Following up on the discussion in #1431 (comment), I wanted to propose enabling Windows Automatic Root Certificates Update as the default behavior for cpp-httplib on Windows. This feature would enhance user experience by leveraging the latest system root certificates automatically, reducing the need for users to manually manage certificates.
Currently, users can achieve this functionality by setting a custom verification callback, but making it the default on Windows would streamline the setup and make cpp-httplib more convenient out of the box. Additionally, this default change could allow us to skip preloading system root certificates during client construction, minimizing initialization overhead and potentially improving performance.
Would love to hear your thoughts on this proposal, and whether you see it aligning with the project’s direction.
Activity
yhirose commented on Feb 18, 2025
@solarispika sorry for the late reply. Your suggestion sounds good to me. Could you please send a pull request? Thanks!
solarispika commented on Mar 6, 2025
Hi @yhirose,
Before submitting a PR, I’d like to share some field experience regarding enabling Windows Automatic Root Certificates Update by default.
After implementing this feature in our product using set_server_certificate_verifier(), we received support tickets reporting failed connections due to certificate verification errors. Upon investigation, we found that these failures were caused by the system being unable to download the Certificate Revocation List (CRL), leading to validation failures.
In one case, we tested a machine experiencing this issue and confirmed that the browser also couldn't reach the CRL distribution point, while other machines on the same LAN could. Interestingly, most reports of this issue came from users in China. Given the circumstances, we ultimately decided to bypass CRL checking in our validation, logging a warning when the problem occurs—particularly if the system language is set to Simplified Chinese.
I wanted to bring this to your attention and hear your thoughts on handling such cases in cpp-httplib. Looking forward to your input!
Thanks.
yhirose commented on Mar 13, 2025
@solarispika, thanks for the report. Could you please send a pull request implementing this feature without the code bypassing the CRL checking?
Default using Windows Schannel for SSL/TLS on Windows