aws/aws-sdk-cpp

WinHttp TLS is completely disabled if m_verifySSL is false

renjipanicker opened this issue · 1 comments

Describe the bug

In the file:
aws-cpp-sdk-core/source/http/windows/WinHttpSyncHttpClient.cpp

Line 541 (in function OpenRequest):
DWORD requestFlags = request->GetUri().GetScheme() == Scheme::HTTPS && m_verifySSL ? WINHTTP_FLAG_SECURE : 0;

This code passes 0 instead of WINHTTP_FLAG_SECURE if m_verifySSL is false. Therefore the connection is not TLS enabled.

This is incorrect behaviour.

Expected Behavior

If the scheme is HTTPS and m_verifySSL is false, it should initiate a TLS connection, and ignore certificate errors.

Current Behavior

If the scheme is HTTPS and m_verifySSL is false, it initiates a non-TLS connection.

Reproduction Steps

Create an outgoing HTTPS request to S3, and set m_verifySSL to false.
Use Wireshark or equivalent to observe that the connection is not TLS enabled.

Possible Solution

Remove the && m_verifySSL from the condition.

Additional Information/Context

No response

AWS CPP SDK version used

1.11.285

Compiler and Version used

Visual Studio 2019

Operating System and version

Windows Server 2019

Thanks for finding this bug and pointing it out to us. We are working on a fix.
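The flag logic discussed in this issue, as an added example that is not part of the thread and is not the SDK's code or its fix: it models the reported condition beside the behaviour the issue expects, with a check that HTTPS never loses WINHTTP_FLAG_SECURE. The struct, function names and the choice of SECURITY_FLAG_IGNORE_* bits are assumptions. The constants are redefined with their winhttp.h values so the block builds off Windows.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Values as defined in winhttp.h, redefined so this builds without the Windows SDK.
constexpr uint32_t kFlagSecure       = 0x00800000; // WINHTTP_FLAG_SECURE
constexpr uint32_t kIgnoreUnknownCa  = 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA
constexpr uint32_t kIgnoreWrongUsage = 0x00000200; // SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE
constexpr uint32_t kIgnoreCnInvalid  = 0x00001000; // SECURITY_FLAG_IGNORE_CERT_CN_INVALID
constexpr uint32_t kIgnoreDateBad    = 0x00002000; // SECURITY_FLAG_IGNORE_CERT_DATE_INVALID

enum class Scheme { HTTP, HTTPS };

// Hypothetical holder for the two independent settings.
struct RequestSettings {
    uint32_t openRequestFlags; // dwFlags argument of WinHttpOpenRequest
    uint32_t securityFlags;    // value for WinHttpSetOption(WINHTTP_OPTION_SECURITY_FLAGS)
};

// Condition as quoted in the issue: TLS itself is tied to verifySSL.
RequestSettings SettingsAsReported(Scheme scheme, bool verifySSL) {
    uint32_t flags = (scheme == Scheme::HTTPS && verifySSL) ? kFlagSecure : 0;
    return {flags, 0};
}

// Behaviour the issue expects: the scheme alone selects TLS; verifySSL only
// controls certificate checks (encrypted, but the peer is not authenticated).
RequestSettings SettingsAsExpected(Scheme scheme, bool verifySSL) {
    RequestSettings s{0, 0};
    if (scheme == Scheme::HTTPS) {
        s.openRequestFlags = kFlagSecure;
        if (!verifySSL)
            s.securityFlags = kIgnoreUnknownCa | kIgnoreWrongUsage |
                              kIgnoreCnInvalid | kIgnoreDateBad;
    }
    return s;
}

// Regression check: true if any verifySSL value yields HTTPS without TLS.
bool DowngradesHttps(RequestSettings (*build)(Scheme, bool)) {
    for (bool verify : {false, true})
        if (!(build(Scheme::HTTPS, verify).openRequestFlags & kFlagSecure))
            return true;
    return false;
}

int main() {
    std::printf("reported logic downgrades HTTPS: %d\n", DowngradesHttps(SettingsAsReported));
    std::printf("expected logic downgrades HTTPS: %d\n", DowngradesHttps(SettingsAsExpected));
    return 0;
}
```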