Default using Windows Schannel for SSL/TLS on Windows

[solarispika]

Follow
https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain for related flags.

Closes #1978

[solarispika]

I noticed that there is verify_result_ for storing OpenSSL result and is retrieved by get_openssl_verify_result(), but I have no idea how to set it. Please advise.

[yhirose]

@solarispika sorry for the delay. According to this comment #1978 (comment), you mentioned you ended up bypassing CRL in your production server.

Do you think that the current pull request which doesn't have the bypassing code will affect a number of Windows users? If not many, I don't mind merging this code. But it has a risk to affect many users, I would like you to implement a feature flag like CPPHTTPLIB_USE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE. If it's not set, the original code will be used.

[solarispika]

Hi @yhirose

I am not sure how many of them will be, possibly the number being proportional to users located in China.
I can add a toggle for this feature.
It looks like you prefer users to enable this feature, but not users to disable it, right?

[yhirose]

@solarispika , (1) If a number of users will be affected by this, I prefer making it an opt-in feature with CPPHTTPLIB_USE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE.

(2) But if we expect only few users will be affected, we can enable this feature by the default and uses can disable it with CPPHTTPLIB_DISABLE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE.

I prefer #2.

[solarispika]

@yhirose
I agree with you on enabling the feature by default.
I also update CMake which enables the feature HTTPLIB_USE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE by default, and if disabled, define CPPHTTPLIB_DISABLE_WINDOWS_AUTOMATIC_ROOT_CERTIFICATES_UPDATE.

[yhirose]

Could you please take a look at unit test errors on 'test / windows with SSL (pull_request)'?

[solarispika]

Sure, it looks like #2169 saves openssl errors which I didn't notice.
I'll try to fix it.

[solarispika]

@yhirose

I found that it is hard to map errors between Win32 API and OpenSSL.

What do you recommend? Is it proper to mask those checks when Schannel is used?

[yhirose]

@solarispika I actually don't know what do to. Could you please investigate why those errors occur before making any change?

[solarispika]

@yhirose
These errors are due to #2169 adding ssl_error and ssl_openssl_error member functions to class Result for retrieving OpenSSL errors, and some tests being extended for these errors.

As those member functions are defined for OpenSSL, it is inappropriate for me to use it directly for errors coming from Windows API.