WinHttp TLS is completely disabled if m_verifySSL is false #3008

@renjipanicker

Describe the bug

In the file:
aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp

Line 541 (in function OpenRequest):
DWORD requestFlags = request->GetUri().GetScheme() == Scheme::HTTPS && m_verifySSL ? WINHTTP_FLAG_SECURE : 0;

This code passes 0 instead of WINHTTP_FLAG_SECURE if m_verifySSL is false. Therefore the connection is not TLS enabled.

This is incorrect behaviour.

Expected Behavior

If the scheme is HTTPS and m_verifySSL is false, it should initiate a TLS connection, and ignore certificate errors.

Current Behavior

If the scheme is HTTPS and m_verifySSL is false, it initiates a non-TLS connection.

Reproduction Steps

Create an outgoing HTTPS request to S3, and set m_verifySSL to false.
Use Wireshark or equivalent to observe that the connection is not TLS enabled.

Possible Solution

Remove the && m_verifySSL from the condition.

Additional Information/Context

No response

AWS CPP SDK version used

1.11.285

Compiler and Version used

Visual Studio 2019

Operating System and version

Windows Server 2019
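
An added example, not part of the issue or of the SDK's code: a portable C++ regression check that keeps the transport decision (TLS or not) separate from the certificate-validation decision, comparing the expression quoted in the issue with the proposed one. The function names are hypothetical, the constants are the winhttp.h values redeclared under local names, and mapping "ignore certificate errors" onto the WinHTTP `SECURITY_FLAG_IGNORE_*` bits is an assumption about how that behaviour would be expressed.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// winhttp.h values, redeclared under local names so this builds on any platform.
constexpr uint32_t kFlagSecure            = 0x00800000; // WINHTTP_FLAG_SECURE
constexpr uint32_t kIgnoreUnknownCa       = 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA
constexpr uint32_t kIgnoreCertWrongUsage  = 0x00000200; // SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE
constexpr uint32_t kIgnoreCertCnInvalid   = 0x00001000; // SECURITY_FLAG_IGNORE_CERT_CN_INVALID
constexpr uint32_t kIgnoreCertDateInvalid = 0x00002000; // SECURITY_FLAG_IGNORE_CERT_DATE_INVALID

enum class Scheme { HTTP, HTTPS };

// Expression quoted in the issue: TLS is requested only when verification is on.
uint32_t RequestFlagsReported(Scheme s, bool verifySSL) {
    return s == Scheme::HTTPS && verifySSL ? kFlagSecure : 0;
}

// Change proposed in the issue: the scheme alone decides whether TLS is requested.
uint32_t RequestFlagsProposed(Scheme s, bool /*verifySSL*/) {
    return s == Scheme::HTTPS ? kFlagSecure : 0;
}

// Assumption: with verification off, certificate errors are relaxed separately
// (on Windows, via WinHttpSetOption with WINHTTP_OPTION_SECURITY_FLAGS).
uint32_t RelaxedCertFlags(Scheme s, bool verifySSL) {
    if (s != Scheme::HTTPS || verifySSL) return 0;
    return kIgnoreUnknownCa | kIgnoreCertWrongUsage | kIgnoreCertCnInvalid | kIgnoreCertDateInvalid;
}

// Regression check: HTTPS must always carry the secure flag, HTTP never.
bool SchemeAloneDecidesTls(uint32_t (*flagsFor)(Scheme, bool)) {
    for (bool verify : {false, true}) {
        if ((flagsFor(Scheme::HTTPS, verify) & kFlagSecure) == 0) return false;
        if ((flagsFor(Scheme::HTTP, verify) & kFlagSecure) != 0) return false;
    }
    return true;
}

int main() {
    std::printf("reported expression keeps HTTPS encrypted: %s\n",
                SchemeAloneDecidesTls(RequestFlagsReported) ? "yes" : "no");
    std::printf("proposed expression keeps HTTPS encrypted: %s\n",
                SchemeAloneDecidesTls(RequestFlagsProposed) ? "yes" : "no");
    std::printf("cert flags relaxed when verifySSL=false: 0x%08x\n",
                static_cast<unsigned>(RelaxedCertFlags(Scheme::HTTPS, false)));
    return 0;
}
```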

Labels

bug: This issue is a bug.
needs-review: This issue or pull request needs review from a core team member.
p2: This is a standard priority issue
