Proposal: Default to Windows Automatic Root Certificates Update for Improved User Experience #1978

Description

@solarispika
Contributor

Hi @yhirose,

Following up on the discussion in #1431 (comment), I wanted to propose enabling Windows Automatic Root Certificates Update as the default behavior for cpp-httplib on Windows. This feature would enhance user experience by leveraging the latest system root certificates automatically, reducing the need for users to manually manage certificates.

Currently, users can achieve this functionality by setting a custom verification callback, but making it the default on Windows would streamline the setup and make cpp-httplib more convenient out of the box. Additionally, this default change could allow us to skip preloading system root certificates during client construction, minimizing initialization overhead and potentially improving performance.

Would love to hear your thoughts on this proposal, and whether you see it aligning with the project’s direction.

Thank you!

Activity

yhirose commented on Feb 18, 2025

@yhirose
Owner

@solarispika sorry for the late reply. Your suggestion sounds good to me. Could you please send a pull request? Thanks!

solarispika commented on Mar 6, 2025

@solarispika
Contributor, Author

Hi @yhirose,

Before submitting a PR, I’d like to share some field experience regarding enabling Windows Automatic Root Certificates Update by default.

After implementing this feature in our product using set_server_certificate_verifier(), we received support tickets reporting failed connections due to certificate verification errors. Upon investigation, we found that these failures were caused by the system being unable to download the Certificate Revocation List (CRL), leading to validation failures.

In one case, we tested a machine experiencing this issue and confirmed that the browser also couldn't reach the CRL distribution point, while other machines on the same LAN could. Interestingly, most reports of this issue came from users in China. Given the circumstances, we ultimately decided to bypass CRL checking in our validation, logging a warning when the problem occurs—particularly if the system language is set to Simplified Chinese.

I wanted to bring this to your attention and hear your thoughts on handling such cases in cpp-httplib. Looking forward to your input!

Thanks.

yhirose commented on Mar 13, 2025

@yhirose
Owner

@solarispika, thanks for the report. Could you please send a pull request implementing this feature without the code bypassing the CRL checking?
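
Added example, not part of the thread or of cpp-httplib's code: the failure described above (revocation data unreachable) can be told apart from a revoked or otherwise invalid chain while the connection is still refused in every error case. It assumes the verifier builds the chain with the Windows CryptoAPI and reads the chain's `dwErrorStatus` bits (the thread does not say which API is used); `classify_chain`, `Verdict` and `Decision` are hypothetical names.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Bit values mirror CERT_TRUST_STATUS::dwErrorStatus in <wincrypt.h>,
// redefined under local names so the example builds on any platform.
constexpr std::uint32_t kRevoked           = 0x00000004; // CERT_TRUST_IS_REVOKED
constexpr std::uint32_t kUntrustedRoot     = 0x00000020; // CERT_TRUST_IS_UNTRUSTED_ROOT
constexpr std::uint32_t kRevocationUnknown = 0x00000040; // CERT_TRUST_REVOCATION_STATUS_UNKNOWN
constexpr std::uint32_t kOfflineRevocation = 0x01000000; // CERT_TRUST_IS_OFFLINE_REVOCATION

enum class Verdict { Accept, RejectRevoked, RejectChainError, RejectRevocationUnavailable };

struct Decision {
  Verdict verdict;
  std::string log; // message for the application log or a support ticket
};

// Hypothetical helper: maps a chain's error status to a fail-closed decision.
Decision classify_chain(std::uint32_t status) {
  constexpr std::uint32_t kUnavailable = kRevocationUnknown | kOfflineRevocation;
  char hex[16];
  std::snprintf(hex, sizeof hex, "0x%08X", static_cast<unsigned>(status));
  const std::string tag = std::string(" (dwErrorStatus=") + hex + ")";

  if (status == 0) return {Verdict::Accept, "chain trusted" + tag};
  // A positive revocation answer outranks every other flag.
  if (status & kRevoked) return {Verdict::RejectRevoked, "certificate revoked" + tag};
  // Any bit other than the two "could not check" bits is a real chain defect.
  if (status & ~kUnavailable) return {Verdict::RejectChainError, "chain invalid" + tag};
  // Only the "could not check" bits remain: the CRL/OCSP endpoint was unreachable.
  return {Verdict::RejectRevocationUnavailable,
          "revocation status unavailable, connection refused" + tag};
}

int main() {
  // Constructed sample statuses, not captured from a real system.
  const std::uint32_t samples[] = {0, kRevocationUnknown | kOfflineRevocation,
                                   kRevoked | kRevocationUnknown,
                                   kUntrustedRoot | kRevocationUnknown};
  for (std::uint32_t s : samples) std::puts(classify_chain(s).log.c_str());
  return 0;
}
```
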

added a commit that references this issue on Mar 24, 2025
f97e72c
added 2 commits that reference this issue on Jul 7, 2025
4661630
bb7c085