
Proposal: Default to Windows Automatic Root Certificates Update for Improved User Experience #1978

Open
solarispika opened this issue Nov 15, 2024 · 3 comments · May be fixed by #2116

@solarispika
Contributor

Hi @yhirose,

Following up on the discussion in #1431 (comment), I wanted to propose enabling Windows Automatic Root Certificates Update as the default behavior for cpp-httplib on Windows. This feature would enhance user experience by leveraging the latest system root certificates automatically, reducing the need for users to manually manage certificates.

Currently, users can achieve this functionality by setting a custom verification callback, but making it the default on Windows would streamline the setup and make cpp-httplib more convenient out of the box. Additionally, this default change could allow us to skip preloading system root certificates during client construction, minimizing initialization overhead and potentially improving performance.

Would love to hear your thoughts on this proposal, and whether you see it aligning with the project’s direction.

Thank you!

@yhirose
Owner

yhirose commented Feb 18, 2025

@solarispika sorry for the late reply. Your suggestion sounds good to me. Could you please send a pull request? Thanks!

@solarispika
Contributor Author

Hi @yhirose,

Before submitting a PR, I’d like to share some field experience regarding enabling Windows Automatic Root Certificates Update by default.

After implementing this feature in our product using set_server_certificate_verifier(), we received support tickets reporting failed connections due to certificate verification errors. Upon investigation, we found that these failures were caused by the system being unable to download the Certificate Revocation List (CRL), leading to validation failures.

In one case, we tested a machine experiencing this issue and confirmed that the browser also couldn't reach the CRL distribution point, while other machines on the same LAN could. Interestingly, most reports of this issue came from users in China. Given the circumstances, we ultimately decided to bypass CRL checking in our validation, logging a warning when the problem occurs—particularly if the system language is set to Simplified Chinese.

I wanted to bring this to your attention and hear your thoughts on handling such cases in cpp-httplib. Looking forward to your input!

Thanks.

@yhirose
Owner

yhirose commented Mar 13, 2025

@solarispika, thanks for the report. Could you please send a pull request implementing this feature without the code bypassing the CRL checking?
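As an added example (not cpp-httplib's code and not the issue author's implementation) of the verifier this thread is about: a callback for SSLClient::set_server_certificate_verifier that hands chain building to Windows CryptoAPI, whose default chain engine is what fetches unknown roots through Automatic Root Certificates Update, plus a small classifier that tells a genuinely revoked certificate apart from a CRL that could not be downloaded, the failure mode reported above. Assumptions: the verifier signature is std::function<bool(SSL*)>, the caller knows the expected host name, the Win32 portion (under _WIN32, linked against crypt32) is only compiled on Windows, and the kTrust* constants mirror the CERT_TRUST_* bit values in wincrypt.h so the classifier compiles and can be exercised anywhere. Note the callback keeps rejecting on a CRL-fetch failure; it only makes that case distinguishable for logging.

```cpp
#include <cstdint>
#include <functional>
#include <string>
#include <vector>

// Mirror of the CERT_TRUST_* bits from wincrypt.h that the classifier inspects
// (assumed values copied from the header), so the decision logic is portable.
enum : uint32_t {
  kTrustIsRevoked               = 0x00000004,
  kTrustIsUntrustedRoot         = 0x00000020,
  kTrustRevocationStatusUnknown = 0x00000040,
  kTrustIsOfflineRevocation     = 0x01000000,
};

enum class ChainVerdict { Trusted, Revoked, RevocationUnavailable, Untrusted };

// Interpret CERT_CHAIN_CONTEXT::TrustStatus.dwErrorStatus. Order matters: a
// revoked certificate is never reported as a mere CRL-fetch problem, and any
// bit other than the two "could not check revocation" bits is a hard failure.
ChainVerdict classify_chain_status(uint32_t error_status) {
  if (error_status == 0) return ChainVerdict::Trusted;
  if (error_status & kTrustIsRevoked) return ChainVerdict::Revoked;
  const uint32_t fetch_failure = kTrustRevocationStatusUnknown | kTrustIsOfflineRevocation;
  if ((error_status & ~fetch_failure) == 0) return ChainVerdict::RevocationUnavailable;
  return ChainVerdict::Untrusted;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#pragma comment(lib, "crypt32.lib")

static std::vector<unsigned char> to_der(X509* cert) {
  std::vector<unsigned char> der(static_cast<size_t>(i2d_X509(cert, nullptr)));
  unsigned char* p = der.data();
  i2d_X509(cert, &p);
  return der;
}

// Builds a verifier for httplib::SSLClient::set_server_certificate_verifier.
// Returns true only for a chain Windows trusts with revocation checked and a
// host name that passes the SSL chain policy. Any failure, including a CRL
// that could not be fetched, is handed to on_failure and still rejects.
std::function<bool(SSL*)> make_windows_verifier(
    std::wstring host, std::function<void(ChainVerdict)> on_failure) {
  return [host, on_failure](SSL* ssl) -> bool {
    X509* leaf = SSL_get_peer_certificate(ssl);  // SSL_get1_peer_certificate on OpenSSL 3
    if (!leaf) return false;
    std::vector<unsigned char> leaf_der = to_der(leaf);
    X509_free(leaf);
    PCCERT_CONTEXT ctx = CertCreateCertificateContext(
        X509_ASN_ENCODING, leaf_der.data(), static_cast<DWORD>(leaf_der.size()));
    if (!ctx) return false;

    // Give the chain engine the intermediates the server sent via a memory store.
    HCERTSTORE extra = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, nullptr);
    STACK_OF(X509)* sent = SSL_get_peer_cert_chain(ssl);
    for (int i = 0; extra && sent && i < sk_X509_num(sent); ++i) {
      std::vector<unsigned char> der = to_der(sk_X509_value(sent, i));
      CertAddEncodedCertificateToStore(extra, X509_ASN_ENCODING, der.data(),
                                       static_cast<DWORD>(der.size()),
                                       CERT_STORE_ADD_ALWAYS, nullptr);
    }

    CERT_CHAIN_PARA para = {};
    para.cbSize = sizeof(para);
    PCCERT_CHAIN_CONTEXT chain = nullptr;
    ChainVerdict verdict = ChainVerdict::Untrusted;
    // nullptr selects the default engine, which looks unknown roots up on
    // Windows Update (Automatic Root Certificates Update). The revocation flag
    // is where the CRL download from the thread happens.
    if (CertGetCertificateChain(nullptr, ctx, nullptr, extra, &para,
                                CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
                                nullptr, &chain) && chain) {
      verdict = classify_chain_status(chain->TrustStatus.dwErrorStatus);
      if (verdict == ChainVerdict::Trusted) {
        // A custom verifier replaces cpp-httplib's own host-name check, so do it here.
        SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl_para = {};
        ssl_para.cbSize = sizeof(ssl_para);
        ssl_para.dwAuthType = AUTHTYPE_SERVER;
        ssl_para.pwszServerName = const_cast<LPWSTR>(host.c_str());
        CERT_CHAIN_POLICY_PARA policy = {};
        policy.cbSize = sizeof(policy);
        policy.pvExtraPolicyPara = &ssl_para;
        CERT_CHAIN_POLICY_STATUS status = {};
        status.cbSize = sizeof(status);
        if (!CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain, &policy, &status) ||
            status.dwError != 0) {
          verdict = ChainVerdict::Untrusted;
        }
      }
    }
    if (chain) CertFreeCertificateChain(chain);
    if (extra) CertCloseStore(extra, 0);
    CertFreeCertificateContext(ctx);
    if (verdict != ChainVerdict::Trusted && on_failure) on_failure(verdict);
    return verdict == ChainVerdict::Trusted;
  };
}
#endif
```

Hooking it up is one call on the client, e.g. `cli.set_server_certificate_verifier(make_windows_verifier(L"example.com", log_verdict));` (names assumed). A machine that cannot reach the CRL distribution point surfaces as ChainVerdict::RevocationUnavailable in on_failure, which is the distinct warning the thread describes, while the connection is still refused; the classifier puts kTrustIsRevoked first so that a revoked certificate whose CRL was also partly unreachable is never downgraded to that softer category.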
