025
Merged
Merged
sirredbeard pushed a commit to sirredbeard/runner that referenced this pull request Jun 11, 2025
@TingluoHuang @sirredbeard
Allow NO_SSL_VERIFY in RawHttpMessageHandler. (actions#3883)
954cb4c
sirredbeard pushed a commit to sirredbeard/runner that referenced this pull request Jun 11, 2025
@TingluoHuang @sirredbeard
Allow NO_SSL_VERIFY in RawHttpMessageHandler. (actions#3883)
9f3ecfb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@ericsciple ericsciple ericsciple approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@TingluoHuang @ericsciple